OpenClaw: GitHub’s Fastest-Ever Rising Star Becomes 2026’s First Major AI Security Disaster
From 20,000 GitHub stars in a single day to 135,000+ publicly exposed instances, a viral open-source AI agent has triggered a cascading, multi-vector security crisis — with real victims already emerging.
If you are running any version of OpenClaw prior to v2026.2.25, you are vulnerable to the ClawJacked remote takeover flaw. Patch immediately by running:
At minimum, bind your instance to localhost only by changing the binding to 127.0.0.1:18789 in your config.
- Open-source autonomous AI agent, formerly called Clawdbot, then Moltbot
- Connects to messaging apps: WhatsApp, Telegram, Slack, Discord
- Runs 24/7 with full system-level access — files, browser, terminal, OAuth tokens
- Designed for Apple hardware (macOS primary), but cross-platform
- Default control interface: port 18789, binds to all interfaces (0.0.0.0) out of the box
- Triggered a Mac mini shortage in several U.S. stores in January 2026
In late January 2026, the technology world was briefly swept up in infectious excitement. An open-source project then called Clawdbot — a persistent, always-on AI agent that could take commands via WhatsApp, automate your server, write its own code, and act on your behalf across every app you connected to it — accumulated over 20,000 GitHub stars in a single 24-hour period. Within weeks, it had surpassed 100,000 stars, outpacing the adoption trajectory of React, Vue, and nearly every other repository in GitHub’s history.
Anthropic, unhappy with the name’s similarity to their Claude branding, prompted a rebrand to “Moltbot,” and then days later to the current “OpenClaw.” The lobster icon became a viral symbol of an exciting new era of autonomous AI. Then the security researchers arrived.
What followed has been described by Cisco as a “security nightmare” — a cascading, multi-vector crisis involving a critical remote code execution vulnerability, a large-scale supply-chain poisoning campaign in its plugin marketplace, and deep architectural weaknesses that make every instance a potential springboard for attackers.
The fundamental problem is not subtle. OpenClaw grants itself full disk access, terminal permissions, browser control, and OAuth tokens for every service you integrate — by design, because that is precisely what makes it useful. But it binds its control interface to 0.0.0.0:18789 by default, meaning it listens on every network interface, including the public internet. For a tool with administrator-level power over your system, the correct default would be 127.0.0.1 (localhost only). It is not.
“If you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.” — OpenClaw maintainer, in the project’s official Discord server
A researcher using the handle @fmdz387 was among the first to quantify the damage, running a Shodan scan in late January to discover nearly 1,000 OpenClaw instances sitting open on the public internet with zero authentication. Researcher Jamieson O’Reilly went further, gaining access to Anthropic API keys, Telegram bot tokens, Slack accounts, complete months of private chat histories, and — most critically — the ability to execute arbitrary commands with full system administrator privileges on victim machines.
By January 31, Censys had tracked growth from approximately 1,000 to over 21,600 publicly exposed instances — a 21x increase in one week. Bitsight independently observed over 30,000 instances during a January 27–February 8 analysis window, with a honeypot they stood up on port 18789 immediately attracting scanner traffic. An independent study by security researcher Maor Dayan identified 42,665 exposed instances, of which 5,194 were actively verified as vulnerable, with 93.4% of those exhibiting authentication bypass conditions.
Then SecurityScorecard’s STRIKE team published internet-wide scan data in early February. The number: over 135,000 exposed OpenClaw instances across 82 countries. More than 50,000 of those are vulnerable to remote code execution as of this writing. The majority run on cloud infrastructure — DigitalOcean, Alibaba Cloud, and Tencent are the most common hosts — meaning many are organizational deployments, not hobbyist home setups.
Timeline of the Crisis
Clawdbot goes viral. Over 20,000 GitHub stars in 24 hours. Mac mini shortage reported in several U.S. stores as users rush to set up always-on home servers.
Anthropic prompts rebrand: Clawdbot → Moltbot → OpenClaw. Kaspersky security audit identifies 512 vulnerabilities, 8 classified as critical. Researcher @fmdz387 finds ~1,000 unauthenticated instances online. Researcher Jamieson O’Reilly achieves full RCE and credential theft on exposed instances.
OpenClaw patches CVE-2026-25253 (CVSS 8.8) in version v2026.1.29. Three high-severity security advisories issued simultaneously, including two additional command injection vulnerabilities.
Censys reports 21,639 exposed instances — a 21x increase in one week. ClawHavoc supply-chain campaign discovered: 341 malicious skills found on ClawHub marketplace, primarily delivering Atomic macOS Stealer (AMOS) malware.
SecurityScorecard STRIKE team identifies 135,000+ exposed instances across 82 countries. 12,000–15,000 instances vulnerable to RCE. Malicious ClawHub skills count climbs to 820+ (~20% of the entire registry). Bitsight observes 30,000+ exposed instances independently.
Endor Labs discloses six additional vulnerabilities including CVE-2026-26322 (SSRF, CVSS 7.6) and CVE-2026-26319 (webhook auth bypass, CVSS 7.5).
ClawJacked vulnerability disclosed. OpenClaw patches in v2026.2.25. As of this writing, 50,000+ instances remain unpatched and vulnerable to RCE. Total exposed instance count still growing.
Crisis ongoing. CISA has referenced OpenClaw in vulnerability communications. Researchers confirm malicious ClawHub skills remain discoverable under variant package names. VirusTotal partnership has blocked some known malicious skills from download.
Key Vulnerabilities at a Glance
| CVE / ID | Type | Severity | Patched In |
|---|---|---|---|
| CVE-2026-25253 | Remote Code Execution (one-click RCE chain via gateway URL) | CVSS 8.8 | v2026.1.29 |
| ClawJacked | Remote takeover / authentication bypass | CVSS 8.8 | v2026.2.25 |
| CVE-2026-26322 | Server-Side Request Forgery (SSRF) — Gateway tool | CVSS 7.6 | v2026.2.12+ |
| CVE-2026-26319 | Missing Telnyx webhook authentication | CVSS 7.5 | v2026.2.12+ |
| CVE-2026-26329 | Path traversal in browser file upload | High | v2026.2.12+ |
| CVE-2026-27001 | Prompt injection via workspace path | High | v2026.2.23 |
What Users Must Do Now
- Update immediately to v2026.2.25 or later. Run `openclaw update`
- Bind to localhost only. Change your config so OpenClaw listens on 127.0.0.1:18789, not 0.0.0.0:18789
- Audit ClawHub skills. Remove any skill not from a verified, trusted source. Over 820 malicious skills have been confirmed
- Do not run on your primary machine. Use a dedicated spare computer or isolated VPS
- Enable authentication. Use Tailscale Serve or enforce password-based auth with short-lived pairing codes — never static tokens in URLs
- Rotate all credentials. If your instance was ever exposed, assume your API keys, OAuth tokens, and chat history are compromised
- Limit access aggressively. Apply an allowlist-only policy for open ports and isolate the device at the network level
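A local check for the localhost-binding step above, added here as an example (not OpenClaw's own code): it reads the output of `lsof -nP -iTCP -sTCP:LISTEN` or `ss -ltn` and reports whether anything listening on port 18789 is bound to all interfaces. The sample output, process name and function names are constructed for illustration.

```python
import ipaddress
import re

CONTROL_PORT = 18789  # default control-interface port named in the article

# Local-address token as printed by lsof or ss, e.g. "*:18789",
# "0.0.0.0:18789", "[::]:18789", "127.0.0.1:18789".
_ADDR = re.compile(r"(?<!\S)(\*|\[[0-9a-fA-F:.]+\]|[0-9.]+):(\d+)(?!\S)")

def classify_bind(host):
    """Classify a bind host as all-interfaces, loopback or single-interface."""
    if host == "*":
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return "unparsed"
    if addr.is_unspecified:          # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:             # 127.0.0.0/8 or ::1
        return "loopback"
    return "single-interface"        # reachable from that interface's network

def audit_listeners(text, port=CONTROL_PORT):
    """Return [(bind_token, verdict)] for each listening socket on `port`."""
    findings = []
    for line in text.splitlines():
        if "LISTEN" not in line:
            continue
        for host, found_port in _ADDR.findall(line):
            if int(found_port) == port:
                findings.append((f"{host}:{found_port}", classify_bind(host)))
                break                # first match on a line is the local address
    return findings

# Constructed sample output (process name, PIDs and devices are made up).
SAMPLE_LSOF = """\
COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME
agent   4312 demo 23u  IPv4 0xabc1      0t0  TCP *:18789 (LISTEN)
agent   5120 demo 24u  IPv4 0xabc2      0t0  TCP 127.0.0.1:18789 (LISTEN)
sshd     801 root  3u  IPv4 0xabc3      0t0  TCP *:22 (LISTEN)
"""
SAMPLE_SS = """\
LISTEN 0      511      0.0.0.0:18789      0.0.0.0:*
LISTEN 0      511        [::1]:18789         [::]:*
"""

if __name__ == "__main__":
    for token, verdict in audit_listeners(SAMPLE_LSOF) + audit_listeners(SAMPLE_SS):
        print(f"{token:<18} {verdict}")
```

Any `all-interfaces` or `single-interface` verdict means the control port is reachable beyond the local machine and the bind address still needs to be changed to 127.0.0.1.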
Security expert Jeremy Turner of SecurityScorecard summarized the risk plainly: “It’s like giving some random person access to your computer to help do tasks. If you supervise and verify, it’s a huge help. If you just walk away and tell them all future instructions will come via email or text message, they might follow instructions from anyone.”
The OpenClaw crisis is being watched closely as a bellwether event for autonomous AI agent security broadly. In the same two-week window, Claude Code had critical RCE vulnerabilities discovered through repository config files, over 8,000 MCP servers were found exposed on the public internet, and the Coalition for Secure AI published its first comprehensive threat model for agent deployments. The common thread — an AI agent given sweeping system privileges and connected to the internet without governance — is not unique to OpenClaw. It is the defining security challenge of the agentic AI era.
Live exposure tracking is available at declawed.io. Users with confirmed compromised instances should contact their cloud provider’s abuse team and consider filing a report with CISA.
