
⚠️ OpenClaw: Why Cybersecurity Experts Recommend Assuming You Are Compromised


Active Alert: This alert concerns all OpenClaw versions prior to 2026.3.28. If you have not yet updated, treat your environment as potentially compromised.

OpenClaw (formerly Clawdbot) is an open-source AI agent framework that allows an AI assistant to act on behalf of a user — files, Slack, Discord, Telegram, online purchases — using their own access and permissions. Launched in November 2025, it reached 347,000 GitHub stars in less than six months. In five months, 138 CVEs have also been associated with it — including 7 critical, 49 of high severity. If you or your team uses OpenClaw, the posture recommended by experts is unequivocal: assume you are compromised.

Key Takeaways

  • CVE-2026-25253 (CVSS 8.8): 1-click RCE via WebSocket, 35% of instances exposed
  • CVE-2026-22172 (CVSS 9.9) + CVE-2026-32922 (CVSS 9.9): admin control without credentials
  • 12% of ClawHub skills malicious in February 2026 — 824+ active as of April 3, 2026 (ClawHavoc campaign)
  • +135,000 exposed instances, including 63% without authentication (ARMO, 2026)
  • Microsoft advises against any deployment on machines containing sensitive data (02/19/2026)
  • Minimum recommended version: 2026.3.28

What is OpenClaw?

OpenClaw (formerly Clawdbot) is an open-source AI agent framework that allows an AI assistant to automate actions on behalf of a human user — access to local and network files, Slack and Discord messaging, Telegram management, online transactions, execution of tasks on third-party services — using the same rights and credentials as the user.

Launched in November 2025, OpenClaw reached 347,000 GitHub stars in less than six months. Its popularity is viral. Its security model, however, is fundamentally fragile: the agent has the same rights as the user, connected to all their services. A flaw does not compromise an isolated component — it compromises everything the agent had access to.

Timeline of Incidents (November 2025 – April 2026)

Date | Incident | Severity
--- | --- | ---
November 2025 | OpenClaw launch (formerly Clawdbot), viral adoption: 347,000 ⭐ GitHub |
January 2026 | CVE-2026-25253 (CVSS 8.8): 1-click RCE via local WebSocket, patched in 48h. 35% of instances exposed. An unpatched Docker container compromised in <90 s | 🔴 Critical
February 2026 | ClawHavoc campaign: 12% of ClawHub skills malicious (341/2,857), keyloggers and credential stealers | 🔴 Critical
February 19, 2026 | Microsoft Security Blog: official guide advising against deployment on any machine containing sensitive data | 🟠 Alert
March 2026 | CVE-2026-22172 (CVSS 9.9): self-declaration of admin scopes via WebSocket, all versions before 2026.3.12 | 🔴 Critical
March 19, 2026 | CVE-2026-32038: Docker network isolation bypass via network=container:. Fixed in 2026.2.24 | 🔴 Critical
March 29, 2026 | CVE-2026-32922 (CVSS 9.9): escalation via device.token.rotate. 135,000+ instances exposed, 63% without auth | 🔴 Critical
April 3, 2026 | Ars Technica: "Assume compromise". 3 new critical vulnerabilities, including CVE-2026-33579 (CVSS 9.8). 824+ active malicious skills | 🔴 Critical

138 CVEs tracked between February and April 2026, including 7 critical and 49 of high severity (Blink Security, April 2026)

The 5 Major Vulnerabilities Explained

CVE-2026-25253 — 1-Click Remote Code Execution (CVSS 8.8)

RCE (Remote Code Execution): vulnerability allowing a remote attacker to execute arbitrary code on the target machine, without physical access or user interaction beyond simply visiting a malicious web page.

The vulnerability exploits OpenClaw's WebSocket gateway (port 18789 by default, insufficient origin validation). Simply visiting a booby-trapped page was enough to compromise the machine. 35% of deployed instances were exposed. An unpatched Docker container was compromised in less than 90 seconds in demonstration tests. (ProArch Security, January 2026)

CVE-2026-22172 — Admin Declaration via WebSocket (CVSS 9.9)

WebSocket clients could self-declare with administrator scopes, completely bypassing authentication. Affects all versions prior to 2026.3.12.

CVE-2026-32038 — Docker Network Isolation Bypass (fixed in 2026.2.24)

Via the network=container: parameter, an agent accessed the network namespace of other containers — database, internal services, private APIs. Required prior trusted operator access.

CVE-2026-32922 — Escalation via device.token.rotate (CVSS 9.9)

135,000+ instances exposed on the internet in 82 countries — including 63% without any authentication (ARMO Security, March 2026)

The device.token.rotate function did not constrain the scopes of newly generated tokens. An attacker with the lowest level of permission obtained complete administrator control.

CVE-2026-33579 — Escalation via /pair approve (CVSS up to 9.8)

The /pair approve command did not transmit the security scopes of the requester in the central authorization check. Patched in version 2026.3.28. (NVD, April 2026)

The ClawHub Supply Chain: 824+ Active Malicious Skills

Credential stealer: malware that silently captures and exfiltrates authentication credentials — OAuth tokens, API keys, environment variables — to attacker-controlled servers, without any visible user action.

In February 2026, researchers detected the ClawHavoc campaign: skills distributed via the official ClawHub, disguised as productivity tools (Gmail, Notion, Slack, GitHub), embedding malicious code.

Key figures (Blink Security, April 2026): 341 malicious skills out of 2,857 in February 2026 (12%). This number has increased: 824+ active malicious skills listed as of April 3, 2026, including keyloggers and credential stealers targeting OAuth tokens, API keys, and environment variables.

Docker and VM: Insufficient Protection

Attack vectors compared across three setups (Docker alone, dedicated VM, Docker + 5 hardening flags); only the annotations below survived in this copy of the comparison table:

  • CVE-2026-25253 (WebSocket RCE): ⚠️ Partial
  • CVE-2026-32038 (network namespace): ❌ before 2026.2.24
  • CVE-2026-22172 (admin scope auto)
  • CVE-2026-32922 (device.token.rotate)
  • Malicious ClawHub Skills: ⚠️ Partial / ⚠️ Partial
  • Kernel Exploit (shared kernel)
Microsoft Security Blog (February 19, 2026): « The runtime can ingest untrusted text, download and execute skills from external sources, and perform actions with the credentials assigned to it — without equivalent controls on identity, input handling, or privilege scoping. If an organization determines that OpenClaw should be evaluated, it should be deployed only in a fully isolated environment — dedicated VM, non-privileged credentials, limited access to non-sensitive data, continuous monitoring, and a reconstruction plan. »
Key Takeaway: Docker reduces the blast radius. It does not guarantee invulnerability. A Docker container shares the host kernel — a kernel vulnerability compromises all containers on the machine. Docker bypasses UFW rules by modifying iptables directly — your VM firewall does not protect your containers by default.

What You Need to Do Now

Mandatory Updates

  • Update to OpenClaw 2026.3.28 minimum (closes CVE-2026-33579 and CVE-2026-32922)
  • Docker version ≥ 2026.2.24 (closes CVE-2026-32038)

5 Mandatory Docker Hardening Flags

# NEVER mount the Docker socket (/var/run/docker.sock): no "-v /var/run/docker.sock:..." option
docker run \
  --user nobody \
  --read-only \
  --cap-drop=ALL \
  --security-opt=no-new-privileges \
  <openclaw-image>   # placeholder: the OpenClaw image name you deploy

Firewall and Network

  • Configure UFW via the iptables DOCKER-USER chain (standard UFW rules do not apply to containers, because Docker writes its own iptables rules)
  • Block port 18789 from public exposure
  • Bind the WebSocket gateway to 127.0.0.1 only (never 0.0.0.0)
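As an added audit example (not code from the original post or from the OpenClaw project), the following Python reads one `docker inspect` record and reports which of the hardening flags above are missing, whether the Docker socket is mounted, and whether port 18789 is published on all interfaces instead of 127.0.0.1. The two inspect records and the image name are constructed for the example.

```python
import json

# Constructed sample shaped like `docker inspect <container>` output (not from the page):
# a weak deployment that lacks every hardening flag and exposes 18789 on all interfaces.
WEAK_INSPECT = json.dumps([{
    "Config": {"User": "", "Image": "openclaw-image-placeholder"},
    "HostConfig": {"ReadonlyRootfs": False, "CapDrop": None, "SecurityOpt": None,
                   "PortBindings": {"18789/tcp": [{"HostIp": "0.0.0.0", "HostPort": "18789"}]}},
    "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                "Destination": "/var/run/docker.sock"}],
}])

# Constructed hardened counterpart: the four `docker run` flags applied, no socket mount,
# gateway published on the loopback address only.
HARDENED_INSPECT = json.dumps([{
    "Config": {"User": "nobody", "Image": "openclaw-image-placeholder"},
    "HostConfig": {"ReadonlyRootfs": True, "CapDrop": ["ALL"], "SecurityOpt": ["no-new-privileges"],
                   "PortBindings": {"18789/tcp": [{"HostIp": "127.0.0.1", "HostPort": "18789"}]}},
    "Mounts": [],
}])

def audit_openclaw_container(inspect_json: str) -> list[str]:
    """Return one finding per missing hardening control for a single inspect record."""
    record = json.loads(inspect_json)[0]
    cfg, host = record["Config"], record["HostConfig"]
    findings = []
    if cfg.get("User", "") in ("", "root", "0"):
        findings.append("runs as root: add --user nobody")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable root filesystem: add --read-only")
    if "ALL" not in [c.upper() for c in (host.get("CapDrop") or [])]:
        findings.append("capabilities retained: add --cap-drop=ALL")
    if not any("no-new-privileges" in opt for opt in (host.get("SecurityOpt") or [])):
        findings.append("setuid escalation allowed: add --security-opt=no-new-privileges")
    if any(m.get("Source") == "/var/run/docker.sock" for m in record.get("Mounts") or []):
        findings.append("Docker socket mounted: remove the /var/run/docker.sock bind")
    for port, binds in (host.get("PortBindings") or {}).items():
        if port.startswith("18789/") and any(
                b.get("HostIp", "") in ("", "0.0.0.0", "::") for b in binds or []):
            findings.append("gateway port 18789 published on all interfaces: bind 127.0.0.1")
    return findings

if __name__ == "__main__":
    for finding in audit_openclaw_container(WEAK_INSPECT):
        print("FAIL:", finding)
```

On a live host, feed it the output of `docker inspect <container>`; an empty list means every control checked here is in place, not that the container is invulnerable.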

Audit and Revocation

  • Audit each skill installed from ClawHub between November 2025 and the end of February 2026
  • Revoke and regenerate all tokens and API keys connected to OpenClaw
  • Treat each past session as potentially compromised

FAQ — Frequently Asked Questions About OpenClaw Security

Is updating to 2026.3.28 enough to be protected?

The patch fixes the vulnerabilities known as of April 3, 2026. It does not fix what potentially happened during the weeks of exposure. If OpenClaw was in production before the patch, the recommended posture remains: revoke all tokens, reset all credentials, treat the environment as potentially compromised.

Does Docker protect me from OpenClaw vulnerabilities?

No, not entirely. CVE-2026-25253 (WebSocket RCE) and CVE-2026-22172 (admin scope) are not mitigated by Docker alone. CVE-2026-32038 specifically bypassed Docker network isolation. The 5 hardening flags must be applied in addition to updating to 2026.3.28.

How many OpenClaw instances are exposed on the internet?

According to security data from April 2026, more than 135,000 OpenClaw instances are exposed on the internet in 82 countries. Among them, 63% operate without any authentication (ARMO Security, March 2026) — meaning that any network visitor can request a pairing access without providing credentials.

What if I installed skills from ClawHub before March 2026?

Audit each skill installed between November 2025 and the end of February 2026. Skills disguised as productivity tools (Gmail, Notion, Slack, GitHub) are particularly suspicious. If in doubt: uninstall the skill, revoke all credentials that OpenClaw had access to, regenerate the associated API keys.

Can OpenClaw be used securely in a business?

Microsoft Security Blog (02/19/2026): « It is not appropriate to run it on a standard personal or corporate machine. If an organization determines that OpenClaw should be evaluated, it should be deployed only in a fully isolated environment — dedicated VM, non-privileged credentials, access only to non-sensitive data, continuous monitoring, and a reconstruction plan. »

Is the problem specific to OpenClaw or structural to AI agents?

The problem is structural. An AI agent operating with the user's broad rights, connected to multiple services, creates an exceptional attack surface. A flaw does not compromise an isolated component — it compromises everything the agent had access to. OpenClaw is a textbook case, not an exception. The current model "one agent, broad access to everything" is fundamentally fragile.

What are the indicators of compromise to monitor?

Unusual activity on your Slack, Discord, Telegram, or GitHub accounts; OAuth tokens revoked or regenerated without your action; new active sessions on services that OpenClaw had access to; files created, modified, or deleted without identifiable action; outbound network requests to unknown domains from the server hosting OpenClaw.
