GHSA-92jp-89mq-4374: openclaw: auth bypass exposes sandbox browser session
GHSA-92jp-89mq-4374 MEDIUM
The openclaw npm package (versions 2026.2.21 to 2026.4.10) contained a missing authentication check on its sandbox noVNC helper route, allowing any unauthenticated network actor to access the interactive browser session used by AI agents — no credentials required. This is particularly concerning for an AI agent framework where sandboxed browser sessions routinely contain in-flight credentials, API tokens, and access to internal web applications being navigated autonomously. The package carries 135 prior CVEs, and AIID #1368 documents that openclaw's ecosystem has already been actively abused for credential exfiltration via malicious skills, making unauthenticated browser session access a high-value primitive for adversaries already targeting this surface. Teams should upgrade to openclaw 2026.4.10 or later immediately; if patching is not feasible, restrict the noVNC helper route to localhost or trusted IP ranges at the reverse proxy layer and rotate any credentials that may have been visible in browser sessions.
What is the risk?
Medium severity with elevated contextual risk for AI agent deployments. The flaw is trivially exploitable — CWE-306 requires no authentication to bypass, only a network path to the endpoint. The blast radius per deployment is significant: full visibility into and potential interactive control over AI agent browser sessions. Population-level risk is constrained by only 4 downstream dependents and no CISA KEV listing. However, the documented abuse history in AIID #1368 (malicious openclaw skills exfiltrating credentials via ClawHub) demonstrates that adversaries are already familiar with openclaw's attack surface, and this authentication bypass provides a complementary unauthenticated credential access path that requires no social engineering or supply chain compromise.
What systems are affected?
| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | >= 2026.2.21, < 2026.4.10 | 2026.4.10 |
What should I do?
1. Upgrade openclaw to version 2026.4.10 or later; npm package 2026.4.14 is the current stable release containing the fix.
2. If immediate patching is not feasible, block network access to the noVNC helper route at the firewall or reverse proxy — restrict to localhost or trusted management IP ranges only.
3. Audit web server and application logs for unauthorized requests to the noVNC endpoint during the exposure window.
4. Rotate all credentials, API tokens, and session cookies that may have been visible in browser sessions on affected instances.
5. Assess whether openclaw was network-accessible or restricted to localhost — deployments bound only to loopback have significantly reduced exposure and lower remediation urgency.
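The version check and log audit from the steps above can be scripted. This is an added example, not code from openclaw or the advisory: the route path is a placeholder (the advisory does not name it), the `10.20.0.` management range is a hypothetical allowlist, and the log lines are constructed.

```javascript
// Added example, not openclaw code. NOVNC_ROUTE is a placeholder path and the
// 10.20.0.0/24 management range is a hypothetical allowlist.
const NOVNC_ROUTE = "/PLACEHOLDER-novnc-helper-route";
const isTrusted = (ip) =>
  ip === "::1" || ip.startsWith("127.") || ip.startsWith("10.20.0.");

// Compare plain numeric dotted versions ("2026.4.9" sorts before "2026.4.10").
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// Affected range from the advisory: >= 2026.2.21, < 2026.4.10.
const isAffected = (v) =>
  compareVersions(v, "2026.2.21") >= 0 && compareVersions(v, "2026.4.10") < 0;

// Parse one combined-log-format line; returns null when the line does not match.
const LINE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})/;
function parseLine(line) {
  const m = LINE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], path: m[4].split("?")[0], status: Number(m[5]) };
}

// Requests to the helper route from untrusted sources that the server actually
// served (2xx/3xx, or 101 for a WebSocket upgrade) are the ones to investigate.
function findSuspectRequests(lines) {
  return lines.map(parseLine).filter((e) =>
    e !== null &&
    (e.path === NOVNC_ROUTE || e.path.startsWith(NOVNC_ROUTE + "/")) &&
    !isTrusted(e.ip) &&
    (e.status === 101 || (e.status >= 200 && e.status < 400)));
}

// Constructed sample log lines (documentation IP ranges, invented timestamps).
const SAMPLE_LOG = [
  `127.0.0.1 - - [03/Mar/2026:10:00:01 +0000] "GET ${NOVNC_ROUTE} HTTP/1.1" 200 512`,
  `203.0.113.7 - - [03/Mar/2026:10:02:44 +0000] "GET ${NOVNC_ROUTE}?x=1 HTTP/1.1" 200 512`,
  `203.0.113.7 - - [03/Mar/2026:10:02:45 +0000] "GET ${NOVNC_ROUTE} HTTP/1.1" 101 0`,
  `198.51.100.9 - - [03/Mar/2026:10:05:10 +0000] "GET ${NOVNC_ROUTE} HTTP/1.1" 401 0`,
  `203.0.113.7 - - [03/Mar/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200 100`,
  `10.20.0.5 - - [03/Mar/2026:10:07:00 +0000] "GET ${NOVNC_ROUTE} HTTP/1.1" 200 512`,
];
console.log(findSuspectRequests(SAMPLE_LOG));
```

Any hit from `findSuspectRequests` on an affected version marks a session whose visible credentials should be rotated under step 4.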
Frequently Asked Questions
Is GHSA-92jp-89mq-4374 actively exploited?
No confirmed active exploitation of GHSA-92jp-89mq-4374 has been reported, but organizations should still patch proactively.
What systems are affected by GHSA-92jp-89mq-4374?
This vulnerability affects the following AI/ML architecture patterns: agent frameworks, sandbox environments, browser automation pipelines, computer-use agents.
What is the CVSS score for GHSA-92jp-89mq-4374?
No CVSS score has been assigned yet.
What is the AI security impact?
MITRE ATLAS Techniques
- AML.T0049 Exploit Public-Facing Application
- AML.T0053 AI Agent Tool Invocation
- AML.T0055 Unsecured Credentials
- AML.T0106 Exploitation for Credential Access
What are the technical details?
Original Advisory
## Summary
Sandbox noVNC helper route exposed interactive browser session credentials.
## Affected Packages / Versions
- Package: `openclaw`
- Ecosystem: npm
- Affected versions: `>= 2026.2.21 < 2026.4.10`
- Patched versions: `>= 2026.4.10`
## Impact
The sandbox noVNC helper route could be reached without the intended bridge authentication, exposing an interactive browser session surface.
## Technical Details
The fix gates the sandbox noVNC helper route behind bridge authentication.
## Fix
The issue was fixed in #63882. The first stable tag containing the fix is `v2026.4.10`, and `openclaw@2026.4.14` includes the fix.
## Fix Commit(s)
- `8dfbf3268bd224b7377d1ecca77a445100746085`
- PR: #63882
## Release Process Note
Users should upgrade to `openclaw` 2026.4.10 or newer. The latest npm release, `2026.4.14`, already includes the fix.
## Credits
Thanks to @zsxsoft, with sponsorship from @KeenSecurityLab and @qclawer for reporting this issue.
Exploitation Scenario
An adversary scans internet-exposed hosts for openclaw's default noVNC helper route using a port scanner or search engine query for known endpoint paths. Upon reaching the endpoint without any authentication prompt, they gain a live interactive view of the AI agent's browser session — including web applications currently open, credentials being entered, API keys visible in developer tools, and internal dashboards the agent is navigating. In an agentic context where openclaw manages autonomous browsing tasks, the adversary can inject mouse and keyboard input to redirect agent actions toward attacker-controlled objectives. Given the established openclaw skill abuse pattern documented in AIID #1368, a threat actor could chain this browser session access with existing knowledge of openclaw's ecosystem to automate credential harvesting from multiple exposed deployments.
Weaknesses (CWE)
CWE-306 — Missing Authentication for Critical Function: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
- [Architecture and Design] Divide the software into anonymous, normal, privileged, and administrative areas. Identify which of these areas require a proven user identity, and use a centralized authentication capability. Identify all potential communication channels, or other means of interaction with the software, to ensure that all channels are appropriately protected, including those channels that are assumed to be accessible only by authorized parties. Developers sometimes perform authentication at the primary channel, but open up a secondary channel that is assumed to be private. For example, a login mechanism may be listening on one network port, but after successful authentication, it may open up a second port where it waits for the connection, but avoids authentication because it assumes that only the authenticated party will connect to the port. In general, if the software or protocol allows a single session or user state to persist across multiple connections or channels, authentication and appropriate
- [Architecture and Design] For any security checks that are performed on the client side, ensure that these checks are duplicated on the server side, in order to avoid CWE-602. Attackers can bypass the client-side checks by modifying values after the checks have been performed, or by changing the client to remove the client-side checks entirely. Then, these modified values would be submitted to the server.
Source: MITRE CWE corpus.
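The centralized-authentication mitigation above, sketched as a router in which every route must declare its access level and the check runs at a single choke point before any handler. This is an added illustration, not openclaw's code or its fix; the route paths, token value and function names are hypothetical.

```javascript
// Added illustration of the CWE-306 mitigation; not openclaw's implementation.
// Paths, the token value and all names here are hypothetical.

// Comparison without early exit on the first differing character
// (length is still observable, which is acceptable for fixed-length tokens).
function safeEqual(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) {
    return false;
  }
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function createRouter(expectedToken) {
  const routes = new Map();
  return {
    // A route cannot be registered without an explicit access level, so a
    // secondary helper route cannot silently default to unauthenticated.
    add(path, access, handler) {
      if (access !== "public" && access !== "authenticated") {
        throw new Error(`route ${path} must declare "public" or "authenticated"`);
      }
      routes.set(path, { access, handler });
    },
    // Single choke point: authentication is decided before any handler runs.
    handle(req) {
      const route = routes.get(req.path);
      if (!route) return { status: 404 };
      if (route.access === "authenticated") {
        const header = (req.headers || {}).authorization || "";
        const token = header.startsWith("Bearer ") ? header.slice(7) : "";
        if (!safeEqual(token, expectedToken)) return { status: 401 };
      }
      return route.handler(req);
    },
  };
}

const router = createRouter("constructed-bridge-token");
router.add("/health", "public", () => ({ status: 200, body: "ok" }));
// Hypothetical helper route that exposes an interactive session view.
router.add("/sandbox/helper-placeholder", "authenticated",
  () => ({ status: 200, body: "session view" }));
```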
Related Vulnerabilities
| CVE | Score | Summary | Relation |
|---|---|---|---|
| CVE-2026-33579 | 9.9 | OpenClaw: scope bypass escalates low-priv to admin | Same package: openclaw |
| CVE-2026-32922 | 9.9 | OpenClaw: privilege escalation to RCE via token scope bypass | Same package: openclaw |
| CVE-2026-32038 | 9.8 | Analysis pending | Same package: openclaw |
| CVE-2026-30741 | 9.8 | OpenClaw: RCE via request-side prompt injection | Same package: openclaw |
| CVE-2026-53838 | 9.8 | OpenClaw: approval scope bypass via reconnection state | Same package: openclaw |