Nine OpenClaw CVEs in Four Days. One Scored 9.9.
March 18, 2026. A Tuesday.
By Friday, OpenClaw had nine new CVEs. One scored 9.9 out of 10 on the CVSS scale. Six were high severity. The remaining two were medium.
That's not a bad week. That's a five-alarm fire.
What Happened
Between March 18 and March 21, security researchers disclosed nine vulnerabilities in rapid succession. The CVE tracker lit up like a slot machine.
Here's the highlight reel — if you can call it that.
The 9.9: Sandbox Escape (CVE-2026-32918)
The worst one. Sandboxed subagents could access parent or sibling session state by supplying arbitrary sessionKey values.
Translation: your "isolated" agent wasn't isolated. A compromised subagent could reach into other sessions, read their data, and act on their behalf.
The whole point of sandboxing is containment. This CVE blew through it.
Approval Bypass (CVE-2026-32978)
OpenClaw has an approval system. Agents ask permission before running dangerous commands. You approve "run backup.sh" and feel safe.
Except the approval didn't bind to the file's contents. An attacker could get approval for a benign script, then rewrite the script on disk, and execute the modified version under the original approval.
You approved one thing. The agent ran another.
Config Hijack (CVE-2026-32914)
The /config and /debug command handlers had insufficient access control. Non-owner users with command authorization could access owner-only settings and modify privileged configuration.
In a multi-user setup, this meant any authorized user could escalate to admin. Not great when you're running agents for a team.
Auth Bypass via Feishu (CVE-2026-32974)
If you configured Feishu webhook mode with only a verification token — no encrypt key — unauthenticated attackers could inject forged events and trigger downstream tool execution.
No credentials needed. Just craft the right webhook payload and your agent starts doing things.
The Bigger Pattern
Nine CVEs in four days sounds shocking. But zoom out.
The jgamblin/OpenClawCVEs tracker now lists 156 total security advisories. 128 are still awaiting CVE assignment. March alone saw 70+ disclosures.
This isn't a blip. It's a trend.
OpenClaw is the fastest-growing open-source AI project in GitHub history. 140,000+ stars. That kind of adoption puts a giant target on the project. Every security researcher in the world is poking at it.
And they're finding things.
Why This Keeps Happening
Three reasons.
Speed over security. OpenClaw ships fast. New features weekly. That velocity is why people love it. It's also why vulnerabilities slip through. Every new feature is a new attack surface.
Agent architecture is new territory. Traditional web apps have decades of security patterns. Agents that execute code, call APIs, and manage sessions? The security playbook doesn't exist yet. Teams are writing it as they go.
Community contributions at scale. Open source means anyone can contribute. That's powerful. It also means the security review bottleneck is real. More code, more surface area, same number of reviewers.
What the Community Is Saying
Hacker News didn't mince words. The top post — "OpenClaw is a security nightmare dressed up as a daydream" — pulled 396 points and 295 comments.
One commenter wrote: "I wonder just how many are compromised and waiting on a command that hasn't been given yet."
On X, @botnewsnetwork called it out: "Seven CVEs on a single Sunday. March: 70+."
The sentiment is shifting from excitement to concern. People still want to use OpenClaw. They're just not sure they can do it safely.
What This Means for You
If you're running OpenClaw in production right now, here's the reality:
You need to patch constantly. Every release might contain a security fix. Miss one and you're exposed. The March 18-21 batch alone required immediate action on nine separate issues.
Your approval system might not work. CVE-2026-32978 showed that the approval mechanism — the thing that's supposed to keep agents in check — had a fundamental flaw. Even if it's patched, the pattern should make you question what other trust assumptions are baked in.
Sandboxing isn't guaranteed. The 9.9-rated sandbox escape means containment failed at the most critical layer. If you're relying on sandboxing to keep agents separated, you need to verify your version isn't vulnerable.
What You Should Do
Update immediately. If you're not on the latest release, you're running with known vulnerabilities. The CVEs are public. The exploits are documented. Attackers read CVE databases too.
Don't rely on a single layer. Approval systems, sandboxing, access control — each one has had a CVE this month. Defense in depth isn't optional. It's the only strategy that survives contact with reality.
Consider managed infrastructure. Clawctl patches automatically. When CVE-2026-32918 dropped, managed instances were updated within hours — not days, not "whenever the team gets to it." The sandbox escape never had a window to exploit.
Monitor your agents. If you can't answer "what did my agent do in the last 24 hours?" you have a visibility problem on top of a vulnerability problem.
Nine CVEs. Four days. One scored 9.9. The vulnerability velocity isn't slowing down. Your patching cadence needs to match it — or you need infrastructure that handles it for you.