In late 2025, a self-hosted AI agent called OpenClaw — formerly known as Clawdbot, then briefly Moltbot — exploded onto the developer scene. It shot past 20,000 GitHub stars in a single day and eventually surpassed 300,000 stars, reportedly causing shortages of Mac mini hardware in several U.S. markets. The tool’s appeal was immediate: a persistent, fully autonomous AI that could manage your email, execute shell commands, browse the web, and interface through WhatsApp, Telegram, Slack, and iMessage.

That same autonomous reach has made OpenClaw the subject of one of the most consequential security crises in open-source AI history. Since January 2026, researchers have disclosed hundreds of vulnerabilities — command injection, privilege escalation, WebSocket hijacking, and an active supply-chain attack on its plugin marketplace. The CVE assignment system has struggled to keep pace.

  • 135,000+ instances exposed on the public internet, across 82 countries
  • 8.8 CVSS score of CVE-2026-25253 — the primary RCE flaw, exploitable in one click
  • 255+ security advisories published to OpenClaw’s GitHub GHSA page as of mid-March
  • 820+ malicious “skills” (plugins) identified in the ClawHub marketplace

Background

What Is OpenClaw?

OpenClaw is an open-source, self-hosted personal AI agent created by developer Peter Steinberger. Unlike conventional AI chatbots that respond to questions, OpenClaw acts autonomously: it reads and sends emails, manages calendars, runs terminal commands, browses the web, and connects to messaging platforms, all on your behalf and triggered by a casual message from your phone.

It stores persistent memory, retaining context, preferences, and history across sessions. Users routinely grant it full disk access, terminal permissions, and OAuth tokens to third-party services to make it functional. The project’s own maintainers acknowledge this risk: one noted in the project’s Discord that “if you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.”

On February 14, 2026, Steinberger announced he was joining OpenAI to lead personal agent development, with the OpenClaw project transitioning to an independent, OpenAI-sponsored foundation. The tool retained its massive user base but also inherited an accumulating security debt.

The Catalyst

CVE-2026-25253: The One-Click RCE That Started It All

The security crisis crystallized on February 3, 2026, when SecurityWeek published the first public disclosure of a critical flaw that had been discovered weeks earlier by researcher Henrique Branquinho in approximately 90 minutes of analysis. The vulnerability — assigned CVE-2026-25253 with a CVSS score of 8.8 — allowed a remote attacker to fully compromise any victim’s machine with a single mouse click.

Critical — CVE-2026-25253 (CVSS 8.8)

OpenClaw’s Control UI blindly trusted a gatewayUrl query parameter, automatically initiating a WebSocket connection to any URL it received — including attacker-controlled servers. Visiting a single crafted link caused the victim’s browser to transmit their stored authentication token to the attacker. Full command execution followed within milliseconds. This worked even against localhost-bound instances, because browsers do not apply cross-origin restrictions to WebSocket connections the way they do to standard HTTP requests.
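
The pattern the box describes, as an added example that is not OpenClaw’s code: the unsafe resolver trusts the gatewayUrl parameter outright, while the hardened one honours only a ws:/wss: URL whose full origin is on an explicit allowlist and otherwise falls back to the page’s own origin. The function names, the query-string handling and the allowlist are assumptions.

```javascript
// Added example, not OpenClaw's code. Models how a Control UI picks the
// gateway it opens a WebSocket to, from a ?gatewayUrl= query parameter.
// The unsafe variant is the CVE-2026-25253 pattern; the hardened one is the
// fix a reviewer would ask for. Parameter name and allowlist are assumptions.

// Vulnerable: whatever the link says wins, so a crafted link makes the UI
// send its stored token to whichever host the link names.
function resolveGatewayUrlUnsafe(search, pageOrigin) {
  const param = new URLSearchParams(search).get('gatewayUrl');
  return param || pageOrigin.replace(/^http/, 'ws');
}

// Hardened: only ws:/wss: URLs whose full origin is on an explicit allowlist
// are honoured; anything else silently falls back to the page's own origin.
function resolveGatewayUrl(search, pageOrigin, allowedOrigins) {
  const fallback = pageOrigin.replace(/^http/, 'ws');   // http->ws, https->wss
  const param = new URLSearchParams(search).get('gatewayUrl');
  if (!param) return fallback;
  let url;
  try {
    url = new URL(param);                 // throws on relative or malformed input
  } catch {
    return fallback;
  }
  const schemeOk = url.protocol === 'ws:' || url.protocol === 'wss:';
  // Compare scheme + host + port, never a hostname substring: a host such as
  // 127.0.0.1.attacker.example or a different port must not pass.
  if (!schemeOk || !allowedOrigins.has(url.origin)) return fallback;
  return url.href;
}
```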

By the time of public disclosure, security firm Censys had identified over 21,000 publicly exposed instances, growing from roughly 1,000 just a week earlier. SecurityScorecard’s STRIKE team ultimately documented over 135,000 exposed instances across 82 countries, with more than 15,000 directly vulnerable to remote code execution. Independent researcher Maor Dayan identified 42,665 exposed instances, finding that 93.4% exhibited authentication bypass conditions.

“Security researchers confirmed the attack chain takes milliseconds after a victim visits a single malicious webpage.”
Oasis Security, February 2026

A patch was included in version 2026.1.29, released on January 30 — just before public disclosure. However, because OpenClaw has no automatic update mechanism, users running older self-hosted installations remained vulnerable until they manually applied the patch. A subsequent audit by Cisco’s security team classified OpenClaw as a “security nightmare,” finding nine distinct vulnerability categories with two rated critical.

Key Vulnerabilities

Verified CVEs: A Cascading Wave of Disclosures

CVE-2026-25253 was not an isolated incident. It triggered a continuous stream of security advisories that has yet to fully stop. The following table covers verified, publicly disclosed CVEs sourced from the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), and VulnCheck:

| CVE ID | Severity | Description | Fixed In |
|---|---|---|---|
| CVE-2026-25253 | CVSS 8.8 | One-click auth token theft via unvalidated gatewayUrl WebSocket hijacking. Full RCE possible even against localhost-bound instances. | 2026.1.29 |
| CVE-2026-22172 | CVSS 9.9 | WebSocket clients can self-declare admin scopes, bypassing authentication entirely and gaining gateway control. | 2026.3.12 |
| CVE-2026-22176 | CVSS 7.8 | Windows command injection via unescaped environment variables in scheduled task .cmd scripts. Characters like &, \|, and ^ execute as separate commands. | 2026.2.19 |
| CVE-2026-22179 | High | macOS RCE via command substitution syntax ($(...) or backticks) embedded in double-quoted strings, bypassing the command allowlist. | 2026.3.12 |
| CVE-2026-32051 | High | Authenticated callers with operator.write scope can invoke owner-only control-plane surfaces (gateway, cron) through agent runs. | 2026.3.1 |
| CVE-2026-32056 | High | Shell startup environment variables (HOME, ZDOTDIR) not sanitized in system.run, enabling RCE via injected startup files such as .bash_profile. | 2026.2.22 |
| CVE-2026-32064 | CVSS 7.7 | Sandbox browser entrypoint launches x11vnc without authentication, allowing unauthenticated access to the VNC interface from the loopback interface. | 2026.2.21 |
| CVE-2026-32049 | High | Inbound media byte limits not consistently enforced across ingestion paths, enabling denial-of-service via oversized payloads. | 2026.2.22 |
| CVE-2026-32065 | CVSS 5.7 | Approval bypass in system.run command path: a token with a trailing space passes the approval UI but resolves to a different executable at runtime. | 2026.2.25 |
| CVE-2026-32018 | CVSS 6.6 | Race condition in concurrent sandbox registry operations causes data loss, entry resurrection, or state corruption. | 2026.2.19 |

Note on the Original Article’s Vulnerability IDs

The Chinese-language article under review cited vulnerabilities using “XVE” identifiers (e.g., XVE-2026-2113). These are not standard identifiers. Real OpenClaw vulnerabilities use CVE numbers assigned by the NVD and GHSA IDs from GitHub. “XVE” appears to be a proprietary internal tracking scheme used by the Chinese security firm ThreatBook (微步在线) and cannot be independently verified through public databases. The underlying vulnerability categories described (WebSocket privilege escalation, RCE via API proxy) are real, but the specific IDs are not publicly traceable.
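
The command-execution classes in the table above (CVE-2026-22176, CVE-2026-22179, CVE-2026-32056 and CVE-2026-32065) share one defensive shape: canonicalise what the user approves, run exactly those tokens without a shell, and never let the caller steer shell startup. The following is an added example, not OpenClaw’s code; the function names, the allowlist and the startup-variable denylist are assumptions.

```javascript
// Added example, not OpenClaw's code. An approval gate for a system.run-style
// tool: the text the user approves must be exactly what executes, and the
// child process is launched from an argv array with no shell in between.

// Substitution syntax that a POSIX shell still expands inside double quotes
// (the CVE-2026-22179 class): $(...), backticks and ${...}.
const SUBSTITUTION = /\$\(|`|\$\{/;
// Control operators and cmd.exe metacharacters (the CVE-2026-22176 class).
const CONTROL_CHARS = /[;&|<>^%\n]/;
// Variables that decide which startup files a shell sources when it starts
// (the CVE-2026-32056 class). Caller-supplied values for these are dropped.
const STARTUP_VARS = new Set(['HOME', 'ZDOTDIR', 'ENV', 'BASH_ENV', 'SHELL']);

// Returns { allowed: true, argv, approvedText } or { allowed: false, reason }.
function checkCommandForApproval(command, allowlist) {
  if (SUBSTITUTION.test(command)) return { allowed: false, reason: 'command substitution' };
  if (CONTROL_CHARS.test(command)) return { allowed: false, reason: 'shell control character' };
  // Canonicalise whitespace before the allowlist lookup: a trailing or doubled
  // space must not let a token pass the approval UI and then resolve to a
  // different executable at run time (the CVE-2026-32065 class).
  const argv = command.trim().split(/\s+/).filter(Boolean);
  if (argv.length === 0 || !allowlist.has(argv[0])) {
    return { allowed: false, reason: `executable not allowlisted: ${argv[0] ?? '(empty)'}` };
  }
  // argv is what execFile(argv[0], argv.slice(1)) receives; approvedText is
  // what the UI shows. They are built from the same tokens, so they cannot diverge.
  return { allowed: true, argv, approvedText: argv.join(' ') };
}

// Child environment: start from the gateway's own trusted env and accept caller
// overrides only for variables that cannot redirect shell startup. Names are
// compared case-insensitively because Windows treats them that way.
function buildChildEnv(trustedEnv, requested) {
  const env = { ...trustedEnv };
  const rejected = [];
  for (const [name, value] of Object.entries(requested)) {
    if (STARTUP_VARS.has(name.toUpperCase())) rejected.push(name);
    else env[name] = value;
  }
  return { env, rejected };
}
```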

Systemic Impact

The CVE System Is Struggling to Keep Up

OpenClaw’s GitHub security advisory page lists over 255 published advisories as of mid-March 2026. The scale overwhelmed the standard vulnerability assignment pipeline: VulnCheck formally asked the CVE Project’s researcher working group to reserve blocks of CVE IDs for OpenClaw advisories that were accumulating faster than numbers could be assigned. This has created a real gap where some patched vulnerabilities lack formal CVE designations, making it harder for security teams and scanning tools to track exposure.

A community-maintained tracker on GitHub (jgamblin/OpenClawCVEs) has stepped in to provide hourly-updated coverage, pulling from both the NVD CVE list and GitHub’s advisory database. As of late March 2026, it tracks 31 GHSAs with assigned CVE IDs, all fully published, plus hundreds of additional advisories pending CVE assignment.

Supply-Chain Attack

ClawHavoc: The Marketplace Poisoning Campaign

Running parallel to the infrastructure vulnerabilities was a coordinated supply-chain attack on ClawHub, OpenClaw’s plugin marketplace. Researchers at Koi Security identified the campaign — dubbed ClawHavoc — beginning in early February.

At its peak, over 820 malicious skills (approximately 20% of the ClawHub registry) had been identified, up from 341 initially. The attack was elegantly engineered: malicious skills used professional documentation, high star counts, and innocuous names like “solana-wallet-tracker” to appear legitimate. Once installed, they silently deployed keyloggers on Windows machines or the Atomic Stealer (AMOS) malware on macOS.

Separately, Snyk found that 283 skills (7.1% of the registry) leaked sensitive credentials — API keys, OAuth tokens, and passwords — in plaintext within their code. On February 7, OpenClaw partnered with VirusTotal to audit ClawHub and remove confirmed malicious skills. Cisco’s security team published documented evidence of live exploitation via a malicious skill in February.

Enterprise Exposure

Bitdefender GravityZone telemetry confirmed OpenClaw deployments on corporate endpoints across multiple organizations — representing what security researchers are calling a new form of “Shadow AI” with elevated system privileges. A compromised instance with corporate integrations can pivot into Gmail, Slack, SSH infrastructure, and cloud service APIs from a single exploit.

Chronology

Timeline of the Crisis

Late November 2025
OpenClaw launches publicly (as Clawdbot)
The tool explodes in popularity, crossing 20,000 GitHub stars in one day. A Kaspersky security audit identifies 512 vulnerabilities, 8 critical. The project is rebranded to Moltbot, then OpenClaw after trademark disputes.

January 30, 2026
CVE-2026-25253 patched (v2026.1.29) — before public disclosure
Three high-impact security advisories are released simultaneously, covering the RCE chain and two command injection flaws. Self-hosted users without auto-update remain exposed.

February 3, 2026
CVE-2026-25253 publicly disclosed by SecurityWeek
Censys finds 21,000+ publicly exposed instances. SecurityScorecard later documents 135,000+ across 82 countries. Mass exploitation risk becomes front-page security news.

Early–Mid February 2026
ClawHavoc supply-chain campaign identified; v2026.2.12 major patch
Koi Security discovers 341+ malicious skills. OpenClaw partners with VirusTotal. Version 2026.2.12 patches 40+ vulnerabilities including mandatory browser authentication and SSRF deny policies.

February 14, 2026
Creator joins OpenAI; project moves to independent foundation
Steinberger announces he is joining OpenAI to lead personal agent development. Security patching continues under the foundation’s stewardship.

February 18, 2026
Endor Labs publishes six additional CVEs
Ratings range from moderate to high severity. Oasis Security discloses the “ClawJacked” brute-force token flaw; OpenClaw patches it within 24 hours in v2026.2.25.

March 1 – March 28, 2026
Ongoing advisories; CVE-2026-22172 (CVSS 9.9) disclosed
CVE-2026-22172 — one of the highest CVSS scores assigned to any OpenClaw flaw — allows WebSocket clients to self-declare admin scopes without server-side authentication. Fixed in v2026.3.12, the current recommended minimum version.

Root Causes

Why OpenClaw Is Structurally Vulnerable

Security researchers have identified several architectural patterns that make OpenClaw persistently susceptible, beyond any individual bug:

No Automatic Updates

Self-hosted OpenClaw has no auto-update mechanism. Every security patch requires a user to notice the advisory, decide to act, and execute the update correctly. Most self-hosted installs run weeks or months behind the current release.

Multiple Execution Surfaces Across Platforms

OpenClaw runs on macOS, Windows, and Linux, with components in Swift, Node.js, and shell scripting. Platform-specific CVEs — like CVE-2026-22176 (Windows only) and CVE-2026-22179 (macOS only) — risk never being applied by users on the unaffected platform who assume a given patch “doesn’t apply to them.”

The Localhost Misconception

Many users assumed binding OpenClaw to the loopback interface (127.0.0.1) provided adequate protection. As CVE-2026-25253 demonstrated, this is false. The exploit routes through the victim’s browser, which has no such cross-origin restriction for WebSocket connections. Any page a user visits can silently connect to a localhost OpenClaw instance.

An Open Plugin Marketplace

ClawHub launched with minimal vetting. The ClawHavoc campaign exploited this directly, with professional-looking malicious skills accumulating stars and positive reviews before being identified. The marketplace’s open model is a structural supply-chain risk.

What To Do

Security Recommendations for OpenClaw Users

  1. Update to v2026.3.12 or later immediately. This is the minimum safe version as of late March 2026. Earlier versions contain CVE-2026-22172 (CVSS 9.9) and CVE-2026-22179. Run openclaw update or download from the official GitHub repository.
  2. Rotate all credentials if you ran a vulnerable version. Check logs for unexpected system.run calls. Treat all API keys, OAuth tokens, and passwords that OpenClaw had access to as potentially compromised. Regenerate any .cmd batch files created before v2026.2.19 on Windows.
  3. Enable authentication. Many exposed instances run with no authentication whatsoever — a default that is now documented as a major risk factor. The loopback binding is not a substitute for gateway authentication.
  4. Audit your installed Skills. Remove any unrecognized or recently installed plugins from ClawHub. Cross-reference against VirusTotal and the Koi Security ClawHavoc indicators. More than 820 malicious skills have been confirmed; the number may be higher.
  5. Never browse untrusted sites while the OpenClaw Control UI is open. Use a separate browser profile for the Control UI entirely. This is the primary attack vector for CVE-2026-25253 and similar WebSocket hijacking flaws.
  6. Apply network isolation. Block public internet access to OpenClaw’s default port (18789) using a firewall. Instances should not be internet-facing unless absolutely required, and if they are, place them behind a hardened reverse proxy with strict Origin validation.
  7. Apply the principle of least privilege. Limit Docker container permissions. Avoid granting full “god mode” shell access unless necessary. Restrict which identities hold operator.write scope.
  8. Run openclaw doctor after updating. This checks for configuration issues, including warnings about approval settings or sandboxing that may have been disabled during a prior compromise.

Current Minimum Safe Version

As of March 28, 2026, the minimum recommended version is v2026.3.12. This release closes CVE-2026-22172 (admin scope self-declaration, CVSS 9.9) and CVE-2026-22179 (macOS RCE via command substitution), in addition to all previously patched vulnerabilities.
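
Recommendations 3 and 6 above, and the localhost misconception described under Root Causes, come down to one server-side check that the browser will not make for you: validate the Origin header and the bearer token at the WebSocket Upgrade step, before any frames are exchanged. The following is an added example, not OpenClaw’s code; the allowed-origin list, the header handling and the token format are assumptions.

```javascript
// Added example, not OpenClaw's code. Gate for the HTTP Upgrade step of a
// gateway, or of a reverse proxy placed in front of the default port 18789.
// Browsers apply no cross-origin restriction to WebSocket handshakes, so the
// server must check the Origin header itself, and the bearer token on top.
const GATEWAY_PORT = 18789;
// Assumed allowlist: the Control UI's own origin(s), nothing else.
const DEFAULT_ORIGINS = new Set(['http://127.0.0.1:18789', 'http://localhost:18789']);

// Constant-time comparison so a token check leaks no prefix-match timing.
function tokenMatches(presented, expected) {
  if (typeof presented !== 'string' || presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  return diff === 0;
}

// Pure decision (testable without sockets). `headers` uses lower-case keys,
// as Node's IncomingMessage provides them.
function upgradeDecision(headers, expectedToken, allowedOrigins = DEFAULT_ORIGINS) {
  const origin = headers.origin;
  // A browser always sends Origin on a WebSocket handshake, so a page on any
  // other site is refused here even when the gateway is bound to loopback.
  // No Origin means a non-browser client; the token alone must authenticate it.
  if (origin !== undefined && !allowedOrigins.has(origin)) {
    return { ok: false, status: 403, reason: 'Forbidden', detail: 'origin not allowed' };
  }
  const auth = headers.authorization || '';
  const token = auth.startsWith('Bearer ') ? auth.slice('Bearer '.length) : null;
  if (!tokenMatches(token, expectedToken)) {
    return { ok: false, status: 401, reason: 'Unauthorized', detail: 'missing or wrong token' };
  }
  return { ok: true };
}

// Stand-alone wiring: binds to loopback and refuses bad handshakes before any
// WebSocket frame is exchanged. require() is deferred so the decision logic
// above loads in any module system.
function startGateway(expectedToken, bind = '127.0.0.1') {
  const http = require('node:http');
  const server = http.createServer((req, res) => { res.writeHead(426, { Upgrade: 'websocket' }); res.end(); });
  server.on('upgrade', (req, socket) => {
    const d = upgradeDecision(req.headers, expectedToken);
    if (!d.ok) {
      socket.end(`HTTP/1.1 ${d.status} ${d.reason}\r\nConnection: close\r\n\r\n`);
      return;
    }
    // Accepted: hand `socket` and req.headers['sec-websocket-key'] to the WebSocket library here.
  });
  return server.listen(GATEWAY_PORT, bind);
}
```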

Analysis

The Broader Lesson for AI Agent Security

OpenClaw’s vulnerability cascade is not the result of uniquely bad engineering. It is a foreseeable consequence of a category of software that combines maximum capability — full disk access, terminal execution, third-party service integration — with the deployment model of a casual developer tool and a plugin ecosystem with minimal gatekeeping.

Security researchers have described this combination as the “lethal trifecta”: access to private data, exposure to untrusted content, and the ability to communicate externally. Each element is acceptable in isolation. Combined in a single process that runs with elevated privileges and no automatic updates, they create an attack surface of unusual severity.

The 2026 CVE wave is likely a preview of challenges to come as autonomous AI agents proliferate. The open-source AI community, the CVE assignment system, and enterprise security teams are all, in different ways, not yet equipped to handle vulnerability disclosure at this velocity and this scale. OpenClaw’s crisis has forced a conversation that needed to happen — and the lessons it offers apply far beyond this one project.