OpenClaw’s security track record has gone from bad to catastrophic. According to the OpenClaw CVE Tracker, the popular open-source AI agent now has 156 total security advisories with 28 published CVEs—including 4 critical and 52 high-severity vulnerabilities. Another 128 issues are still awaiting CVE assignment.
Since we last covered OpenClaw’s security crisis on March 19, a fresh batch of high-severity CVEs has been disclosed, revealing sandbox escapes, authentication bypasses, and path traversal attacks that continue to undermine the agent’s security model.
The Latest Wave: March 19-21 Disclosures
The past week brought multiple new HIGH-severity vulnerabilities:
CVE-2026-32064: VNC Without Authentication (CVSS 8.5)
OpenClaw’s sandbox browser launches x11vnc without authentication for noVNC observer sessions. Anyone on the host loopback interface can connect to the VNC port and observe—or interact with—sandbox browser sessions without credentials.
Affected versions: prior to 2026.2.21
CVE-2026-32056: Sandbox Escape via Environment Variables (CVSS 7.5)
The system.run function fails to sanitize HOME and ZDOTDIR environment variables. Attackers can inject malicious shell startup files (like .bash_profile or .zshenv) to execute arbitrary code before allowlist-evaluated commands run—effectively bypassing the entire command allowlist.
Affected versions: prior to 2026.2.22
CVE-2026-32013: Symlink Traversal (CVSS 8.7)
The agents.files.get and agents.files.set methods allow reading and writing files outside the agent workspace via symlink traversal. Attackers can access arbitrary host files within the gateway process permissions, potentially enabling code execution through file overwrite attacks.
Affected versions: prior to 2026.2.25
CVE-2026-22172: WebSocket Scope Elevation (CVSS 9.4 - CRITICAL)
A critical scope elevation flaw in WebSocket shared-auth connections allows attackers to gain elevated privileges. This is one of four critical-severity vulnerabilities now tracked for OpenClaw.
The Full Picture
The CVE tracker paints a grim picture:
| Severity | Count |
|---|---|
| Critical | 4 |
| High | 52 |
| Medium | 88 |
| Low | 12 |
| Total Published | 28 |
| Awaiting CVE | 128 |
The critical vulnerabilities include:
- CVE-2026-28363 (CVSS 9.9):
tools.exec.safeBinsvalidation bypass viasortcommand - CVE-2026-22172 (CVSS 9.4): WebSocket shared-auth scope elevation
- CVE-2026-28474 (CVSS 9.3): Allowlist bypass via actor name spoofing
- CVE-2026-28446 (CVSS 9.2): Voice-call extension inbound allowlist bypass
- CVE-2026-28472 (CVSS 9.2): Device identity check bypass in gateway handshake
The Pattern
Every security layer OpenClaw implements seems to have a bypass. Allowlists get circumvented through environment variables, unsigned fields, or edge cases in command parsing. Authentication checks miss edge cases. Sandbox boundaries get crossed via symlinks or path traversal.
This isn’t one bad vulnerability—it’s a systemic architecture problem. The agent was built for functionality first, with security bolted on afterward. Now every security mechanism is being systematically dismantled by researchers.
What This Means
If you’re running OpenClaw in any capacity approaching production, you need to consider whether the constant update treadmill is sustainable. The project is releasing patches faster than most teams can deploy them, and 128 advisories are still awaiting CVE assignment.
The situation is particularly concerning for organizations that connected OpenClaw to sensitive systems like Slack, email, or cloud services. Each privilege escalation or sandbox escape vulnerability represents potential access to connected systems.
What You Can Do
Immediately:
- Update to version 2026.3.2 or later (the most recent fixes)
- Audit which services OpenClaw has access to
- Check if your instance is internet-accessible (it shouldn’t be)
- Review the CVE tracker for vulnerabilities affecting your version
Longer term:
- Consider whether OpenClaw belongs in your threat model
- Run agents in isolated environments with minimal permissions
- Monitor for unusual activity from agent processes
- Implement network segmentation around agent deployments
For security teams:
- The CVE tracker repository provides machine-readable data for vulnerability management
- Treat OpenClaw instances as high-risk assets requiring enhanced monitoring
The OpenClaw project continues patching vulnerabilities as they’re reported. But with 128 advisories still awaiting CVE assignment and new flaws being discovered weekly, the attack surface isn’t shrinking—it’s being mapped.