CVE-2026-43575: OpenClaw Critical Auth Bypass Exposes Browser Sessions
The National Vulnerability Database has disclosed CVE-2026-43575, a critical authentication bypass vulnerability impacting OpenClaw versions 2026.2.21 before 2026.4.10. This flaw, rated 9.8 CVSS (CRITICAL), resides in the sandbox noVNC helper route.
Attackers can exploit this vulnerability to gain unauthorized access to interactive browser sessions. The bypass allows direct access to the noVNC helper route without requiring bridge authentication, effectively exposing credentials and potentially sensitive session data. This is not a theoretical risk; it’s a direct path to session hijacking.
For defenders, this is a severe blind spot. An unauthenticated attacker can walk right into active sessions, which means immediate compromise of user context and access. Organizations utilizing OpenClaw must prioritize patching or mitigating this vulnerability to prevent critical data exposure and unauthorized system access.
What This Means For You
- If your organization uses OpenClaw, you need to identify all instances running versions 2026.2.21 prior to 2026.4.10. This is a critical authentication bypass, meaning an attacker can get straight into your interactive browser sessions. Patch immediately to version 2026.4.10 or later, and audit logs for any unusual access to noVNC helper routes.
Related ATT&CK Techniques
🛡️ Detection Rules
3 rules · 6 SIEM formats3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK. Sigma YAML is free — export to any SIEM format via the Intel Bot.
CVE-2026-43575: OpenClaw Auth Bypass via noVNC Helper Route
title: CVE-2026-43575: OpenClaw Auth Bypass via noVNC Helper Route
id: scw-2026-05-06-ai-1
status: experimental
level: critical
description: |
Detects access to the OpenClaw noVNC helper route without proper authentication, which is the core of CVE-2026-43575. This bypass allows attackers to gain unauthorized access to interactive browser sessions.
author: SCW Feed Engine (AI-generated)
date: 2026-05-06
references:
- https://shimiscyberworld.com/posts/nvd-CVE-2026-43575/
tags:
- attack.initial_access
- attack.t1190
logsource:
category: webserver
detection:
selection:
cs-uri|contains:
- '/novnc/helper'
cs-method:
- 'GET'
sc-status:
- 200
condition: selection
falsepositives:
- Legitimate administrative activity
Source: Shimi's Cyber World · License & reuse
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-43575 | Auth Bypass | OpenClaw versions before 2026.4.10 |
| CVE-2026-43575 | Auth Bypass | OpenClaw versions 2026.2.21 |
| CVE-2026-43575 | Auth Bypass | sandbox noVNC helper route |
| CVE-2026-43575 | Information Disclosure | interactive browser session credentials |
Written by SCW Vulnerability Desk
Source & Attribution
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 06, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
Believe this infringes your rights? Submit a takedown request.
Related coverage
CVE-2026-41484 — OpenTelemetry.Exporter.OneCollector is a .NET exporter that
CVE-2026-41484 — OpenTelemetry.Exporter.OneCollector is a .NET exporter that sends telemetry to a OneCollector back-end over HTTP. In versions 1.15.0 and earlier, when a request to...
CVE-2026-41483 — OpenTelemetry.Resources.Azure is the .NET resource detector
CVE-2026-41483 — OpenTelemetry.Resources.Azure is the .NET resource detector for Azure environments. In versions 1.15.0-beta.1 and earlier, the AzureVmMetaDataRequestor class makes HTTP requests to the Azure...
CVE-2026-41417 — Netty allows request-line validation to be bypassed when a
CVE-2026-41417 — Netty allows request-line validation to be bypassed when a `DefaultHttpRequest` or `DefaultFullHttpRequest` is created first and its URI is later changed via `setUri()`....