Sandbox noVNC helper route exposed interactive browser session credentials.
openclaw>= 2026.2.21 < 2026.4.10>= 2026.4.10The sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface.
The fix gates the sandbox noVNC helper route behind bridge authentication.
The issue was fixed in #63882. The first stable tag containing the fix is v2026.4.10, and [email protected] includes the fix.
8dfbf3268bd224b7377d1ecca77a445100746085Users should upgrade to openclaw 2026.4.10 or newer. The latest npm release, 2026.4.14, already includes the fix.
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 6.9 | 4.0 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-92jp-89mq-4374 ↗ |
| CWE id | Name |
|---|---|
| CWE-306 | Missing Authentication for Critical Function |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | >= 2026.2.21, < 2026.4.10 | 2026.4.10 | — |