The OpenClaw Security Crisis Explained: CVEs, Exposed Instances, and Malicious Skills

Full Timeline: January to April 2026

The OpenClaw security crisis did not happen overnight. It was a cascading series of disclosures, attacks, and exposures that unfolded over three months, each event amplifying the severity of the last.

January 2026: Early warnings

Security researchers began flagging OpenClaw's default configuration as permissive. The gateway API shipped without authentication enabled by default. New deployments exposed their full agent control plane to the internet unless operators manually configured firewall rules and auth tokens. At this point, OpenClaw had roughly 180,000 GitHub stars and an estimated 40,000-60,000 active deployments worldwide.

February 2026: First CVE disclosures

The first batch of CVEs arrived in mid-February. CVE-2026-24763 (command injection) and CVE-2026-26322 (SSRF) were disclosed through responsible channels and patched within 48 hours. However, the patch adoption rate was low. According to SecurityWeek, fewer than 15% of active deployments applied the patches within the first two weeks.

March 2026: The avalanche

Late March saw 9 CVEs disclosed in a 4-day window, including the two most severe vulnerabilities in OpenClaw's history. Simultaneously, The Register published an investigation revealing the scale of exposed instances, and the ClawHavoc supply-chain attack was discovered on ClawHub.

April 2026: Cleanup and hardening

The OpenClaw maintainers released emergency patches, implemented mandatory gateway authentication in new installations, and began the ClawHub cleanup. The ecosystem is now in active recovery, but the damage to unpatched deployments continues.


The CVEs: What Was Disclosed

Six CVEs represent the most critical vulnerabilities. Each one is described below with its severity rating, attack vector, and current patch status.

CVE-2026-25253 — One-Click Remote Code Execution (CVSS 8.8)

This vulnerability allowed an attacker to execute arbitrary code on the host system by sending a specially crafted message through any connected channel (Telegram, WhatsApp, Slack). The attack required no authentication and could be triggered by a single message containing a malicious payload disguised as a normal user query.

The root cause was insufficient input sanitization in the tool execution pipeline. OpenClaw passed user input directly to shell commands in certain skill execution paths without escaping special characters.

Status: Patched in OpenClaw v3.24.1. All operators should verify they are running v3.24.1 or later.
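
The root cause described above, shown as an added example (not OpenClaw's code): a hypothetical skill runner that pastes message text into a shell command line, next to a version that passes the same text as a single argument with no shell. The function names, the `echo` stand-in command and the sample message are constructed for illustration, and a POSIX host is assumed.

```python
import re
import subprocess

def run_skill_vulnerable(user_text):
    """'Before' pattern: the message is pasted into a string that /bin/sh parses."""
    # Shell metacharacters in user_text (; | && $()) become shell syntax.
    cmd = f"echo searching: {user_text}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout

def run_skill_hardened(user_text):
    """'After' pattern: validate, then pass the message as one argv element."""
    if len(user_text) > 256 or re.search(r"[\x00-\x1f\x7f]", user_text):
        raise ValueError("message rejected: too long or contains control characters")
    # No shell is involved, so the message is data and is never re-parsed.
    argv = ["echo", "searching:", user_text]
    return subprocess.run(argv, capture_output=True, text=True,
                          check=True, timeout=5).stdout

# Constructed chat message with a harmless marker command appended.
SAMPLE_MESSAGE = "weather in Oslo; echo INJECTED"

if __name__ == "__main__":
    # Vulnerable form: the marker command runs as a second shell command.
    print(repr(run_skill_vulnerable(SAMPLE_MESSAGE)))
    # Hardened form: the whole message is echoed back as literal text.
    print(repr(run_skill_hardened(SAMPLE_MESSAGE)))
```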

CVE-2026-32922 — Privilege Escalation (CVSS 9.9)

This is the most severe vulnerability disclosed. An authenticated user with basic message permissions could escalate to full system-level access on the host machine. The CVSS score of 9.9 out of 10 reflects the combination of low attack complexity, no user interaction required, and complete compromise of confidentiality, integrity, and availability.

According to DigitalOcean's security team, this vulnerability was actively exploited in the wild within 72 hours of disclosure.

Status: Patched in OpenClaw v3.24.2. This is the single most important patch to apply.

CVE-2026-24763 — Command Injection

This vulnerability allowed injection of arbitrary system commands through the skill parameter parsing engine. An attacker could craft a skill invocation that broke out of the intended execution sandbox and ran commands directly on the host OS.

Status: Patched in OpenClaw v3.23.4.

CVE-2026-26322 — Server-Side Request Forgery (SSRF)

This vulnerability enabled attackers to make the OpenClaw instance send HTTP requests to internal network resources, potentially accessing cloud metadata endpoints, internal APIs, and services not exposed to the internet.

Status: Patched in OpenClaw v3.23.4.

CVE-2026-26329 — Path Traversal

This vulnerability allowed reading arbitrary files from the host filesystem through crafted skill file references. An attacker could read /etc/passwd, SSH keys, environment variables containing API keys, and any other file accessible to the OpenClaw process user.

Status: Patched in OpenClaw v3.24.0.

CVE-2026-30741 — Prompt Injection

This is a sophisticated prompt injection attack that could override OpenClaw's system instructions, disable safety controls, and redirect agent behavior. Unlike traditional prompt injection, this variant persisted across sessions by modifying the agent's memory files.

Status: Patched in OpenClaw v3.24.2 with additional prompt boundary enforcement.
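
The fixed-in versions listed above can be turned into a fleet check. This added example (not an OpenClaw tool) reports which of the six CVEs a given version string still leaves open; it assumes versions are plain `major.minor.patch` strings with an optional leading `v`, and the host names and inventory are constructed.

```python
import re

# Fixed-in versions exactly as stated in this article.
FIXED_IN = {
    "CVE-2026-24763": (3, 23, 4),
    "CVE-2026-26322": (3, 23, 4),
    "CVE-2026-26329": (3, 24, 0),
    "CVE-2026-25253": (3, 24, 1),
    "CVE-2026-32922": (3, 24, 2),
    "CVE-2026-30741": (3, 24, 2),
}

_RELEASE = re.compile(r"v?(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return (major, minor, patch), or None if text is not a plain release."""
    match = _RELEASE.fullmatch(text.strip())
    return tuple(int(part) for part in match.groups()) if match else None

def unpatched_cves(version_text):
    """CVEs from the article that this version does not yet fix."""
    version = parse_version(version_text)
    if version is None:
        # Fail closed: pre-release or unreadable strings count as unpatched.
        return sorted(FIXED_IN)
    # Tuple comparison is numeric, so 3.100.0 correctly sorts after 3.24.2.
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)

def audit_fleet(inventory):
    """Map host -> unpatched CVEs, listing only hosts that need an update."""
    report = {}
    for host, version_text in inventory.items():
        missing = unpatched_cves(version_text)
        if missing:
            report[host] = missing
    return report

# Constructed inventory: host name -> version string collected from that host.
INVENTORY = {"gw-a": "v3.24.2", "gw-b": "3.24.0",
             "gw-c": "v3.23.1", "gw-d": "3.24.2-rc1"}

if __name__ == "__main__":
    for host, cves in audit_fleet(INVENTORY).items():
        print(host, "still exposed to", ", ".join(cves))
```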


135,000 Exposed Instances

In parallel with the CVE disclosures, security researchers from ARMO conducted an internet-wide scan and identified 135,000 OpenClaw instances with their gateway ports directly exposed to the public internet across 82 countries.

These instances had no gateway authentication configured, meaning anyone on the internet could send commands to the OpenClaw agent, access its memory, read its connected email and calendar data, and execute skills — all without credentials.

Geographic distribution

The highest concentrations of exposed instances were found in:

The remaining instances were distributed across 77 other countries. The scan covered standard gateway ports (3000, 8080, 443) but did not account for non-standard port configurations, meaning the true number of exposed instances is likely higher.

Why so many were exposed

The root cause is OpenClaw's default configuration. Prior to v3.24.2, new installations did not require gateway authentication. The quickstart documentation focused on getting a working deployment as fast as possible, and security hardening was presented as an optional advanced step rather than a required part of installation.

For a tool to check whether your own deployment is exposed, see Is Your OpenClaw Exposed? Security Check Guide.


The ClawHavoc Attack on ClawHub

While the CVE disclosures exposed vulnerabilities in OpenClaw itself, the ClawHavoc campaign targeted the supply chain. Attackers uploaded 1,184+ malicious skills to ClawHub using typosquatted names designed to mimic popular legitimate skills.

How the attack worked

The malicious skills used names like daily-briefing-pro (mimicking daily-briefing), security-hardner (typo of security-hardener), and gmail-integation (missing letter). Each skill contained legitimate-looking functionality on the surface, but embedded hidden routines that:

  • Stole credentials: Extracted API keys, OAuth tokens, and environment variables and exfiltrated them to attacker-controlled servers
  • Exfiltrated data: Copied email contents, calendar data, and memory files to external endpoints
  • Mined cryptocurrency: Some variants installed background cryptocurrency mining processes that consumed CPU and increased hosting costs
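
The naming tricks described above can be caught mechanically when auditing installed skills. This added example (not ClawHub's or OpenClaw's tooling) flags names that are a small edit away from a trusted skill or that wrap a trusted name in an extra prefix or suffix. The trusted set is an assumed operator allowlist, and `gmail-integration` as the legitimate spelling is inferred from the article's "missing letter" remark.

```python
# Assumed operator allowlist of skills that are known and reviewed.
TRUSTED = {"daily-briefing", "security-hardener", "gmail-integration"}

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def classify(name, trusted=TRUSTED, max_distance=2):
    """Return (verdict, trusted_name_it_resembles_or_None)."""
    name = name.strip().lower()
    if name in trusted:
        return ("trusted", name)
    for good in sorted(trusted):
        # A trusted name with something bolted on, e.g. a "-pro" suffix.
        if name.startswith(good + "-") or name.endswith("-" + good):
            return ("decorated", good)
    for good in sorted(trusted):
        if edit_distance(name, good) <= max_distance:
            return ("typosquat", good)
    # "unrelated" only means no lookalike match; it is not a safety verdict.
    return ("unrelated", None)

def audit(installed):
    """Map each suspicious installed name to (verdict, resembled name)."""
    findings = {}
    for name in installed:
        verdict, target = classify(name)
        if verdict in ("typosquat", "decorated"):
            findings[name] = (verdict, target)
    return findings

# Constructed install list using the lookalike names quoted in the article.
INSTALLED = ["daily-briefing", "daily-briefing-pro", "security-hardner",
             "gmail-integation", "weather-report"]

if __name__ == "__main__":
    for name, (verdict, target) in audit(INSTALLED).items():
        print(f"{name}: {verdict} of {target}")
```

Short skill names produce more false positives at a distance of 2, so treat a hit as a prompt to read the skill's source rather than as proof of compromise.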

Scale of the compromise

At its peak, approximately 12% of all skills on ClawHub were identified as malicious or suspicious. The ClawHub team estimates that 8,400+ operators installed at least one malicious skill before the cleanup began.

For a detailed guide on auditing your installation for malicious skills, see the ClawHub Malicious Skills Audit Guide.


What to Do Right Now

If you are running OpenClaw in any capacity, take these steps immediately. They are listed in priority order.

Step 1: Update to the latest version

Run openclaw update or pull the latest Docker image. Verify you are running v3.24.2 or later, which contains patches for all disclosed CVEs. Check your version with openclaw --version.

Step 2: Enable gateway authentication

If your gateway does not require a token or password, configure authentication immediately. An exposed gateway without auth is equivalent to leaving your entire digital life accessible to anyone on the internet.

Step 3: Audit installed skills

Review every skill installed on your deployment. Check skill names against the published ClawHavoc list. Read the source code of any skill you did not write yourself. Remove anything suspicious. See the audit guide for the full process.

Step 4: Rotate all credentials

If you were running an unpatched or exposed instance, assume your API keys, OAuth tokens, and environment variables have been compromised. Rotate everything: LLM API keys, Gmail OAuth tokens, calendar credentials, and any other service credentials stored in your OpenClaw environment.

Step 5: Follow the 3-tier hardening framework

Apply the full 3-tier security hardening framework covering network security (firewalls, Tailscale), application security (auth, sandboxing, execution approvals), and operational security (monitoring, logging, alerting).


Lessons for the OpenClaw Ecosystem

The security crisis exposed three systemic issues in the OpenClaw ecosystem that operators should keep in mind going forward.

Defaults matter more than documentation

OpenClaw's security documentation was thorough, but the default configuration was permissive. When the default is insecure and hardening is optional, most users will run insecure deployments. The maintainers have acknowledged this and are shifting to secure-by-default configurations in future releases.

Supply-chain attacks target ecosystems, not just software

The ClawHavoc attack did not exploit any vulnerability in OpenClaw itself. It exploited the trust model of the ClawHub marketplace. When operators install skills without reviewing source code, the entire value of code signing and hash verification is bypassed.

Patch adoption must be faster

The 15% patch rate within two weeks of the February CVEs meant that 85% of deployments remained vulnerable when the March avalanche hit. The OpenClaw community needs better tooling for automatic updates or at minimum automatic security notifications.


Frequently Asked Questions

Is OpenClaw safe to use after the security crisis?

OpenClaw is safe to use if you update to the latest patched version, audit all installed skills against known malicious hashes, and follow the 3-tier security hardening framework. The CVEs disclosed in March-April 2026 have all been patched in subsequent releases. The risk comes from running outdated versions or installing unverified skills from ClawHub without reviewing source code.

How many OpenClaw instances were exposed to the internet?

Security researchers identified 135,000 OpenClaw instances exposed directly to the internet across 82 countries, according to reports from ARMO and DigitalOcean security teams. These instances had their gateway ports open without authentication, making them vulnerable to remote code execution via the disclosed CVEs. The actual number may be higher, as some instances use non-standard ports not covered by the scan.

What was the ClawHavoc attack on ClawHub?

ClawHavoc was a coordinated supply-chain attack that planted 1,184+ malicious skills on ClawHub using typosquatted names that mimicked popular legitimate skills. The malicious skills contained hidden credential theft routines, data exfiltration scripts, and in some cases cryptocurrency mining payloads. At its peak, approximately 12% of the ClawHub marketplace was compromised before the cleanup operation began.