HIGH 7.7

GHSA-25gx-x37c-7pph

OpenClaw's sandbox browser noVNC observer lacked VNC authentication

Details

The sandbox browser entrypoint launched `x11vnc` without authentication (`-nopw`) for noVNC observer sessions.

OpenClaw-managed runtime flow publishes the noVNC port to host loopback only (`127.0.0.1`), so default exposure is local to the host unless operators explicitly expose the port more broadly (or run the image standalone with broad port publishing).

## Affected Packages / Versions

- Package: `docker/openclaw`
- Affected: `<= 2026.2.19-2`
- Patched: `>= 2026.2.21`

## Technical details

- `scripts/sandbox-browser-entrypoint.sh` used `x11vnc ... -nopw` for the noVNC observer flow.
- `websockify` exposed noVNC for the container listener.
- The OpenClaw runtime (`src/agents/sandbox/browser.ts`) already mapped the host publish to loopback, but observer auth was missing.

## Fix

- Require VNC password auth in the sandbox browser entrypoint (`x11vnc -rfbauth`), replacing `-nopw`.
- Generate a per-container noVNC password in the runtime and inject `OPENCLAW_BROWSER_NOVNC_PASSWORD`.
- Emit short-lived noVNC observer token URLs instead of sharing raw noVNC passwords in shared URLs.
- Keep the loopback-only host port publish and bump the sandbox browser security hash epoch.
- Add security audit findings for sandbox browser containers that publish ports on non-loopback interfaces.

Operational note: rebuild the sandbox browser image and recreate browser containers so existing containers pick up the fix.
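The two defensive pieces of the fix above, as an added POSIX sh example that is not OpenClaw's entrypoint or runtime code: a helper that builds the `x11vnc` observer command line with `-rfbauth` and has no `-nopw` fallback, and an audit over `docker port` output that flags noVNC mappings published on non-loopback host interfaces, mirroring the new security-audit finding. The env var name is from the advisory; container port 6080, the sample mappings and the `-localhost` container-layout assumption are constructed here, and `x11vnc` itself is not executed.

```shell
# Added example, not OpenClaw's entrypoint. Assumptions: the env var name
# OPENCLAW_BROWSER_NOVNC_PASSWORD is from the advisory; port 6080 and the
# container mappings below are constructed; x11vnc itself is not run here.

# Build the x11vnc argument list for the observer session. There is no
# `-nopw` fallback: an empty password fails the function, so the caller
# cannot start an unauthenticated VNC server by mistake.
x11vnc_args() {
    passfile="$1"
    password="$2"
    if [ -z "$password" ]; then
        echo "OPENCLAW_BROWSER_NOVNC_PASSWORD is unset; refusing unauthenticated x11vnc" >&2
        return 1
    fi
    # A real entrypoint would first run: x11vnc -storepasswd "$password" "$passfile"
    # (the stored hash is what -rfbauth reads), then exec with these arguments.
    # -localhost keeps the raw RFB port on the container loopback so only the
    # co-located websockify reaches it (assumption about the container layout).
    printf '%s\n' -display :0 -rfbauth "$passfile" -localhost -shared -forever
}

# Audit `docker port <container>` output, one mapping per line, e.g.
#   6080/tcp -> 127.0.0.1:6080   (loopback: fine)
#   6080/tcp -> 0.0.0.0:6080     (finding)
# Prints every mapping on a non-loopback host interface; exit 0 only if none.
audit_port_bindings() {
    findings=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        hostpart="${line##*-> }"      # "0.0.0.0:6080" or "[::]:6080"
        host_ip="${hostpart%:*}"      # "0.0.0.0" or "[::]"
        case "$host_ip" in
            127.*|::1|'[::1]') ;;
            *) echo "non-loopback publish: $line"; findings=$((findings + 1)) ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample of what `docker port` prints for a sandbox browser
# container that an operator published too broadly.
SAMPLE_PORTS='6080/tcp -> 127.0.0.1:6080
6080/tcp -> 0.0.0.0:6080
6080/tcp -> [::]:6080'

if printf '%s\n' "$SAMPLE_PORTS" | audit_port_bindings; then
    echo "noVNC publish is loopback-only"
else
    echo "noVNC observer port reachable beyond the host; restrict to 127.0.0.1" >&2
fi
```

Wire the first helper in with `exec x11vnc $(x11vnc_args "$PASSFILE" "$OPENCLAW_BROWSER_NOVNC_PASSWORD")` after storing the password, and run the audit against each sandbox browser container's `docker port` output.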

## Fix Commit(s)

- `621d8e1312482f122f18c43c72c67211b141da01`
- `8c1518f0f3e0533593cd2dec3a46c9b746753661`

## Release Process Note

The patched version is pre-set to the planned next release (`2026.2.21`). After the npm release, this advisory can be published without further field edits.

OpenClaw thanks @TerminalsandCoffee for reporting.


Affected packages

- npm / openclaw: introduced in 0, fixed in 2026.2.21
- Fix: `npm install openclaw@2026.2.21`

References