News

OpenClaw Security Crisis 2026: What Happened and Lessons Learned

February 23, 20265 min readReviewed March 8, 2026

Critical Security Analysis: This article examines the security vulnerabilities that affected OpenClaw in early 2026, how they were discovered, and what the community learned from the incident.

40,000+

Exposed Instances

512

Vulnerabilities Found

8.8

CVSS Score (Critical)

341

Malicious Skills

The Crisis Begins: January 2026

In late January 2026, as OpenClaw was experiencing explosive growth—reaching over 200,000 GitHub stars in record time—security researchers began sounding alarms. What emerged was one of the most significant security crises in the open-source AI community.

CVE-2026-25253: The One-Click RCE

The most critical vulnerability, CVE-2026-25253, was discovered by security researcher Henrique Branquinho in approximately 1 hour 40 minutes of analysis[1].

CVSS 8.8 (Critical)
Attackers could execute arbitrary code by tricking victims into visiting a malicious webpage—even when OpenClaw was bound to localhost only.

The attack vector worked through malicious URLs containing a gatewayUrl parameter that could steal authentication tokens via WebSocket connections. This meant:

Users visiting malicious websites could trigger the attack
Even localhost-only bindings were vulnerable
Attackers gained remote code execution capabilities

Affected versions: ≤ v2026.1.28
Fixed in: v2026.1.29

Kaspersky's Devastating Audit

Around the same time, Kaspersky Lab released a security audit that painted a grim picture[2]:

512 total vulnerabilities discovered across the codebase
8 rated as critical or severe
Tens of thousands of unauthenticated OpenClaw instances exposed via Shodan

The exposed data included:

API keys for Claude, OpenAI, and other providers
Message platform bot tokens
Slack credentials and workspace access
Complete chat histories

Bitsight Analysis: 30,000+ Exposed Gateways

Security firm Bitsight conducted an analysis that found 30,000+ OpenClaw instances publicly exposed on the internet[3]. Perhaps most alarming: many had no authentication whatsoever.

Geographic Distribution:
China ranked #2 with 2,990 exposed instances as of January 29, 2026. The United States had the highest number of exposed instances.

The ClawHavoc Attack Campaign

Security researchers at Koi Security discovered "ClawHavoc"—an attack campaign targeting OpenClaw users through the ClawHub skill marketplace[4]:

~341 out of 2,857 skills (12%) confirmed as malicious
Malicious skills deployed keyloggers and Atomic Stealer malware
Snyk found 283 skills (7.1%) leaking sensitive credentials in plaintext

Other Critical Vulnerabilities

Beyond CVE-2026-25253, multiple other security issues were identified:

CVE/Vulnerability	Type
`CVE-2026-25157`	Remote command execution
`CVE-2026-24763`	Command injection
Gateway Auth Bypass	Active from initial release until Jan 29, 2026
SSRF Vulnerabilities	IPv6, NAT64 affected
Discord Privilege Escalation	Permission bypass
Webhook Path Traversal	File system access
Windows Daemon Command Injection	Windows-specific RCE

The Community Response

The OpenClaw community and project maintainers responded rapidly:

Patches released within 72 hours of critical vulnerability disclosure
SHA-1 replaced with SHA-256 for hashing
Docker sandbox hardening implemented
VNC password authentication added
Owner-ID obfuscation with independent HMAC keys

Lessons Learned

1. Default Security Matters

Many users deployed OpenClaw without enabling authentication, assuming localhost binding was sufficient. The security crisis demonstrated that defense in depth is essential—even for local-only services.

2. Supply Chain Security is Critical

The ClawHavoc campaign showed that malicious third-party skills pose a significant threat. Users must be cautious about installing unverified code.

3. Rapid Response Saves Lives

The OpenClaw team's ability to patch vulnerabilities within 72 hours likely prevented many more incidents. However, the initial lack of security-by-design allowed these vulnerabilities to exist in the first place.

4. Transparency Builds Trust

Despite the severity of the vulnerabilities, the project's openness about issues and rapid fixes helped maintain community trust.

How to Protect Your OpenClaw Instance

Based on the lessons from this crisis, here are essential security practices:

Always update to the latest version immediately
Enable authentication—never expose gateways without it
Use allowlists to restrict who can interact with your agent
Review skills carefully before installing from ClawHub
Avoid running as root/administrator
Use Docker isolation when possible
Monitor for unusual activity in logs

Looking Forward

The 2026 security crisis was a wake-up call for the OpenClaw project and the broader AI agent community. As these tools become more powerful and handle more sensitive data, security must evolve from an afterthought to a foundational requirement.

The OpenClaw team has committed to continuing security improvements, but users must also remain vigilant. The balance between convenience and security will remain an ongoing conversation as personal AI agents become mainstream.

Sources

51CTO Blog - "OpenClaw Vulnerability Allows One-Click Remote Code Execution via Malicious Link" - February 2026
Kaspersky Security Blog - "40,000+ Exposed OpenClaw Instances" - February 2026
Bitsight Security Analysis - OpenClaw Exposure Report (archived)
Koi Security Research - ClawHavoc Attack Campaign Analysis
CSDN Blog - "OpenClaw RCE: Local Agent Security Challenges" - February 2026
21CTO - "OpenClaw Leaking Massive Personal Information" - February 2026

Secure Your OpenClaw Instance

Learn security best practices and harden your installation against known threats.

Security Audit Guide