⚠️ OpenClaw: Why Cybersecurity Experts Recommend Assuming You Are Compromised

🔄 Update April 20, 2026 — The minimum recommended version is now OpenClaw ≥ 2026.4.14 (no longer 2026.3.28). The April 2026 patch batch added at least 13 new CVEs, including CVE-2026-35639 (CVSS 8.7), CVE-2026-34511 (OAuth PKCE), CVE-2026-35636 (sessionId hijacking), and CVE-2026-40037 (cross-origin SSRF). The CVE publication rhythm has not slowed — the "assume you are compromised" posture remains more relevant than ever.
 
Active alert: This alert applies to all OpenClaw versions prior to 2026.4.14. If you have not yet updated, treat your environment as potentially compromised.

OpenClaw (formerly Clawdbot, then Moltbot, renamed in January 2026) is an open-source AI agent framework that allows an AI assistant to act on behalf of a user — files, Slack, Discord, Telegram, online purchases — using their own access and permissions. Launched in November 2025, it reached 347,000 GitHub stars in less than six months. In those same five months, 138 CVEs have been associated with it — including 7 critical and 49 of high severity. If you or your team uses OpenClaw, the posture recommended by experts is unequivocal: assume you are compromised.

Key takeaways

  • CVE-2026-25253 (CVSS 8.8): one-click RCE via WebSocket, 35.4% of observed deployments vulnerable to RCE
  • CVE-2026-22172 (CVSS 9.9) + CVE-2026-32922 (CVSS 9.9): admin control without credentials
  • 12% of ClawHub skills malicious in February 2026 (341 out of 2,857) — 824+ active as of April 3, 2026 (ClawHavoc campaign)
  • 135,000+ exposed instances across 82 countries, including 63% without authentication (SecurityScorecard STRIKE, February 2026)
  • Microsoft advises against any deployment on a workstation containing sensitive data (02/19/2026)
  • Minimum recommended version: 2026.4.14

What is OpenClaw?

OpenClaw (formerly Clawdbot, then Moltbot — three successive names in January 2026) is an open-source AI agent framework that allows an AI assistant to automate actions on behalf of a human user — local and network file access, Slack and Discord messaging, Telegram management, online transactions, third-party service execution — using the same rights and credentials as the user.

Launched in November 2025, OpenClaw reached 347,000 GitHub stars in less than six months. Its popularity is viral. Its security model, however, is fundamentally fragile: the agent has the same rights as the user, connected to all their services. A flaw does not compromise a single isolated component — it compromises everything the agent had access to.

Incident timeline (November 2025 – April 2026)

| Date | Incident | Severity |
|---|---|---|
| November 2025 | OpenClaw launch (formerly Clawdbot, then Moltbot, renamed OpenClaw in January 2026), viral adoption — 347,000 ⭐ GitHub | |
| Jan 29 – Feb 3, 2026 | CVE-2026-25253 (CVSS 8.8): one-click RCE via local WebSocket. Patch v2026.1.29 published January 29, 2026; public disclosure February 3, 2026. 35.4% of observed deployments vulnerable to RCE | 🔴 Critical |
| February 2026 | ClawHavoc campaign (Koi Security): 341 malicious skills out of 2,857 audited (12%) — keyloggers and credential stealers | 🔴 Critical |
| February 19, 2026 | Microsoft Security Blog: official guidance advising against deployment on any workstation containing sensitive data | 🟠 Alert |
| March 2026 | CVE-2026-22172 (CVSS 9.9): self-declaration of admin scopes via WebSocket — all versions before 2026.3.12 | 🔴 Critical |
| March 19, 2026 | CVE-2026-32038: Docker network isolation bypass via network=container:. Fixed in OpenClaw 2026.2.24 | 🔴 Critical |
| March 13–29, 2026 | CVE-2026-32922 (CVSS 9.9): escalation via device.token.rotate. Patch v2026.3.11 published March 13; CVE published March 29. 135,000+ exposed instances across 82 countries, 63% without auth (SecurityScorecard STRIKE, February 2026; relayed by ARMO, March 2026) | 🔴 Critical |
| April 3, 2026 | Ars Technica: "Assume compromise" — 3 new high-to-critical severity vulnerabilities, including CVE-2026-33579 (CVSS up to 9.8). 824+ malicious skills active | 🔴 Critical |

138 CVEs tracked between February and April 2026 — including 7 critical and 49 of high severity (GitHub tracker jgamblin/OpenClawCVEs; analysis relayed by Blink Security, April 2026)

The 5 major vulnerabilities decoded

CVE-2026-25253 — One-click Remote Code Execution (CVSS 8.8)

RCE (Remote Code Execution): a vulnerability allowing a remote attacker to execute arbitrary code on the target machine, without physical access or user interaction beyond simply visiting a malicious web page.

The vulnerability exploits OpenClaw's WebSocket gateway (port 18789 by default, insufficient origin validation). Simply visiting a booby-trapped page was enough to compromise the machine. 35.4% of observed deployments were vulnerable to RCE (SecurityScorecard STRIKE, February 2026). Patch v2026.1.29 was published on January 29, 2026, five days before the public disclosure on February 3, 2026 (ProArch Security, March 2026).
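The defensive counterpart to "insufficient origin validation" is an exact-match Origin allowlist on the WebSocket handshake, so that a page on another site cannot open a socket to the local gateway through the visitor's browser. The following is an added example written for this article, not OpenClaw's own code: the allowed origins (a local UI on the default port 18789 named above), the deny-by-default treatment of a missing Origin header, and the function names are assumptions.

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Origins allowed to open a WebSocket to the gateway. Assumption for this
# example: the gateway is only driven by a local UI on the default port 18789
# named in the article; the real OpenClaw allowlist is not described there.
ALLOWED_ORIGINS = {"http://127.0.0.1:18789", "http://localhost:18789"}

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}


def normalize_origin(origin: Optional[str]) -> Optional[str]:
    """Return 'scheme://host:port' for a browser Origin value, or None when it
    is not a well-formed origin ('null', empty, carries a path, bad port)."""
    if not origin or origin.strip().lower() == "null":
        return None
    parts = urlsplit(origin.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        return None
    try:
        port = parts.port or DEFAULT_PORTS[scheme]
    except ValueError:  # e.g. 'http://localhost:18789.evil.example'
        return None
    return f"{scheme}://{parts.hostname}:{port}"


def is_origin_allowed(headers: Dict[str, str]) -> bool:
    """Gate a WebSocket handshake on an exact-match Origin allowlist.
    A request with no Origin header is denied as well: browsers always send
    one, and scripted clients should authenticate with a token rather than
    rely on the header being absent."""
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    norm = normalize_origin(origin)
    allowed = {normalize_origin(o) for o in ALLOWED_ORIGINS}
    return norm is not None and norm in allowed


if __name__ == "__main__":
    for hdrs in ({"Origin": "http://localhost:18789"},
                 {"Origin": "https://localhost.evil.example:18789"},
                 {"Origin": "null"}, {}):
        print(hdrs, "->", "allow" if is_origin_allowed(hdrs) else "deny")
```

The comparison is on the normalized scheme, host and port, which is why look-alike origins such as a sub-domain of an attacker's site, a port that is actually part of a hostname, or a `user@host` trick all fall through to deny; a substring or prefix check would pass several of them.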

CVE-2026-22172 — Admin declaration via WebSocket (CVSS 9.9)

WebSocket clients could self-declare with administrator scopes, completely bypassing authentication. Affects all versions prior to 2026.3.12.

CVE-2026-32038 — Docker network isolation bypass (fixed in OpenClaw 2026.2.24)

Via the network=container: parameter, an agent accessed the network namespace of other containers — databases, internal services, private APIs. Required prior trusted operator access.

CVE-2026-32922 — Escalation via device.token.rotate (CVSS 9.9)

135,000+ instances exposed on the internet across 82 countries — including 63% without any authentication (SecurityScorecard STRIKE, February 2026; relayed by ARMO Security, March 2026)

The device.token.rotate function did not constrain the scopes of newly generated tokens. An attacker with the lowest permission level obtained full administrator control. The patch was published in version 2026.3.11 on March 13, 2026; the CVE was published on cve.org on March 29, 2026.

CVE-2026-33579 — Escalation via /pair approve (CVSS up to 9.8)

The /pair approve command did not forward the requester's security scopes into the central authorization check. Patched in version 2026.3.28. The official CVSS score has not yet been published by NVD as of this article's date; the "up to 9.8" score is reported by Ars Technica and Blink Security (April 2026).
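CVE-2026-22172, CVE-2026-32922 and CVE-2026-33579 are three instances of one bug class: a scope decision is made from what the client declares, or without the caller's real scopes, instead of from the authenticated token. The block below is an added example for this article, not OpenClaw's code: the scope names, the `Token` model, the `authorize()` convention in which `None` means "trusted internal caller", and all function names are assumptions chosen to show each vulnerable path beside its hardened form.

```python
import secrets
from dataclasses import dataclass
from typing import FrozenSet, Iterable, Optional

# Assumed scope vocabulary for this illustration; OpenClaw's real scope names
# are not given in the article.
ALL_SCOPES = frozenset({"read", "write", "admin"})


@dataclass(frozen=True)
class Token:
    value: str
    scopes: FrozenSet[str]


class ScopeEscalation(Exception):
    """Raised when a caller tries to obtain scopes it does not already hold."""


def authorize(actor_scopes: Optional[FrozenSet[str]], required: str) -> bool:
    """Central authorization check (assumed design). Passing None means
    'trusted internal caller': that convention is exactly what makes it
    dangerous to forget forwarding the real caller's scopes."""
    if actor_scopes is None:
        return True
    return required in actor_scopes


# --- CVE-2026-22172 class: client self-declares its scopes -----------------
def session_scopes_vulnerable(claimed: Iterable[str], token: Optional[Token]) -> FrozenSet[str]:
    """The server trusts whatever scopes the WebSocket client declares."""
    return frozenset(claimed)


def session_scopes_hardened(claimed: Iterable[str], token: Optional[Token]) -> FrozenSet[str]:
    """Scopes come only from the authenticated token; a client's claim can at
    most narrow them, never widen them."""
    if token is None:
        return frozenset()
    return frozenset(claimed) & token.scopes


# --- CVE-2026-32922 class: rotation does not constrain new scopes -----------
def rotate_token_vulnerable(current: Token, requested: Iterable[str]) -> Token:
    """The new token receives whatever scopes were asked for."""
    return Token(secrets.token_hex(16), frozenset(requested))


def rotate_token_hardened(current: Token, requested: Iterable[str]) -> Token:
    """Rotation may narrow scopes but never widen them."""
    wanted = frozenset(requested)
    if not wanted <= ALL_SCOPES:
        raise ValueError(f"unknown scopes: {sorted(wanted - ALL_SCOPES)}")
    if not wanted <= current.scopes:
        raise ScopeEscalation(f"cannot grant {sorted(wanted - current.scopes)}")
    return Token(secrets.token_hex(16), wanted)


# --- CVE-2026-33579 class: approver's scopes not forwarded ------------------
def approve_pair_vulnerable(approver: Token, requested: Iterable[str]) -> Token:
    """The approver's scopes never reach authorize(), so the check is a no-op."""
    if not authorize(None, "admin"):
        raise ScopeEscalation("approval requires admin")
    return Token(secrets.token_hex(16), frozenset(requested))


def approve_pair_hardened(approver: Token, requested: Iterable[str]) -> Token:
    """Forward the approver's real scopes, then cap the new device like a rotation."""
    if not authorize(approver.scopes, "admin"):
        raise ScopeEscalation("approval requires admin")
    return rotate_token_hardened(approver, requested)


def escalation_blocked(fn, token: Token, requested: Iterable[str]) -> bool:
    """True if fn(token, requested) refuses with ScopeEscalation (used in checks)."""
    try:
        fn(token, requested)
    except ScopeEscalation:
        return True
    return False


if __name__ == "__main__":
    low = Token("low", frozenset({"read"}))
    print("vulnerable rotate grants:", sorted(rotate_token_vulnerable(low, ["admin"]).scopes))
    print("hardened rotate blocked:", escalation_blocked(rotate_token_hardened, low, ["admin"]))
```

The common rule across all three hardened paths is that the effective scope set is always intersected with, or checked as a subset of, the scopes of the authenticated token that is acting; no code path ever builds a scope set from a request body alone.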

The ClawHub supply chain: 824+ active malicious skills

Credential stealer: malicious software that silently captures and exfiltrates authentication credentials — OAuth tokens, API keys, environment variables — to attacker-controlled servers, with no visible action by the user.

In February 2026, researchers at Koi Security detected the ClawHavoc campaign: skills distributed via the official ClawHub, disguised as productivity tools (Gmail, Notion, Slack, GitHub), embedding malicious code.

Key figures (Koi Security, February 2026): 341 malicious skills identified out of 2,857 audited (12%), of which 335 attributed to the same ClawHavoc campaign. This figure has since grown: 824+ malicious skills active as of April 3, 2026 (Blink Security, April 2026), including keyloggers and credential stealers targeting OAuth tokens, API keys, and environment variables.

Docker and VM: insufficient protection

Attack vector Docker alone Dedicated VM Docker + 5 flags
CVE-2026-25253 (WebSocket RCE) ⚠️ Partial
CVE-2026-32038 (network namespace) ❌ before OpenClaw 2026.2.24
CVE-2026-22172 (auto admin scope)
CVE-2026-32922 (device.token.rotate)
Malicious ClawHub skills ⚠️ Partial ⚠️ Partial
Kernel exploit (shared kernel)

Microsoft Security Blog (02/19/2026): "The runtime can ingest untrusted text, download and execute skills from external sources, and perform actions using the credentials assigned to it — without equivalent controls around identity, input handling, or privilege scoping. (…) If an organization determines that OpenClaw must be evaluated, it should be deployed only in a fully isolated environment such as a dedicated virtual machine, with non-privileged credentials, access only to non-sensitive data, continuous monitoring, and a rebuild plan."
Microsoft Security Blog, February 19, 2026

Bottom line: Docker reduces the blast radius. It does not guarantee invulnerability. A Docker container shares the host kernel — a kernel vulnerability compromises every container on the machine. Docker bypasses UFW rules by modifying iptables directly — your VM firewall does not protect your containers by default.

What you need to do now

Mandatory updates

  • Update to OpenClaw 2026.4.14 minimum (closes CVE-2026-33579)
  • CVE-2026-32922 has already been fixed since OpenClaw 2026.3.11 (March 13, 2026)
  • OpenClaw ≥ 2026.2.24 closes CVE-2026-32038

5 mandatory Docker hardening flags

# Run OpenClaw with the hardening flags. $OPENCLAW_IMAGE is a placeholder for
# your image reference. NEVER mount the Docker socket (/var/run/docker.sock)
# into the container: it hands the agent control of the Docker daemon.
docker run \
  --user nobody \
  --read-only \
  --cap-drop=ALL \
  --security-opt=no-new-privileges \
  "$OPENCLAW_IMAGE"

Firewall and network

  • Configure UFW via the DOCKER-USER iptables chain (standard UFW rules do not apply to containers, because Docker inserts its own iptables rules ahead of them)
  • Block port 18789 from public exposure
  • Bind the WebSocket gateway to 127.0.0.1 only (never 0.0.0.0)
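A pre-flight check that turns the hardening flags and the port-binding rule above into something a CI job or a deploy script can enforce. This is an added example for this article, not an OpenClaw tool: it lints a `docker run` command line for the four flags, a mounted Docker socket, `--privileged`, `--network host`, and a `-p` publish spec that exposes port 18789 beyond loopback. The parser only understands the option spellings listed in `VALUE_OPTS` and IPv4 publish forms; the image name in the self-test is a placeholder.

```python
import shlex
from typing import List, Optional, Tuple

GATEWAY_PORT = "18789"  # default gateway port named in the article
# docker run options that take a separate value when written without '='.
VALUE_OPTS = {"-u", "--user", "-v", "--volume", "--mount", "-p", "--publish",
              "--cap-drop", "--cap-add", "--security-opt", "--network", "--net",
              "-e", "--env", "--name", "--tmpfs"}
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def parse_run(cmdline: str) -> Tuple[List[Tuple[str, Optional[str]]], List[str]]:
    """Split a 'docker run ...' line into (option, value) pairs plus the trailing
    image/command. Handles backslash-newline continuations and '#' comments."""
    argv = shlex.split(cmdline.replace("\\\n", " "), comments=True)
    if argv[:2] != ["docker", "run"]:
        raise ValueError("expected a 'docker run' command")
    opts: List[Tuple[str, Optional[str]]] = []
    i = 2
    while i < len(argv) and argv[i].startswith("-"):
        tok = argv[i]
        if tok.startswith("--") and "=" in tok:
            key, val = tok.split("=", 1)
            opts.append((key, val))
            i += 1
        elif tok in VALUE_OPTS and i + 1 < len(argv):
            opts.append((tok, argv[i + 1]))
            i += 2
        else:
            opts.append((tok, None))
            i += 1
    return opts, argv[i:]


def check_publish(spec: str) -> Optional[str]:
    """Flag a -p/--publish spec that exposes the gateway port beyond loopback.
    IPv4 forms only: 'cport', 'hport:cport', 'ip:hport:cport' (optionally /tcp)."""
    spec = spec.split("/")[0]
    parts = spec.split(":")
    host_ip = parts[0] if len(parts) == 3 else "0.0.0.0"  # no ip = all interfaces
    if GATEWAY_PORT in parts and host_ip not in LOOPBACK:
        return f"-p {spec}: gateway port {GATEWAY_PORT} published on {host_ip}; bind to 127.0.0.1"
    return None


def audit_run(cmdline: str) -> List[str]:
    """Return the hardening problems found; an empty list means every check passed."""
    opts, rest = parse_run(cmdline)
    pairs = set(opts)
    names = {k for k, _ in opts}
    findings: List[str] = []
    if not ({("--user", "nobody"), ("-u", "nobody")} & pairs):
        findings.append("missing --user nobody")
    if "--read-only" not in names:
        findings.append("missing --read-only")
    if ("--cap-drop", "ALL") not in pairs:
        findings.append("missing --cap-drop=ALL")
    if ("--security-opt", "no-new-privileges") not in pairs:
        findings.append("missing --security-opt=no-new-privileges")
    for key, val in opts:
        if key in ("-v", "--volume", "--mount") and val and "docker.sock" in val:
            findings.append(f"{key} {val}: Docker socket mounted into the container")
        elif key in ("-p", "--publish") and val:
            problem = check_publish(val)
            if problem:
                findings.append(problem)
        elif key in ("--network", "--net") and val == "host":
            findings.append("--network host: container shares the host network stack")
        elif key == "--privileged":
            findings.append("--privileged: cancels --cap-drop=ALL")
    if not rest:
        findings.append("no image given")
    return findings


if __name__ == "__main__":
    # Placeholder image reference; not a real published image.
    cmd = ("docker run --user nobody --read-only --cap-drop=ALL "
           "--security-opt=no-new-privileges -p 0.0.0.0:18789:18789 example/openclaw:2026.4.14")
    for finding in audit_run(cmd) or ["OK: all checks passed"]:
        print(finding)
```

Run it against the exact command you deploy (including a `docker-compose`-generated one, once rendered to a `docker run` line) rather than against a template; the common failures in practice are a `-p 18789:18789` that silently binds every interface and a socket mount added "temporarily" for debugging.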

Audit and revocation

  • Audit every skill installed from ClawHub between November 2025 and end of February 2026
  • Revoke and regenerate all tokens and API keys connected to OpenClaw
  • Treat every past session as potentially compromised

FAQ — Frequently asked questions about OpenClaw security

Is updating to 2026.4.14 enough to be protected?

The patch fixes the vulnerabilities known as of April 3, 2026. It does not fix what may have happened during the weeks of exposure. If OpenClaw was in production before the patch, the recommended posture remains: revoke all tokens, reset all credentials, treat the environment as potentially compromised.

Does Docker protect me from OpenClaw vulnerabilities?

No, not entirely. CVE-2026-25253 (WebSocket RCE) and CVE-2026-22172 (admin scope) are not mitigated by Docker alone. CVE-2026-32038 specifically bypassed Docker network isolation. The 5 hardening flags must be applied in addition to updating to 2026.4.14.

How many OpenClaw instances are exposed on the internet?

According to security data from February 2026, more than 135,000 OpenClaw instances are exposed on the internet across 82 countries. Of these, 63% operate without any authentication (SecurityScorecard STRIKE, February 2026; relayed by ARMO Security, March 2026) — meaning that any network visitor can request pairing access without providing credentials.

What should I do if I installed skills from ClawHub before March 2026?

Audit every skill installed between November 2025 and the end of February 2026. Skills disguised as productivity tools (Gmail, Notion, Slack, GitHub) are particularly suspicious. When in doubt: uninstall the skill, revoke all credentials OpenClaw had access to, regenerate the associated API keys.

Can OpenClaw be used securely in a corporate environment?

Microsoft Security Blog (02/19/2026): "It is not appropriate to run on a standard personal or enterprise workstation. If an organization determines that OpenClaw must be evaluated, it should be deployed only in a fully isolated environment such as a dedicated virtual machine, with non-privileged credentials, access only to non-sensitive data, continuous monitoring, and a rebuild plan."

Is the problem specific to OpenClaw or structural to AI agents?

The problem is structural. An AI agent operating with the broad rights of the user, connected to multiple services, creates an exceptional attack surface. A flaw does not compromise a single isolated component — it compromises everything the agent had access to. OpenClaw is a textbook case, not an exception. The current "one agent, broad access to everything" model is fundamentally fragile.

What are the indicators of compromise to monitor?

Unusual activity on your Slack, Discord, Telegram or GitHub accounts; OAuth tokens revoked or regenerated without your action; new active sessions on services OpenClaw had access to; files created, modified, or deleted without identifiable action; outbound network requests to unknown domains from the server hosting OpenClaw.
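The last indicator, outbound requests to unknown domains from the OpenClaw host, is the one that can be checked mechanically from an egress log. The block below is an added example for this article, not part of OpenClaw or of any vendor tool: the log format, the sample lines and the list of expected service domains are all constructed for the illustration, so substitute your proxy's format and your own allowlist.

```python
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Tuple

# Services this deployment is expected to reach (assumed for the example).
EXPECTED_DOMAINS = {"slack.com", "discord.com", "api.telegram.org",
                    "github.com", "api.openai.com"}

# Constructed egress-proxy log format for this example:
#   <timestamp> <source-host> CONNECT <destination>:<port> bytes=<n>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+CONNECT\s+(?P<dst>[^:\s]+):(?P<port>\d+)\s+bytes=(?P<bytes>\d+)$")

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2026-04-05T10:12:03Z openclaw-host CONNECT api.slack.com:443 bytes=1482
2026-04-05T10:12:09Z openclaw-host CONNECT files.slack.com:443 bytes=88213
2026-04-05T10:13:41Z openclaw-host CONNECT api.github.com:443 bytes=3920
2026-04-05T10:14:02Z openclaw-host CONNECT cdn-metrics.example-cdn.net:443 bytes=524288
2026-04-05T10:14:05Z openclaw-host CONNECT 203.0.113.7:8443 bytes=1048576
garbage line that does not parse
"""


def destination_expected(dst: str) -> bool:
    """True if dst is one of the expected domains or a sub-domain of one.
    A raw IP destination is never expected: legitimate SaaS traffic goes by name."""
    dst = dst.lower().rstrip(".")
    try:
        ipaddress.ip_address(dst)
        return False
    except ValueError:
        pass
    return any(dst == d or dst.endswith("." + d) for d in EXPECTED_DOMAINS)


def scan_egress(log_text: str) -> Tuple[List[Dict[str, str]], Counter, int]:
    """Return (unexpected-destination findings, bytes per destination, unparsed lines).
    Counting unparsed lines matters: a format change must not silently blind the check."""
    findings: List[Dict[str, str]] = []
    volume: Counter = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        dst = m["dst"]
        volume[dst] += int(m["bytes"])
        if not destination_expected(dst):
            findings.append({"ts": m["ts"], "src": m["src"], "dst": dst,
                             "port": m["port"], "bytes": m["bytes"]})
    return findings, volume, unparsed


if __name__ == "__main__":
    hits, vol, bad = scan_egress(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['src']} -> {h['dst']}:{h['port']} ({h['bytes']} bytes) UNEXPECTED")
    print(f"{bad} unparsed line(s); top talkers: {vol.most_common(3)}")
```

On the sample, the two hits are the unknown CDN-style host and the raw-IP destination on a non-standard port; the byte counter is there because a credential stealer's upload tends to show up as a destination that is both unexpected and unusually heavy for a "productivity" skill.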

Have doubts about your security posture against AI agents?
Our Bexxo experts can support you with an audit or compliance review.
→ Contact us at bexxo.ch
