OpenClaw's Security Meltdown: 9 CVEs in 4 Days, 135K Exposed Instances, and a Poisoned Marketplace

The fastest-growing GitHub project ever just became the biggest AI agent security disaster of 2026. Here's what happened and why it matters.


OpenClaw went from zero to 346,000 GitHub stars in under five months, passing React to become the most-starred software project on the platform. It has 3.2 million active users and over 500,000 running instances.

It also has 156 security advisories, nine CVEs dropped in a single four-day stretch, a poisoned skills marketplace, and more than 135,000 instances sitting on the open internet with no authentication.

This is what happens when viral growth meets AI agents that run with system-level access.

Nine Vulnerabilities in Four Days

Between March 18 and 21, researchers disclosed nine CVEs targeting OpenClaw. The worst was CVE-2026-22172, scoring 9.9 out of 10 on the CVSS scale. What it does is almost comically simple: when connecting via WebSocket, the server lets the client declare its own permission scopes. An authenticated user could just tell the server “I’m operator.admin” and the server would believe it.

No exploit toolkit. No buffer overflow. No race condition. Just a server that takes your word for who you are.
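The bug pattern behind CVE-2026-22172 is easy to reproduce in miniature. The following is an added example, not OpenClaw's code: a toy WebSocket hello handler that trusts client-declared scopes, next to the fix, where the server's own session record is the only source of authority and a client may narrow its scopes but never widen them. The message shape (`token`, `scopes`), the scope names and the session table are assumptions for illustration, not OpenClaw's actual wire format.

```python
"""Client-declared scopes vs server-derived scopes (added example, not OpenClaw code)."""
from dataclasses import dataclass
from typing import Optional

# Assumed scope vocabulary for the example; only the name operator.admin
# comes from the advisory text.
ALL_SCOPES = frozenset({"operator.read", "operator.write", "operator.admin"})


@dataclass(frozen=True)
class Session:
    user: str
    scopes: frozenset


# Constructed server-side session table. The bearer token is the only thing a
# client presents; the user and its scopes are looked up here, never received.
SESSIONS = {
    "tok-alice": Session("alice", frozenset({"operator.read"})),
    "tok-root": Session("root", ALL_SCOPES),
}


def vulnerable_handshake(hello: dict) -> Optional[Session]:
    """The CVE-2026-22172 pattern: the token is checked, but the scopes the
    client *claims* in the same hello replace the server's record."""
    sess = SESSIONS.get(hello.get("token"))
    if sess is None:
        return None
    # Bug: whatever the client says it is, it becomes.
    return Session(sess.user, frozenset(hello.get("scopes", sess.scopes)))


def hardened_handshake(hello: dict) -> Optional[Session]:
    """Fix: scopes come from the session record. A client may request a
    subset (least privilege for a given connection), but any scope outside
    the record is an escalation attempt and is rejected loudly so it can be
    logged and alerted on, rather than silently trimmed."""
    sess = SESSIONS.get(hello.get("token"))
    if sess is None:
        return None
    requested = frozenset(hello.get("scopes", sess.scopes))
    escalation = requested - sess.scopes
    if escalation:
        raise PermissionError(
            f"{sess.user} attempted to self-declare {sorted(escalation)}")
    return Session(sess.user, requested)


def can_admin(sess: Session) -> bool:
    return "operator.admin" in sess.scopes


if __name__ == "__main__":
    evil = {"token": "tok-alice", "scopes": ["operator.admin"]}
    print("vulnerable grants admin:", can_admin(vulnerable_handshake(evil)))
    try:
        hardened_handshake(evil)
    except PermissionError as e:
        print("hardened rejects:", e)
```

The hardened version deliberately raises instead of ignoring the extra scope: a connection that asks for `operator.admin` with a read-only token is a detection signal, and a gateway that quietly downgrades it throws that signal away.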

Here’s the full list:

| CVE | CVSS | What It Does |
| --- | --- | --- |
| CVE-2026-22172 | 9.9 Critical | WebSocket scope self-declaration — any user becomes admin |
| CVE-2026-32051 | 8.8 High | Privilege escalation to owner-only functions |
| CVE-2026-22171 | 8.2 High | Path traversal enabling arbitrary file writes |
| CVE-2026-32025 | 7.5 High | Browser-based brute-force session hijacking (“ClawJacked”) |
| CVE-2026-32048 | 7.5 High | Sandbox escape — sandboxed sessions spawn unsandboxed children |
| CVE-2026-32049 | 7.5 High | Oversized media payload crashes service without authentication |
| CVE-2026-32032 | 7.0 High | Untrusted SHELL variable allows arbitrary execution |
| CVE-2026-29607 | 6.4 Medium | Allow-always wrapper bypass permits RCE |
| CVE-2026-28460 | 5.9 Medium | Shell continuation characters bypass command allowlist |

Six of these are high severity. The critical one needed nothing more than an authenticated connection and a lie.

The ClawJacked Attack

CVE-2026-32025 deserves special attention because it breaks a fundamental assumption: that localhost means safe.

OpenClaw’s gateway trusted any connection originating from localhost. The problem? Websites can also originate connections from localhost. If you visited a malicious webpage while running OpenClaw, JavaScript on that page could open a WebSocket connection to your local gateway, brute-force the authentication token at hundreds of attempts per second with no rate limiting, and take full administrative control of your instance.

Your browser becomes the attack vector. Your AI agent becomes the target.
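Two controls at the WebSocket upgrade break the chain described above: an `Origin` allowlist, so a web page cannot drive a local gateway just because the TCP connection comes from 127.0.0.1, and a cap on failed token attempts per client, so a brute force cannot run at hundreds of guesses a second. The following is an added example, not OpenClaw's code; the `Origin` header is standard HTTP, but the allowlist contents, the token, the limits and the `authenticate_upgrade` function are assumptions for illustration.

```python
"""Origin allowlist + failed-attempt limiter for a localhost gateway
(added example, not OpenClaw code)."""
import hmac
import time
from collections import defaultdict

# Assumed origins of the gateway's own web UI. Anything else from a browser is
# some other site's JavaScript, even though the socket itself is loopback.
ALLOWED_ORIGINS = {"http://localhost:18789", "http://127.0.0.1:18789"}
GATEWAY_TOKEN = "constructed-secret-token"  # constructed; never embed a real one


def origin_allowed(headers: dict) -> bool:
    """Browsers always send Origin on a WebSocket upgrade and scripts cannot
    remove it, so a browser origin outside the allowlist is rejected. A
    missing Origin means a non-browser client (CLI, native app); those are
    not the ClawJacked threat and fall through to token authentication."""
    origin = headers.get("Origin")
    if origin is None:
        return True
    return origin in ALLOWED_ORIGINS


class FailureLimiter:
    """Sliding-window limit on failed authentication attempts per client key.
    A clock is injected so the behaviour is testable without sleeping."""

    def __init__(self, max_failures=5, window_s=60.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.clock = clock
        self._fails = defaultdict(list)

    def blocked(self, key) -> bool:
        now = self.clock()
        recent = [t for t in self._fails[key] if now - t < self.window_s]
        self._fails[key] = recent
        return len(recent) >= self.max_failures

    def record_failure(self, key) -> None:
        self._fails[key].append(self.clock())


def authenticate_upgrade(headers: dict, presented_token: str,
                         client_key: str, limiter: FailureLimiter) -> str:
    """Returns 'ok', 'bad-origin', 'rate-limited' or 'bad-token'. Order
    matters: the origin check is free and runs first, the limiter runs before
    the token compare so a blocked client learns nothing from its guesses."""
    if not origin_allowed(headers):
        return "bad-origin"
    if limiter.blocked(client_key):
        return "rate-limited"
    # Constant-time compare so timing does not leak token prefix matches.
    if not hmac.compare_digest(presented_token, GATEWAY_TOKEN):
        limiter.record_failure(client_key)
        return "bad-token"
    return "ok"


if __name__ == "__main__":
    lim = FailureLimiter(max_failures=3)
    page = {"Origin": "https://attacker.invalid"}  # constructed hostile origin
    print(authenticate_upgrade(page, GATEWAY_TOKEN, "browser", lim))  # bad-origin
```

On a loopback-only gateway every browser connection shares the peer address 127.0.0.1, so the limiter key is effectively global; for a single-user agent that is acceptable, and it is exactly the property that makes an unthrottled brute force from a web page cheap in the first place.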

135,000 Instances Naked on the Internet

OpenClaw ships with a default that security engineers would call insane: it binds to 0.0.0.0:18789, meaning it listens on all network interfaces. Unless you explicitly restrict it, your AI agent is accessible from the public internet.

SecurityScorecard found more than 135,000 publicly exposed instances across 82 countries. Of those, over 50,000 were exploitable via remote code execution. More than 53,000 correlated with prior breach activity. About 63% were running with zero authentication.

Roughly 30% of exposed instances were in China on Alibaba Cloud. The US had the largest national share.

For a tool designed to modify systems, automate tasks, and interact with connected devices, exposing it to the internet by default is a fundamental design failure.

The Poisoned Marketplace

The vulnerabilities alone would be bad enough. But OpenClaw also has ClawHub, a public marketplace for “skills” — plugins that extend agent capabilities. Attackers saw an opportunity.

A coordinated campaign called ClawHavoc planted 341 malicious skills in ClawHub. That’s roughly 12% of the entire registry of 2,857 skills at the time.

The malicious skills used professional documentation and innocent-sounding names like “solana-wallet-tracker.” Behind the facade, they instructed users to run external code that installed keyloggers on Windows or Atomic Stealer malware on macOS. The campaign was traced to a single coordinated operation — 335 of the 341 malicious skills came from one threat actor group.

This wasn’t a hypothetical supply chain risk. It was an active, large-scale supply chain attack against the most popular AI agent framework on the planet.

The Patch Gap Problem

Here’s the thing that should make you nervous: patches existed before the CVEs were even published. Version 2026.2.22, which fixes five of the nine March CVEs, shipped around February 22. The CVEs referencing it weren’t published until March 19–21 — nearly a month later.

Most self-hosters don’t monitor upstream releases daily. They wait for CVE publications, security advisories, or blog posts. That month-long gap between fix and disclosure means thousands of instances were running vulnerable code even though a patch was available.

The latest critical fix requires version 2026.3.12 at minimum. A subsequent privilege escalation (CVE-2026-33579, CVSS 8.1) needs version 2026.3.28.

Why This Matters Beyond OpenClaw

OpenClaw is the canary in the coal mine for AI agent security. The pattern playing out here — explosive growth, default-insecure configuration, unvetted plugin marketplaces, system-level access — applies to every autonomous agent framework gaining traction right now.

The core problem: AI agents need broad permissions to be useful. They modify files, execute commands, make API calls, access credentials. Every one of those capabilities is a potential attack surface. When the framework itself has privilege escalation bugs, you’re not just running an insecure app — you’re giving attackers a foothold with the same system access your AI agent has.

The jgamblin/OpenClawCVEs tracker lists 156 total security advisories for OpenClaw, with 128 still awaiting CVE assignment. The project has 346,000 GitHub stars and 3.2 million active users. The gap between adoption and security maturity is staggering.

What You Should Do

If you’re running OpenClaw:

  1. Update immediately to at least version 2026.3.28. This covers the critical scope escalation and the latest privilege escalation fix.

  2. Check your network binding. If your instance is accessible from the internet, lock it down to localhost or put it behind a VPN. There is no reason an AI agent should be publicly accessible.

  3. Audit your installed skills. Remove anything you don’t recognize. Cross-reference against the known malicious skills list.

  4. Enable authentication. If you’re in the 63% running without it, fix that today.

  5. Monitor for suspicious device pairings. Look for devices where registration and approval timestamps are within seconds of each other and the approver isn’t a known admin — that’s the CVE-2026-33579 exploit pattern.

  6. Consider whether you need this at all. Self-hosting an AI agent that runs with system-level access is, as OpenClaw’s own security blog put it, “a continuous security commitment, not a set-and-forget deployment.” If you can’t commit to tracking upstream patches, you probably shouldn’t be running it.
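The exposure, patch-gap and device-pairing points above (the 0.0.0.0:18789 default, the 2026.3.28 minimum version, and step 5's pairing pattern) are each a check an operator can script. The following self-audit is an added example, not OpenClaw's tooling. It parses real Linux `ss -ltn` output to find wildcard binds on the gateway port, compares an installed version string against the minimum from this post, and flags pairings approved within seconds by a non-admin. The socket lines and pairing events are constructed samples, and the pairing record fields (`device`, `registered_at`, `approved_at`, `approved_by`) are assumptions, since the post does not describe OpenClaw's log format.

```python
"""Operator self-audit for an OpenClaw-style gateway (added example, not OpenClaw code)."""
from datetime import datetime
from typing import Dict, Iterable, List

GATEWAY_PORT = 18789            # default from the post
MINIMUM_VERSION = "2026.3.28"   # minimum from the post
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

# Constructed sample of `ss -ltn` output (a real Linux command); on a live
# host you would feed it subprocess.run(["ss", "-ltn"], ...).stdout instead.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*
LISTEN 0      4096   [::]:18789          [::]:*
"""

# Constructed pairing events with assumed field names.
SAMPLE_PAIRINGS = [
    {"device": "phone-1", "registered_at": "2026-03-30T10:00:00+00:00",
     "approved_at": "2026-03-30T10:04:12+00:00", "approved_by": "alice"},
    {"device": "unknown-7", "registered_at": "2026-03-30T11:00:00+00:00",
     "approved_at": "2026-03-30T11:00:01+00:00", "approved_by": "svc-web"},
    {"device": "laptop-2", "registered_at": "2026-03-30T12:00:00+00:00",
     "approved_at": "2026-03-30T12:00:02+00:00", "approved_by": "alice"},
]
KNOWN_ADMINS = {"alice"}  # constructed


def wildcard_binds(ss_output: str, port: int = GATEWAY_PORT) -> List[str]:
    """Local addresses on `port` that listen on every interface."""
    found = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        addr, _, lport = cols[3].rpartition(":")   # handles [::]:18789 too
        if lport == str(port) and addr in WILDCARD_ADDRS:
            found.append(cols[3])
    return found


def version_tuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def needs_update(installed: str, minimum: str = MINIMUM_VERSION) -> bool:
    """Numeric, not lexical, comparison: '2026.3.9' < '2026.3.28'."""
    return version_tuple(installed) < version_tuple(minimum)


def suspicious_pairings(events: Iterable[Dict], admins: set,
                        max_gap_s: float = 5.0) -> List[str]:
    """Step 5's pattern: approval within seconds of registration, by someone
    who is not a known admin. Fast approval by an admin alone is not flagged."""
    flagged = []
    for ev in events:
        reg = datetime.fromisoformat(ev["registered_at"])
        app = datetime.fromisoformat(ev["approved_at"])
        gap = (app - reg).total_seconds()
        if 0 <= gap <= max_gap_s and ev["approved_by"] not in admins:
            flagged.append(ev["device"])
    return flagged


def run_audit(ss_output: str = SAMPLE_SS, installed_version: str = "2026.3.12",
              pairings: Iterable[Dict] = SAMPLE_PAIRINGS) -> Dict:
    return {
        "wildcard_binds": wildcard_binds(ss_output),
        "needs_update": needs_update(installed_version),
        "suspicious_pairings": suspicious_pairings(pairings, KNOWN_ADMINS),
    }


if __name__ == "__main__":
    for k, v in run_audit().items():
        print(f"{k}: {v}")
```

Any non-empty `wildcard_binds` result means the gateway is reachable on every interface the host has, which is the condition behind the 135,000-instance exposure count; a loopback bind shows up as `127.0.0.1:18789` and is not flagged.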

The AI agent gold rush is here. OpenClaw’s security crisis is just the first major warning sign. It won’t be the last.