OpenClaw is a browser sandbox orchestrator used by AI agent teams and automated testing pipelines to programmatically drive a Chrome browser via the Chrome DevTools Protocol (CDP). On May 6, 2026, three critical CVEs were published simultaneously. All three are authentication bypasses on sandbox components, and they expose browser session data, Feishu commands, and Chrome's DevTools Protocol beyond the intended perimeter.
If you run OpenClaw in production (notably for AI agent workloads scraping the web or executing tasks in a headful browser), patching is urgent — each CVE alone is enough to compromise the sandbox and access session data from the orchestrated browser.
The 3 CVEs at a glance
| CVE | Component | CVSS | Effect |
|---|---|---|---|
| CVE-2026-43575 | noVNC helper route | 9.8 | Unauthenticated access to interactive browser session credentials |
| CVE-2026-44109 | Feishu webhook + card-action | 9.8 | Signature bypass → arbitrary command dispatch |
| CVE-2026-43581 | CDP relay sandbox browser | 9.6 | Chrome DevTools Protocol exposed on 0.0.0.0 |
CVE-2026-43575 — noVNC Helper Auth Bypass
The bug
OpenClaw offers a noVNC viewer feature so an operator can visually see and interact with the sandboxed browser. This helper route is supposed to be protected by bridge authentication — a server-side validation mechanism ensuring only authorized users access the VNC stream.
The CVE reveals that the noVNC helper route fails to validate this authentication bridge correctly under certain conditions, exposing browser session credentials (cookies, tokens, current connection state to services) to any attacker with network access.
Consequence
An attacker can:
- View the sandboxed browser screen in real time
- Interact with it (clicks, keyboard input)
- Steal session credentials of sites visited by the sandbox (Gmail, GitHub, Slack…)
- Retrieve authenticated cookies of connected services
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.8 (CRITICAL) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-287 (Improper Authentication) |
| Patched version | 2026.4.10 |
CVE-2026-44109 — Feishu Webhook Auth Bypass
The bug
OpenClaw supports Feishu integration (ByteDance's collaboration platform) letting users trigger sandbox actions via Feishu webhooks or card-actions.
Request authentication relies on:
- A shared encryptKey
- A callback token used as signature
The CVE reveals a dangerous fail-open: when encryptKey is not configured or the callback token is blank, validation returns OK instead of rejecting the request. Concretely, anyone can send a forged Feishu payload and execute arbitrary commands on OpenClaw's command dispatcher.
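The fail-open pattern described above, next to its fail-closed correction, as an added example that is not OpenClaw's code. The config keys `encryptKey` and `callbackToken`, the request fields, and the SHA-256 signing scheme are assumptions chosen for illustration, and all values are constructed.

```python
import hashlib
import hmac

def sign(timestamp: str, nonce: str, encrypt_key: str, body: bytes) -> str:
    # Stand-in scheme (assumption): SHA-256 over timestamp + nonce + key + body.
    return hashlib.sha256((timestamp + nonce + encrypt_key).encode() + body).hexdigest()

def _matches(cfg: dict, req: dict) -> bool:
    expected = sign(req.get("timestamp", ""), req.get("nonce", ""),
                    cfg["encryptKey"], req.get("body", b""))
    # Constant-time comparisons on bytes, for both the signature and the token.
    sig_ok = hmac.compare_digest(expected.encode(), req.get("signature", "").encode())
    tok_ok = hmac.compare_digest(cfg["callbackToken"].encode(), req.get("token", "").encode())
    return sig_ok and tok_ok

def validate_fail_open(cfg: dict, req: dict) -> bool:
    # Flawed pattern: an unset key or blank token is treated as "nothing to check".
    if not cfg.get("encryptKey") or not cfg.get("callbackToken"):
        return True
    return _matches(cfg, req)

def validate_fail_closed(cfg: dict, req: dict) -> bool:
    # Hardened pattern: missing secrets are a configuration error, so reject.
    if not cfg.get("encryptKey") or not cfg.get("callbackToken"):
        return False
    return _matches(cfg, req)

def demo() -> dict:
    unsigned = {"body": b'{"action": "navigate"}'}  # constructed request, no credentials
    blank_token = {"encryptKey": "k-constructed", "callbackToken": ""}
    good_cfg = {"encryptKey": "k-constructed", "callbackToken": "t-constructed"}
    signed = {"timestamp": "1", "nonce": "n", "body": b"{}", "token": "t-constructed"}
    signed["signature"] = sign("1", "n", good_cfg["encryptKey"], signed["body"])
    return {
        "open_unconfigured": validate_fail_open({}, unsigned),
        "open_blank_token": validate_fail_open(blank_token, unsigned),
        "closed_unconfigured": validate_fail_closed({}, unsigned),
        "closed_blank_token": validate_fail_closed(blank_token, unsigned),
        "closed_signed": validate_fail_closed(good_cfg, signed),
        "closed_unsigned": validate_fail_closed(good_cfg, unsigned),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The only difference between the two validators is the return value on missing configuration, which is why the hardening advice is to set both secrets even when the integration is idle.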
Consequence
OpenClaw's command dispatcher typically allows:
- Browser control (navigate, click, fill, screenshot)
- JavaScript execution in the page
- Access to logs and sandbox state
An attacker can therefore fully control the sandboxed browser without any valid authentication.
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.8 (CRITICAL) |
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CWE | CWE-287 (Improper Authentication) + CWE-636 (Not Failing Securely) |
| Patched version | 2026.4.15 |
CVE-2026-43581 — Chrome DevTools Protocol exposed on 0.0.0.0
The bug
OpenClaw launches Chrome with Chrome DevTools Protocol (CDP) enabled for orchestration. CDP is normally bound to 127.0.0.1 (localhost only) to stay within the sandbox container's perimeter.
In affected versions, the CDP relay is bound to 0.0.0.0 — reachable from any IP that can reach the container. This includes:
- Other containers on the same Docker/Kubernetes network (lateral movement)
- The corporate network if the sandbox is exposed
- The internet if the sandbox has a public IP
Consequence
CDP lets an attacker:
- Issue arbitrary HTTP requests from the browser (SSRF)
- Read/write cookies, localStorage, IndexedDB
- Execute JavaScript on any open origin
- Capture screenshots and DOM content
This is equivalent to RCE in the sandboxed browser from the network.
Characteristics
| Field | Value |
|---|---|
| CVSS 3.1 | 9.6 (CRITICAL) |
| Vector | AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H (adjacent network) |
| CWE | CWE-1327 (Binding to Improper Network Interface) |
| Patched version | 2026.4.10 |
Affected Products and Versions
| CVE | Affected versions | Patched version |
|---|---|---|
| CVE-2026-43575 (noVNC) | < 2026.4.10 | 2026.4.10 |
| CVE-2026-44109 (Feishu) | < 2026.4.15 | 2026.4.15 |
| CVE-2026-43581 (CDP) | < 2026.4.10 | 2026.4.10 |
→ Upgrading to 2026.4.15 or higher fixes all three.
Combined Exploitation and Impact
Real impact depends on your OpenClaw deployment architecture:
Scenario 1 — OpenClaw exposed to the internet (sandbox SaaS)
Anyone on the internet can:
- View and interact with in-progress sandboxed browsers (CVE-2026-43575)
- Drive the browser via forged Feishu webhook (CVE-2026-44109)
- Manipulate the DOM via exposed CDP (CVE-2026-43581)
→ Mass credential theft, exfiltration of data processed by AI agents using the sandbox.
Scenario 2 — Internal OpenClaw (DevOps/automated testing)
An attacker already on the corporate network (post-phishing, for example) can reach OpenClaw via CDP exposed on 0.0.0.0 and pivot into the sandbox to reach the internal services (intranet, business apps) that the sandbox currently has access to.
Scenario 3 — AI agent orchestrating sensitive actions
If OpenClaw is used by an AI agent to perform authenticated actions (bank login, ERP, etc.), the attacker can hijack these sessions to perform fraudulent transactions in the name of the agent's account.
Detection and IOCs
OpenClaw logs
```bash
# Hunt noVNC access from external IPs
# (assumes the client IP is the first field of each log line)
grep -E "novnc.*helper" /var/log/openclaw/access.log | \
  grep -vE "^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)"

# Feishu webhook without valid encryptKey/token
grep -E "feishu.*webhook" /var/log/openclaw/access.log | \
  grep -iE "fail-open|no-auth|missing"
```
Network audit
```bash
# Check on which interfaces CDP is bound
netstat -tlnp | grep chrome
# ss shows the owning process name, so match on the CDP port or on chrome
ss -tlnp | grep -E ':9222|chrome'
# Should be 127.0.0.1:9222, never 0.0.0.0:9222
```
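The same binding check as a parser over `ss -tln` output, added here as an example that is not part of OpenClaw. It also catches the `*` and `[::]` wildcard forms that a search for `0.0.0.0` misses. The sample lines are constructed, and port 9222 is the default named on this page.

```python
import ipaddress

CDP_PORT = 9222  # default CDP port named on the page

# Constructed sample of `ss -tlnp` output (header line omitted).
SAMPLE_SS = """\
LISTEN 0 10  127.0.0.1:9222  0.0.0.0:*  users:(("chrome",pid=41,fd=88))
LISTEN 0 10  0.0.0.0:9222    0.0.0.0:*  users:(("chrome",pid=57,fd=90))
LISTEN 0 10  [::1]:9222      [::]:*     users:(("chrome",pid=41,fd=89))
LISTEN 0 10  [::]:9222       [::]:*     users:(("chrome",pid=57,fd=91))
LISTEN 0 10  *:9222          *:*        users:(("chrome",pid=63,fd=12))
LISTEN 0 128 0.0.0.0:8080    0.0.0.0:*  users:(("nginx",pid=9,fd=6))
"""

def exposed_listeners(ss_output: str, port: int = CDP_PORT) -> list:
    """Return local address:port entries on `port` that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header row and anything that is not a listening socket.
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        local = fields[3]
        host, _, port_str = local.rpartition(":")
        if port_str != str(port):
            continue
        # Drop IPv6 brackets and any %interface scope suffix.
        host = host.strip("[]").split("%")[0]
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:
            loopback = False  # "*" wildcard or unparseable: flag for review
        if not loopback:
            findings.append(local)
    return findings

if __name__ == "__main__":
    for entry in exposed_listeners(SAMPLE_SS):
        print(f"CDP reachable beyond loopback: {entry}")
```

On a live host, pass the captured output of `ss -tln` to `exposed_listeners` in place of the sample.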
Indicators of compromise
- Unexpected WebSocket connections on the CDP port (9222 by default) from non-whitelisted IPs
- Unsolicited CDP requests (`Page.navigate`, `Runtime.evaluate`, `Network.getAllCookies`)
- Browser sessions abnormally closed/relaunched
Mitigation and Patch
Immediate action: upgrade to 2026.4.15+
```bash
# Docker
docker pull openclaw/openclaw:2026.4.15
docker compose up -d

# Verify
docker inspect openclaw --format '{{.Config.Image}}'
```
Temporary workaround (if patching is delayed)
- Network: isolate OpenClaw behind a firewall or K8s network policy allowing only admin IPs
- CDP: force localhost binding via Chrome config override: `--remote-debugging-address=127.0.0.1`
- Disable Feishu webhook if unused (OpenClaw config → set `feishu.enabled = false`)
- Disable noVNC if not needed in prod
Long-term hardening
- Always deploy OpenClaw on a strictly internal network, behind a VPN or mTLS
- Configure `encryptKey` and Feishu `callback token` even if the integration isn't actively used (prevents fail-open)
- Regular audit of container network interfaces (`docker network inspect`)
- Place a WAF/reverse proxy in front of the sandbox with mandatory auth on every route
Why Continuous Monitoring of Sandboxes and Orchestrators Matters
Browser sandboxes, AI agent orchestrators, and automated testing tools are an emerging and poorly monitored infrastructure category. Many run internally without a security inventory, despite handling highly sensitive authenticated credentials. A CVE like CVE-2026-44109 (auth bypass via fail-open) is typical of this category of relatively young tools — less mature on the security side.
With cveo.tech, inventory your sandboxes (OpenClaw, Browserless, Playwright Grid, Selenium Hub) and agent orchestrators (LangChain, AutoGen, CrewAI) and get automatic alerts when a critical CVE targets one of your exact versions — so you patch before your AI agents become an entry door into your business apps.