When security researchers at OASIS Security, Koi Security, and SecurityScorecard began pulling at threads in early February 2026, what they found was worse than a single bug. The OpenClaw open-source AI agent platform had a cascade of problems: a one-click remote code execution vulnerability, tens of thousands of misconfigured instances exposed to the internet, and a marketplace for agent skills that had been quietly seeded with malware. Taken together, it paints one of the most complete pictures yet of what goes wrong when agentic AI platforms grow faster than their security posture.
This isn’t a theoretical risk. OpenClaw agents run with full system access — file operations, shell execution, OAuth token handling. A compromised instance doesn’t just leak data; it hands an attacker the keys to everything the agent can touch.
The One-Click RCE That Started It All #
CVE-2026-25253 carries a CVSS score of 8.8, and the attack is embarrassingly simple. OpenClaw’s Control UI accepts a gatewayUrl parameter without restriction, and its WebSocket connections perform no origin validation. That combination means an attacker can host a webpage containing JavaScript that connects to a victim’s locally running OpenClaw instance — typically at ws://localhost:18789 — and silently exfiltrates the authentication token.
Here’s what makes this particularly dangerous: WebSocket connections aren’t subject to the same cross-origin resource sharing (CORS) protections that guard HTTP requests. Browsers enforce CORS on fetch and XMLHttpRequest calls, but WebSocket handshakes sail right through. The OpenClaw developers apparently didn’t account for this, leaving the authentication token exposed to any webpage the user visits.
Once an attacker has that token, they have the same access the agent does. On most deployments, that means full shell execution, file system access, and the ability to read any credentials the agent has stored. According to SonicWall’s analysis, the entire chain — from victim clicking a link to attacker achieving remote code execution — requires no user interaction beyond that initial click.
A patch landed in version 2026.1.29, released shortly before public disclosure on February 3, 2026. But patching only helps the instances that get updated.
40,000 Instances, Most of Them Sitting Ducks #
Internet scanning revealed 40,214 OpenClaw instances directly reachable from the public internet as of February 2026. The numbers vary by source — SecurityScorecard flagged 35.4% of deployments as vulnerable, while Infosecurity Magazine put the figure at 63%. Even the conservative estimate means roughly 14,000 machines were one malicious link away from full compromise. The higher figure pushes that past 25,000.
The default configuration is part of the problem. OpenClaw ships in a state that works out of the box but isn’t hardened for production. Security teams dealing with this should recognize the pattern: it’s the same dynamic that plagued Elasticsearch, MongoDB, and Redis deployments years ago. Convenience defaults optimized for developer experience get pushed to production without anyone tightening the configuration.
What makes OpenClaw worse than an exposed database is the blast radius of a compromised AI agent. A leaked Elasticsearch cluster exposes data. A compromised OpenClaw instance exposes data and provides an execution environment — the attacker doesn’t need to establish persistence or move laterally, because the agent already has the access and the tools to act on their behalf. This dynamic mirrors what we covered in our look at AI agent hijacking attacks, where autonomous systems become force multipliers for attackers.
The shadow IT angle compounds everything. According to Barracuda Networks, employees are connecting OpenClaw instances to corporate SaaS applications, creating lateral movement paths through OAuth tokens that security teams don’t even know exist. There’s no centralized kill switch — no way for an organization to discover and shut down every OpenClaw instance running across its environment.
ClawHub: When the Marketplace Becomes the Attack Surface #
The skill marketplace is where the OpenClaw crisis goes from a patching problem to a supply chain problem.
ClawHub, OpenClaw’s official marketplace for agent skills, had accumulated 2,857 skills by early February 2026. When Koi Security and Trend Micro audited the catalog, they found 341 of those skills were malicious — about 12% of the entire marketplace. Of those, 335 were linked to a single coordinated campaign that researchers named ClawHavoc.
The scale grew fast. As the marketplace expanded past 10,700 skills by mid-February, the number of identified malicious entries climbed to 824 across roughly 25 distinct attack types. The techniques ranged from credential-stealing keyloggers to a variant of the Atomic macOS Stealer (AMOS) distributed through innocent-looking skills. Some skills performed their advertised function while quietly running malicious payloads in the background — the classic trojanized package approach that’s been so effective in supply chain attacks on package registries.
This is the fundamental tension with agent skill marketplaces: they’re designed to extend what an AI agent can do, which necessarily means granting third-party code access to the agent’s capabilities. And OpenClaw agents run with high privileges by default. A skill that asks for file system access or shell execution isn’t raising red flags — those are standard agent operations.
Why Traditional Vetting Falls Short #
App store-style review processes catch obvious malware, but the ClawHavoc campaign demonstrated more sophisticated evasion. Some malicious skills used prompt injection techniques to manipulate the agent’s behavior without containing overtly suspicious code. Others leveraged OpenClaw’s persistent memory feature to maintain a foothold across sessions — the skill writes instructions into the agent’s memory during the first run, and those instructions execute on subsequent interactions even after the skill is removed.
This is a genuinely new attack surface. Traditional code review looks for malicious functions, shellcode, and suspicious network calls. When the attack vector is a natural language instruction planted in an agent’s memory, static analysis tools won’t flag it. For a deeper look at how prompt manipulation creates execution paths in AI systems, our piece on prompt injection attacks covers the underlying mechanics.
The Full CVE Roster #
CVE-2026-25253 grabbed the headlines, but it’s one of at least five CVEs disclosed in the same window:
- CVE-2026-25253 — Authentication token leakage via malicious gateway (CVSS 8.8)
- CVE-2026-24763 — Command injection
- CVE-2026-26322 — Server-side request forgery (SSRF)
- CVE-2026-26329 — Path traversal / local file exposure
- CVE-2026-30741 — Prompt injection-driven code execution
That last one deserves attention. CVE-2026-30741 represents a class of vulnerability specific to agentic AI: an attacker crafts input that tricks the agent into executing code through its normal tool-use capabilities. It’s not a buffer overflow or an injection into a query language — it’s the AI being manipulated into voluntarily running malicious commands.
The cluster of CVEs suggests that OpenClaw’s security received limited attention during its rapid growth phase. Five distinct vulnerability classes in a single disclosure cycle points to systemic issues, not isolated mistakes.
What Organizations Should Do Now #
Responding to the OpenClaw situation requires action on multiple fronts, and the urgency depends on whether you’re running OpenClaw intentionally or whether it showed up in your environment without approval.
Inventory first. Scan for OpenClaw instances across your network. Look for the default port (18789) and the WebSocket traffic patterns associated with the Control UI. Don’t assume IT provisioned every instance — the shadow AI problem means developers and business users may have deployed agents without going through official channels.
Patch or isolate. Every instance running a version prior to 2026.1.29 needs to be updated or taken offline. If you can’t patch immediately, restrict network access so the instance isn’t reachable from the internet and block outbound WebSocket connections from untrusted origins.
Audit installed skills. Review every skill installed from ClawHub against the known indicators of compromise published by Koi Security and Trend Micro. Pay special attention to skills that request file system access, shell execution, or network permissions beyond what their stated function requires.
Inspect agent memory. The persistent memory exploitation technique used by ClawHavoc means removing a malicious skill isn’t enough. Check the agent’s stored memory for injected instructions or suspicious entries that could trigger malicious behavior in future sessions.
Restrict agent permissions. The principle of least privilege applies to AI agents just as much as it does to human user accounts. An agent that drafts emails doesn’t need shell access. An agent that summarizes documents doesn’t need to make network calls. OpenClaw’s default permission model is too permissive for production use.
Key Takeaways #
- CVE-2026-25253 enabled one-click remote code execution against OpenClaw instances through a WebSocket origin validation failure — a patch is available in version 2026.1.29, but thousands of instances remain unpatched.
- Over 40,000 internet-exposed OpenClaw instances were discovered, with between 35% and 63% assessed as vulnerable to remote exploitation depending on the methodology.
- The ClawHavoc campaign planted 824 malicious skills in the ClawHub marketplace, including credential stealers, keyloggers, and an AMOS variant — making it one of the largest coordinated supply chain attacks against an AI platform.
- Persistent memory exploitation allows malicious skills to maintain a foothold even after removal, creating a novel persistence mechanism specific to agentic AI.
- Five CVEs across distinct vulnerability classes suggest systemic security gaps in OpenClaw’s architecture, not isolated bugs.
- Shadow deployment of AI agents by employees creates attack surface that security teams can’t defend if they don’t know it exists — inventory is the first step.
Frequently Asked Questions #
What is the OpenClaw security vulnerability CVE-2026-25253? #
CVE-2026-25253 is a critical vulnerability (CVSS 8.8) in OpenClaw that allows one-click remote code execution. An attacker hosts a malicious webpage that, when visited by the victim, exploits missing WebSocket origin validation to steal the victim’s authentication token and gain full system access.
How many OpenClaw instances were exposed to the internet? #
Researchers found over 40,000 internet-facing OpenClaw instances as of February 2026. Of those, 63% were assessed as vulnerable to remote exploitation, putting roughly 25,000 machines at immediate risk of compromise.
What is the ClawHavoc campaign targeting OpenClaw? #
ClawHavoc is a coordinated attack campaign that planted hundreds of malicious skills in the ClawHub marketplace. An initial audit found 341 malicious entries out of 2,857 total skills, and that number climbed to 824 as the marketplace grew past 10,700 skills.
Sources & References #
- SonicWall — OpenClaw Auth Token Theft Leading to RCE — Technical analysis of CVE-2026-25253 attack chain and WebSocket exploitation
- NVD — CVE-2026-25253 — Official vulnerability listing with CVSS scoring and affected versions
- SOCRadar — CVE-2026-25253: 1-Click RCE in OpenClaw — Disclosure timeline and exploitation details
- Hunt.io — Hunting OpenClaw Exposures — Internet scanning data on exposed OpenClaw instances
- Barracuda Networks — OpenClaw Security Risks in Agentic AI — Analysis of shadow AI risks and enterprise exposure from OpenClaw deployments
- Sangfor — OpenClaw AI Agent Security Risks 2026 — ClawHub marketplace audit findings, ClawHavoc campaign details, and full CVE roster
