When we first covered OpenClaw’s security problems in February, it was one critical CVE and 135,000 exposed instances. Six weeks later, the situation is significantly worse: nine CVEs disclosed in four days, including one scored 9.9, and 12% of its entire skill marketplace confirmed as malware.
Separately, Check Point Research disclosed a ChatGPT vulnerability that allowed silent data exfiltration through DNS tunneling — turning ordinary conversations into covert data-collection channels. OpenAI patched it in February, but the technique raises questions about what other AI platforms might be vulnerable to the same approach.
OpenClaw: Nine CVEs in Four Days
Between March 18 and March 21, researchers dropped nine vulnerabilities affecting OpenClaw’s core platform. The severity breakdown:
| CVE | CVSS | What It Does |
|---|---|---|
| CVE-2026-22172 | 9.9 Critical | WebSocket scope self-declaration lets any authenticated user gain full admin access |
| CVE-2026-32051 | 8.8 High | Privilege escalation from operator.write to owner-only surfaces |
| CVE-2026-22171 | 8.2 High | Path traversal in Feishu media download enables arbitrary file write |
| CVE-2026-32032 | 7.0 High | Untrusted SHELL variable causes arbitrary shell execution on shared hosts |
| CVE-2026-32025 | 7.5 High | WebSocket brute-force with absent rate limiting enables session hijacking |
| CVE-2026-32048 | 7.5 High | Sandbox escape — sandboxed sessions can spawn unsandboxed child processes |
| CVE-2026-32049 | 7.5 High | Oversized media payload crashes service without authentication |
| CVE-2026-29607 | 6.4 Medium | Allow-always wrapper bypass permits payload swaps and RCE |
| CVE-2026-28460 | 5.9 Medium | Allowlist bypass via shell line-continuation characters leads to command injection |
The worst of the batch, CVE-2026-22172, allowed any authenticated user to self-declare admin-level WebSocket scopes with zero authorization checks. If your OpenClaw instance had multiple users, any of them could have silently promoted themselves to full control.
CVE-2026-32048 is equally concerning. The sandbox — OpenClaw’s primary security boundary — could be bypassed by spawning child processes that inherited no sandbox restrictions. Any malicious skill running inside the sandbox could break out.
Several of these were patched in version 2026.2.22, weeks before the CVEs were publicly assigned. But the critical privilege escalation (CVE-2026-22172) wasn’t fixed until version 2026.3.12. If you updated in late February and stopped there, you’re still exposed to the worst one.
341 Malicious Skills: The Supply Chain Problem
The CVEs are only half the story. Security researchers auditing OpenClaw’s ClawHub marketplace found 341 malicious skills out of 2,857 total — roughly 12% of the entire registry.
The payloads included:
- Credential stealers — primarily Atomic macOS Stealer (AMOS), targeting macOS keychain data, browser passwords, and cryptocurrency wallets
- Keyloggers capturing user input across the system
- Data exfiltration tools that silently uploaded files to external servers
- Prompt injection payloads embedded in skill descriptions, manipulating the AI agent’s behavior
- Plaintext credential leaks — over 280 skills exposing API keys, tokens, and passwords in their source code
The most-downloaded malicious skill was a cryptocurrency stealer disguised as a productivity tool.
This happened because ClawHub had no meaningful vetting process. Anyone could publish a skill. OpenClawd (the company behind OpenClaw) has since shipped a verified skill screening system, but the damage window was wide open for weeks during the platform’s peak growth.
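One way a defender can triage installed skills before the registry's own screening catches up is to scan each skill's source for committed credentials and to check its hash against a known-bad list. The script below is an added example written for this article, not OpenClawd's screening code or any ClawHub tooling; the skill sources, the SHA-256 denylist and the secret patterns are all constructed placeholders, and a real audit would load the vendor's malicious-skill list and the actual skill directory instead.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed sample "skills": name -> source text. These are not real ClawHub skills.
SAMPLE_SKILLS = {
    "calendar-helper": 'import requests\nAPI_KEY = "sk-live-0123456789abcdef0123456789abcdef"\n',
    "note-taker": "def run(text):\n    return text.upper()\n",
    "wallet-sync": "def run(_):\n    return 'syncing wallet'\n",
}

# Constructed denylist keyed by SHA-256 of the skill source. A real one would be
# populated from the published malicious-skill list (placeholder value here).
KNOWN_BAD_SHA256 = {
    hashlib.sha256(SAMPLE_SKILLS["wallet-sync"].encode()).hexdigest(),
}

# Patterns for credentials committed in plaintext; tune lengths for your registry.
SECRET_PATTERNS = [
    ("generic credential assignment",
     re.compile(r'(?i)(api[_-]?key|token|secret|password)\s*[=:]\s*["\'][^"\']{16,}["\']')),
    ("bearer token", re.compile(r'(?i)bearer\s+[A-Za-z0-9\-_.=]{20,}')),
    ("private key block", re.compile(r'-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----')),
]


@dataclass
class Finding:
    skill: str
    kind: str      # "known-malicious" or "plaintext-credential"
    detail: str


def audit_skill(name, source):
    """Return the findings for one skill: denylist hit first, then leaked secrets."""
    findings = []
    digest = hashlib.sha256(source.encode()).hexdigest()
    if digest in KNOWN_BAD_SHA256:
        findings.append(Finding(name, "known-malicious", f"sha256={digest[:16]}..."))
    for label, pattern in SECRET_PATTERNS:
        for match in pattern.finditer(source):
            # Truncate the matched text so the report itself does not reproduce the secret.
            findings.append(Finding(name, "plaintext-credential", f"{label}: {match.group(0)[:24]}..."))
    return findings


def audit_all(skills):
    """Map each skill name to its list of findings (empty list means nothing flagged)."""
    return {name: audit_skill(name, source) for name, source in skills.items()}


if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE_SKILLS).items():
        print(f"{'OK' if not findings else 'REVIEW':6} {name}")
        for f in findings:
            print(f"       - {f.kind}: {f.detail}")
```

The hash check only catches byte-identical copies of known-bad skills, so treat it as a fast first pass; the credential patterns are the part that generalises to skills nobody has reported yet, and anything flagged `REVIEW` should be uninstalled until a human has read it.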
ChatGPT’s DNS Tunneling Flaw
In a separate disclosure, Check Point Research found that ChatGPT’s code execution sandbox had a hidden outbound channel through DNS resolution.
The sandbox blocked direct internet connections, but DNS queries were left open for normal operations. Attackers could encode sensitive data into DNS subdomain labels — a technique called DNS tunneling — to silently extract conversation data, uploaded files, and model-generated content.
The attack worked like this:
- A malicious prompt (disguised as a productivity tip or hidden in a Custom GPT) activated the exfiltration channel
- The prompt triggered code execution that encoded conversation data into DNS subdomain queries
- Those queries resolved through normal DNS infrastructure to attacker-controlled servers
- The user saw nothing unusual — no network errors, no warnings, no permission prompts
Check Point demonstrated a proof-of-concept where a “personal doctor” Custom GPT extracted patient names and medical assessments from uploaded PDFs without any visible sign of data theft. The same channel was bidirectional — attackers could send commands back into the container, establishing a remote shell that bypassed ChatGPT’s safety filters entirely.
OpenAI confirmed prior internal identification and deployed a fix on February 20, 2026. There’s no evidence of in-the-wild exploitation. But the vulnerability illustrates how side-channel attacks against AI sandboxes can undermine even well-designed isolation.
Every AI platform that runs user code in sandboxed containers should be auditing its DNS resolution paths. If ChatGPT’s sandbox had this gap, others might too.
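Auditing the DNS path means more than checking the firewall rule: the resolver logs from a sandbox host should be watched for the signature the technique leaves, which is many distinct, long, high-entropy subdomain labels under one base domain from one client. The detector below is an added example written for this article, not Check Point's proof of concept or any OpenAI code; the resolver log lines are constructed, the `example-exfil.test` domain is a placeholder, and the thresholds are starting points to tune against your own baseline.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log: "<timestamp> <client> <qname>". Not real telemetry.
SAMPLE_LOG = """\
2026-03-20T10:00:01Z 10.0.0.7 pypi.org
2026-03-20T10:00:02Z 10.0.0.7 files.pythonhosted.org
2026-03-20T10:00:03Z 10.0.0.9 mfrgg43fmzqw4zjaorugs3thfy.c.example-exfil.test
2026-03-20T10:00:04Z 10.0.0.9 nbswy3dpeb3w64tmmqxhi5lsmfsq.c.example-exfil.test
2026-03-20T10:00:05Z 10.0.0.9 onswy3dpeb3w64tmmqxhi5lsmfsr.c.example-exfil.test
2026-03-20T10:00:06Z 10.0.0.9 ovswy3dpeb3w64tmmqxhi5lsmfss.c.example-exfil.test
2026-03-20T10:00:07Z 10.0.0.7 pypi.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; encoded payloads score far above dictionary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def base_domain(qname):
    # Last two labels stand in for the registrable domain; use a public-suffix list in production.
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:])


def parse(log):
    """Yield (timestamp, client, qname) for each well-formed log line."""
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3).lower()


def score_queries(log, max_label_len=20, min_entropy=3.5, min_unique=3):
    """Return base domains whose query pattern looks like an encoded data channel."""
    unique_subs = defaultdict(set)
    clients = defaultdict(set)
    suspicious_labels = defaultdict(int)
    for _, client, qname in parse(log):
        base = base_domain(qname)
        sub = qname[: -len(base) - 1] if qname != base else ""
        unique_subs[base].add(sub)
        clients[base].add(client)
        for label in (sub.split(".") if sub else []):
            # Long labels packed with high-entropy text are the hallmark of encoded payload chunks.
            if len(label) > max_label_len and shannon_entropy(label) >= min_entropy:
                suspicious_labels[base] += 1
    alerts = {}
    for base, subs in unique_subs.items():
        # Require both: suspicious labels AND churn in unique subdomains (a CDN has one, a tunnel has many).
        if suspicious_labels[base] and len(subs) >= min_unique:
            alerts[base] = {
                "unique_subdomains": len(subs),
                "high_entropy_labels": suspicious_labels[base],
                "clients": sorted(clients[base]),
            }
    return alerts


if __name__ == "__main__":
    for base, info in score_queries(SAMPLE_LOG).items():
        print(f"ALERT {base}: {info}")
```

Detection is the second line; the first is the egress policy. Sandbox containers should be able to reach only a resolver you operate, and that resolver should answer from an allowlist of package mirrors and nothing else, so a tunnel never reaches an attacker's authoritative server in the first place. The script is still worth running on the resolver's logs, because the page's point is that the channel was open precisely where everyone assumed it was closed.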
The Numbers Are Telling
A Darktrace survey released this month found that 92% of security professionals are concerned about AI agent security — and 1 in 8 companies that deployed AI agents have already experienced a breach linked to those systems. Meanwhile, the OECD has formally logged OpenClaw’s security incidents in its AI incident database, marking it as a case study in what happens when viral adoption outpaces security engineering.
An analysis of over 30,000 AI agent skills found that more than a quarter contained at least one vulnerability. That’s not an OpenClaw-specific problem. That’s the entire AI agent ecosystem.
What You Should Do
If you run OpenClaw:
- Update to at least version 2026.3.12 — anything older is missing the critical privilege escalation fix
- Audit every installed skill against the malicious skill list. Uninstall anything unverified
- Rotate all credentials the agent has access to — API keys, tokens, messaging app connections
- Enable the verified skill screening if you haven’t already
- Run OpenClaw in a Docker container with restricted permissions. Don’t give it more access than it needs
If you use ChatGPT:
- The DNS tunneling flaw is patched — no action needed on that specific issue
- Be cautious with Custom GPTs from unknown publishers. They remain the primary vector for prompt injection attacks
- Don’t paste prompts from untrusted sources claiming to “unlock” features
- Audit any Custom GPTs handling sensitive data (medical records, financial information, legal documents)
For everyone building AI agent systems:
- Audit DNS paths in sandboxed environments. Blocking HTTP isn’t enough if DNS is open
- Implement skill/plugin vetting before marketplace launch, not after a breach
- Treat AI agents like privileged services: least-privilege access, network isolation, monitoring
- Rate-limit authentication attempts from all sources, including localhost
- Never let a client self-declare its own permission scopes
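The last two points above describe the gateway logic that CVE-2026-22172 and CVE-2026-32025 were missing: scopes must be derived on the server from the authenticated identity, and every connect attempt must be rate-limited by source with no carve-out for localhost. The sketch below is an added example written for this article, not OpenClaw's gateway code; the token store, role names and scope strings (`operator.read`, `operator.write`, `admin`) are constructed placeholders, and the limiter is in-memory for illustration where a real deployment would back it with shared state.

```python
import time
from collections import defaultdict, deque

# Constructed token store: token -> (user, role). A real gateway would consult its auth backend.
USERS = {"tok-alice": ("alice", "owner"), "tok-bob": ("bob", "operator")}

# Scopes are a server-side function of the role. Nothing in the client frame can add to them.
ROLE_SCOPES = {
    "owner": {"operator.read", "operator.write", "admin"},
    "operator": {"operator.read", "operator.write"},
}


class AuthRateLimiter:
    """Sliding-window limiter keyed by source address; 127.0.0.1 gets no exemption."""

    def __init__(self, max_attempts=5, window_seconds=60, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock            # injectable so the window can be tested deterministically
        self.attempts = defaultdict(deque)

    def allow(self, source):
        now = self.clock()
        q = self.attempts[source]
        while q and now - q[0] > self.window:
            q.popleft()               # forget attempts that have aged out of the window
        if len(q) >= self.max_attempts:
            return False
        q.append(now)
        return True


class AuthError(Exception):
    pass


def handle_connect(frame, source, limiter):
    """Authenticate a connect frame and return the session the server decides to grant."""
    if not limiter.allow(source):
        raise AuthError("rate limited")
    token = frame.get("token")
    user = USERS.get(token)
    if user is None:
        raise AuthError("invalid token")
    name, role = user
    granted = ROLE_SCOPES[role]
    # The client may *request* scopes, but the request only affects reporting:
    # granted scopes come from the role mapping, never from the frame itself.
    requested = set(frame.get("scopes", []))
    return {
        "user": name,
        "role": role,
        "scopes": sorted(granted),
        "rejected_requested": sorted(requested - granted),
    }


def authorize(session, scope):
    """Per-message check: every privileged operation consults the server-issued session."""
    return scope in session["scopes"]


def try_connect(frame, source, limiter):
    """Convenience wrapper returning (ok, session_or_reason) instead of raising."""
    try:
        return True, handle_connect(frame, source, limiter)
    except AuthError as e:
        return False, str(e)


if __name__ == "__main__":
    limiter = AuthRateLimiter(max_attempts=3)
    print(try_connect({"token": "tok-bob", "scopes": ["admin"]}, "127.0.0.1", limiter))
    for _ in range(3):
        print(try_connect({"token": "guess"}, "127.0.0.1", limiter))
```

The limiter counts every attempt rather than only failures, which is the stricter choice for a handshake endpoint where a valid client reconnects rarely; log the `rejected_requested` field, because a client repeatedly asking for `admin` it does not hold is exactly the signal you want in front of an analyst.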