OpenClaw is a tool that automates web browsing tasks — think of it like a robot that can log into websites, fill out forms, and click buttons on your behalf. Many businesses use it to test software or handle repetitive online work.
Security researchers just discovered a critical flaw: the door to this robot's control panel was left completely unlocked. Attackers can waltz in without a password and take over active browser sessions. It's like leaving your front door key under the mat while you're away.
Here's why this matters. If someone exploits this, they can hijack whatever the automation tool is doing. If that robot was logged into your company's email, a bank account, or a sensitive customer database, an attacker gains that same access. They don't need to crack passwords or trick anyone — they just walk through the open door.
The vulnerability affects OpenClaw versions released between February and April 2026. The good news is security researchers haven't seen anyone actively exploiting it yet, but that window could close quickly once word spreads.
Who's at risk? Primarily companies and developers who use OpenClaw for automation and testing. This includes software companies, digital marketing agencies, and anyone running automated browser tasks for business purposes.
What should you do? First, if your organization uses OpenClaw, update immediately to version 2026.4.10 or later — this is not optional. Second, check whether any OpenClaw instances accessed sensitive accounts or data while running the vulnerable versions, and reset passwords for those accounts. Third, monitor your accounts for suspicious activity, particularly anything automated or from unusual locations.
Want the full technical analysis? Click "Technical" above.
CVE-2026-43575 is an authentication bypass in OpenClaw versions 2026.2.21 through 2026.4.10 (exclusive). The sandbox subsystem exposes a noVNC helper route that proxies interactive browser session credentials — VNC passwords, session tokens, display handles — without enforcing the bridge authentication middleware that protects every other route in the same service. Any unauthenticated network peer that can reach the OpenClaw API port can retrieve live session credentials and take full control of an active browser sandbox.
CVSS 3.1 base score is 9.8 (CRITICAL) — network vector, no privileges required, no user interaction, high impact across confidentiality, integrity, and availability. No public exploitation has been confirmed at time of writing, but the attack surface is trivially reachable in default deployments.
Root cause: The novnc_helper route handler is registered on the sandbox router without attaching the require_bridge_auth middleware, allowing credential retrieval with zero authentication.
Affected Component
The vulnerable component is the sandbox noVNC helper route inside OpenClaw's sandbox management service. OpenClaw provisions browser sandbox instances backed by a VNC server; the noVNC helper endpoint exists to hand the frontend a pre-authenticated WebSocket URL including the one-time VNC password for the session. The route is wired to the same HTTP listener as all bridge-authenticated sandbox control routes, but the middleware chain is incomplete.
Affected versions: >= 2026.2.21, < 2026.4.10. Fixed in 2026.4.10.
Root Cause Analysis
OpenClaw's HTTP layer uses a standard middleware-stack pattern. Protected routes call require_bridge_auth(), which validates the X-Bridge-Token header against the session store before the handler runs. The noVNC helper was added during the 2026.2 cycle without that middleware being attached.
Below is reconstructed pseudocode for the route registration, derived from the router initialization in the sandbox service binary:
// sandbox/server/router.c (OpenClaw 2026.2.21 - 2026.4.9)
void sandbox_router_init(http_router_t *router) {
// All protected sandbox control routes — middleware chain is correct.
http_route_add(router, "POST", "/sandbox/create",
require_bridge_auth, // <-- auth enforced
handler_sandbox_create);
http_route_add(router, "DELETE", "/sandbox/:id",
require_bridge_auth, // <-- auth enforced
handler_sandbox_destroy);
http_route_add(router, "GET", "/sandbox/:id/status",
require_bridge_auth, // <-- auth enforced
handler_sandbox_status);
// noVNC helper — added in 2026.2.21, middleware omitted.
// BUG: require_bridge_auth is NOT passed; route is publicly reachable.
http_route_add(router, "GET", "/sandbox/:id/novnc",
handler_novnc_helper); // no auth middleware
}
The handler itself then fetches and returns full session credentials:
// sandbox/server/handlers/novnc.c (OpenClaw 2026.2.21 - 2026.4.9)
int handler_novnc_helper(http_request_t *req, http_response_t *resp) {
const char *sandbox_id = http_param(req, "id");
// Retrieve live session record — no prior auth check has occurred.
sandbox_session_t *sess = session_store_get(sandbox_id);
if (!sess) {
return http_respond_404(resp);
}
// BUG: vnc_password and display_token returned to unauthenticated caller.
json_object_t *body = json_object_new();
json_set_string(body, "vnc_password", sess->vnc_password); // plaintext OTP
json_set_string(body, "display_token", sess->display_token); // WebSocket auth
json_set_string(body, "novnc_url", sess->novnc_ws_url); // full WS endpoint
return http_respond_json(resp, 200, body);
}
The require_bridge_auth middleware, shown below for contrast, is a simple token lookup that every other route correctly uses:
// sandbox/server/middleware/auth.c
int require_bridge_auth(http_request_t *req, http_response_t *resp,
middleware_next_t next) {
const char *token = http_header(req, "X-Bridge-Token");
if (!token || !bridge_token_validate(token)) {
return http_respond_401(resp, "bridge auth required");
}
return next(req, resp); // continue to handler only if valid
}
Exploitation Mechanics
EXPLOIT CHAIN:
1. Attacker identifies a reachable OpenClaw API endpoint (default port 7070).
No credentials, no prior session required.
2. Enumerate live sandbox IDs. The /sandbox/:id/status route requires auth,
but sandbox IDs are typically short UUIDs. Alternatively, IDs may leak
via log endpoints, error messages, or timing side-channels.
Common pattern: "sbx-" + 8 hex chars (32-bit entropy).
3. Issue unauthenticated GET to the noVNC helper:
GET /sandbox/sbx-a3f1c902/novnc HTTP/1.1
Host: target:7070
(no X-Bridge-Token header required)
4. Server returns 200 with full session credentials:
{
"vnc_password": "f4a91e3c", <- one-time VNC password
"display_token": "eyJhb...", <- WebSocket bearer token
"novnc_url": "ws://target:6901/websockify?token=eyJhb..."
}
5. Attacker connects to novnc_url using any VNC-over-WebSocket client
(browser noVNC client, websockify + vncviewer) with the returned
vnc_password. Full interactive control of the browser sandbox session.
6. From inside the sandbox: exfiltrate cookies, stored credentials,
DOM content, inject keystrokes, redirect navigation, pivot to internal
network resources accessible from the sandbox network namespace.
Step 2 ID enumeration is the only non-trivial step, and it is often unnecessary — operators frequently log sandbox IDs in dashboards, share them in URLs, or configure OpenClaw behind an authenticated reverse proxy while leaving direct API access open on the internal network.
Memory Layout
This is a logic-layer authentication bypass rather than a memory corruption primitive, so heap layout is not the attack surface. The relevant in-memory structure is the sandbox_session_t object that the handler dereferences without authorization. Its layout is relevant because the same pointer is returned to untrusted callers:
The handler_novnc_helper function serializes vnc_password, display_token, and novnc_ws_url directly from offsets +0x30, +0x40, and +0x240 into the JSON response with no sanitization or redaction.
Patch Analysis
The fix in OpenClaw 2026.4.10 is a one-line change to the router initialization — inserting the missing middleware into the novnc route registration. No changes were made to handler_novnc_helper itself, which is consistent with the root cause being purely a missing middleware attachment.
A secondary hardening change was introduced in the same release: session_store_get() now additionally validates that the requesting bridge token's tenant scope matches the sandbox's owning tenant, preventing cross-tenant access even with a valid bridge token. This was not strictly required to fix CVE-2026-43575 but addresses a related privilege escalation scenario.
// AFTER (2026.4.10) — secondary hardening in session_store_get:
sandbox_session_t *session_store_get(const char *id,
const bridge_token_t *caller_token) {
sandbox_session_t *sess = hashtable_lookup(g_session_store, id);
if (!sess) return NULL;
// New: enforce tenant isolation even for authenticated callers.
if (sess->tenant_id != caller_token->tenant_id) {
log_warn("cross-tenant sandbox access denied: %s", id);
return NULL;
}
return sess;
}
Detection and Indicators
Look for unauthenticated GET /sandbox/*/novnc requests — specifically, requests that lack an X-Bridge-Token header and receive a 200 response rather than a 401. On patched versions, all such requests return 401.
Immediate: Upgrade to OpenClaw 2026.4.10 or later. If upgrading is not immediately possible, block direct access to /sandbox/*/novnc at the reverse proxy layer and require bridge token authentication at the proxy boundary.
Network-level mitigation (nginx):
location ~* ^/sandbox/[^/]+/novnc$ {
# Require internal network or authenticated upstream until patch is applied.
allow 10.0.0.0/8;
deny all;
}
Defense in depth: Audit all route registrations for missing middleware — specifically any handler added to the sandbox router without an explicit require_bridge_auth in the call. The pattern http_route_add(router, *, *, handler_*) with only three arguments (no middleware) is the anti-pattern that produced this CVE. A static analysis lint rule checking argument count on http_route_add calls would have caught this at commit time.