Six weeks after we reported on OpenClaw’s critical one-click RCE vulnerability, the AI agent platform’s security situation has collapsed entirely. Between March 18 and 21, nine new CVEs were disclosed in just four days—including one rated CVSS 9.9. Meanwhile, security researchers confirmed that 12% of skills in the ClawHub marketplace are malware.
The jgamblin/OpenClawCVEs tracker now lists 156 total security advisories, with 128 still awaiting CVE assignment. OpenClaw has become the poster child for what happens when viral open-source adoption outpaces security review.
## The Nine-CVE Week
The March disclosure wave hit with little warning. While patches had shipped weeks earlier, CVE notifications didn’t arrive until March 19-21—creating a month-long exposure window for self-hosters unaware of upstream updates.
The most severe is CVE-2026-22172, rated CVSS 9.9. The vulnerability is embarrassingly basic: during WebSocket connection setup, clients declare their own permission scopes, and the server trusts them. Any authenticated user—even one with minimal privileges—can simply request admin access and receive it. As one security researcher put it: “any authenticated user on your instance is one WebSocket message away from admin.”
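To make the failure mode concrete, here is an added illustration (not OpenClaw's code) of a connect handler that records client-declared scopes beside one that derives scopes from the server-side identity record; the scope names other than operator.write, the identity table and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import Optional, Set

# Constructed server-side authorization table: which scopes each
# authenticated identity actually holds. In a real gateway this comes
# from the auth store and is never influenced by the connect message.
IDENTITY_SCOPES = {
    "alice": {"operator.read"},
    "bob":   {"operator.read", "operator.write"},
    "owner": {"operator.read", "operator.write", "operator.admin"},
}


class ScopeError(Exception):
    pass


@dataclass(frozen=True)
class Session:
    user: str
    scopes: frozenset


def connect_vulnerable(user: str, requested: Set[str]) -> Session:
    """The self-declared-scopes pattern: authentication is checked, but the
    scopes attached to the session are whatever the client asked for."""
    if user not in IDENTITY_SCOPES:
        raise ScopeError("unauthenticated")
    return Session(user, frozenset(requested))


def connect_hardened(user: str, requested: Set[str]) -> Session:
    """Scopes are bounded by the identity record. A client may narrow its
    session to a subset (least privilege) but can never widen it."""
    if user not in IDENTITY_SCOPES:
        raise ScopeError("unauthenticated")
    allowed = IDENTITY_SCOPES[user]
    excess = set(requested) - allowed
    if excess:
        raise ScopeError(f"{user} requested ungranted scopes: {sorted(excess)}")
    return Session(user, frozenset(requested or allowed))


def require_scope(session: Session, scope: str) -> bool:
    """Owner-only functions check the specific scope, so holding
    operator.write alone is not enough to reach them."""
    return scope in session.scopes


def escalation_blocked(user: str, requested: Set[str]) -> bool:
    """True when the hardened handler refuses the requested scopes."""
    try:
        connect_hardened(user, requested)
        return False
    except ScopeError:
        return True
```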
The full March disclosure list:
| CVE | CVSS | Impact |
|---|---|---|
| CVE-2026-22172 | 9.9 Critical | Self-declared scopes enable privilege escalation to admin |
| CVE-2026-32051 | 8.8 High | Operator.write scope reaches owner-only functions |
| CVE-2026-22171 | 8.2 High | Path traversal in media downloads enables arbitrary file writes |
| CVE-2026-32048 | 7.5 High | Sandboxed child processes inherit no restrictions—sandbox escape |
| CVE-2026-32049 | 7.5 High | Oversized media payloads crash service without authentication |
| CVE-2026-32025 | 7.5 High | No rate limiting on localhost WebSocket auth enables session hijacking |
| CVE-2026-32032 | 7.0 High | Untrusted shell environment variable leads to arbitrary execution |
| CVE-2026-29607 | 6.4 Medium | Wrapper approval persists after payload swap—RCE without re-prompting |
| CVE-2026-28460 | 5.9 Medium | Shell continuation characters bypass command allowlist |
The sandbox escape vulnerability (CVE-2026-32048) is particularly concerning. When a sandboxed session spawns a child process, the child runs with `sandbox.mode: off`. A compromised agent that appears contained can spawn its way to freedom.
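As an added example (not OpenClaw's code), the following contrasts a spawn path that hands every child a fresh default policy with one that inherits the parent's sandbox and refuses any child policy that is looser; the policy fields, the "restricted" mode name and the function names are hypothetical.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed strictness ordering for sandbox modes: higher is stricter.
MODE_RANK = {"off": 0, "restricted": 1}


@dataclass(frozen=True)
class Sandbox:
    mode: str                                   # "off" or "restricted"
    allowed_paths: frozenset = frozenset()      # filesystem roots reachable
    network: bool = False                       # outbound network permitted


def not_looser_than(child: Sandbox, parent: Sandbox) -> bool:
    """True if every capability the child holds, the parent also holds."""
    if MODE_RANK[child.mode] < MODE_RANK[parent.mode]:
        return False
    if child.network and not parent.network:
        return False
    # An "off" parent has unbounded paths, so only compare when restricted.
    if parent.mode != "off" and not child.allowed_paths <= parent.allowed_paths:
        return False
    return True


def spawn_vulnerable(parent: Sandbox, argv: List[str]) -> dict:
    """The escape pattern: the child gets a default config (mode off)
    regardless of how the parent session was confined."""
    return {"argv": argv, "sandbox": Sandbox(mode="off", network=True)}


def spawn_hardened(parent: Sandbox, argv: List[str],
                   child: Optional[Sandbox] = None) -> dict:
    """Inherit the parent's policy by default; a narrower child policy is
    allowed, a wider one is rejected before anything is executed."""
    child = child if child is not None else parent
    if not not_looser_than(child, parent):
        raise PermissionError("child sandbox would be looser than parent")
    return {"argv": argv, "sandbox": child}


def spawn_blocked(parent: Sandbox, child: Sandbox) -> bool:
    """True when the hardened spawn refuses the requested child policy."""
    try:
        spawn_hardened(parent, ["sh", "-c", "true"], child)
        return False
    except PermissionError:
        return True
```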
## 12% of the Marketplace Is Malware
The vulnerability disclosures are only half the story. Koi Security researcher Oren Yomtov audited all 2,857 skills on ClawHub and found 341 malicious entries. That’s nearly 12% of the entire marketplace.
The campaign, now tracked as “ClawHavoc,” showed coordination: 335 of the 341 malicious skills traced back to a single operation. The skills appeared legitimate—trading bots, financial assistants, productivity tools—and came with professional documentation. Users installed them following standard guides, unknowingly executing keyloggers on Windows or Atomic Stealer malware on macOS.
The malware targets included:
- Cryptocurrency wallet browser extensions and seed phrases
- macOS Keychain data
- Browser passwords and session cookies
- Cloud service credentials (AWS, GCP, Azure)
Since the initial disclosure, the problem has grown worse. Bitdefender’s follow-up analysis found approximately 900 malicious packages across an expanded registry of 10,700+ skills—roughly 20% of the ecosystem.
OpenClawd, a managed hosting service for OpenClaw, shipped verified skill screening in response. The core OpenClaw project has yet to implement marketplace moderation.
## The Exposure Scale
The raw numbers remain alarming. Censys identified 21,639 OpenClaw instances exposed to the internet, up from the roughly 1,000 found in early February. A separate Kaspersky scan found nearly 1,000 installations running without any authentication.
The security audit total now stands at 512 vulnerabilities identified, with eight classified as critical. Many stem from the same architectural decisions we flagged in February: binding to all interfaces by default, trusting localhost connections implicitly, and granting agents broad system access without adequate permission boundaries.
## What You Need to Do
If you’re running OpenClaw, the situation demands immediate action:
Patch to 2026.3.12 or later. This is non-negotiable. Versions before 2026.3.12 are vulnerable to the CVSS 9.9 admin bypass and multiple other critical flaws. The patch timeline is confusing—fixes shipped before CVE disclosures—so verify your actual version, not just whether you recently updated.
Purge community skills. Avoid the ClawHub marketplace entirely. If you’ve installed third-party skills, audit them now. Check for suspicious network connections, credential access patterns, or obfuscated code. When in doubt, remove and reinstall only verified skills from trusted sources.
Rotate all credentials. Assume compromise. Change API keys for every service your OpenClaw instance touches: cloud providers, messaging platforms, code repositories, payment processors. If you’ve used ClawHub skills, especially check for unauthorized access to cryptocurrency wallets.
Lock down network access. Bind to 127.0.0.1, not 0.0.0.0. Use a reverse proxy with authentication if you need remote access. OpenClaw should never listen on a public interface.
Consider whether you need this at all. OpenClaw provides convenience by connecting an AI agent to everything on your machine. That same connectivity is why each vulnerability creates such catastrophic exposure. If you’re not actively using the agent capabilities that require shell access, file access, and messaging platform integration, a simpler tool with a smaller attack surface might serve you better.
## The Pattern Continues
OpenClaw isn’t an isolated case. It’s the most visible example of a pattern we’ve been tracking all year: AI tools shipping with broad system access and inadequate security review.
The fundamental problem is architectural. When you give an autonomous agent access to your shell, your files, your credentials, and your messaging platforms, you’re creating a single point of compromise that hands attackers everything. Traditional security models assume defense in depth—multiple layers that an attacker must breach sequentially. AI agents flatten that architecture into a single, maximally-privileged attack surface.
OpenClaw grew from 9,000 to over 145,000 GitHub stars in weeks. That adoption velocity doesn’t allow time for security audits, threat modeling, or defensive hardening. The result is predictable: 156 security advisories and counting, a marketplace poisoned with malware, and thousands of instances exposed to the internet running unpatched code.
The convenience isn’t worth the exposure.