AI Agent Security: OpenClaw-Specific — CVEs, Defaults, and What to Fix
Part 3 of the security series covering OpenClaw-specific vulnerabilities, exposure patterns, the ClawHub supply-chain issue, and the versions operators need to patch.
This is Part 3 of the AI agent security series. Part 1 covered the threat landscape. Part 2 covered practical hardening. Part 3 is about OpenClaw specifically — the known CVEs, the defaults that create risk, and the concrete version thresholds that matter.
TL;DR: OpenClaw has a compressed cluster of critical and high-severity CVEs. The minimum safe version is 2026.3.12. Key vulnerabilities include unauthenticated RCE via the voice extension, one-click token theft to full admin access, symlink traversal past workspace boundaries, and allowlist bypass. The ClawHub marketplace has documented malicious skills with credential-theft payloads. Check your running version now.
I use OpenClaw. This is not an outsider critique. It is a builder/operator view of what the platform enables, where the risk has shown up, and what needs to be fixed fast if you run it in production.
What vulnerabilities has OpenClaw disclosed?
OpenClaw has accumulated a compressed series of critical and high-severity vulnerabilities. Most were patched quickly. That matters — but only if you are actually running the patched version.
CVE-2026-28446 — Voice Extension Remote Code Execution
If you had the voice-call extension installed on versions before 2026.2.1, a remote unauthenticated attacker could execute arbitrary code on your host.
That is near-worst-case severity:
- no authentication required
- no user interaction required
- direct host impact
If voice features are enabled anywhere in your stack, this is the first version threshold to confirm.
CVE-2026-25253 — One-Click Token Theft to Full Admin Access
This is the kind of bug operators underestimate because it starts with something small: a link.
The disclosed attack chain starts with a malicious link that manipulates the gateway URL. One click causes the OpenClaw Control UI to connect back to an attacker-controlled server and leak the auth token. From there, the attacker can reach the gateway, disable approval prompts, escape intended containment, and gain administrative control.
The practical meaning is simple: if your token is exposed, your approvals and runtime protections are no longer trustworthy. Everything behind that token becomes reachable.
Patched in 2026.1.29.
CVE-2026-32013 — Symlink Traversal and the Workspace Boundary Problem
Many operators assume the workspace is a real security boundary. On vulnerable versions, that assumption breaks.
The underlying issue: file methods do not resolve symlinks before checking access. That means a file path inside the workspace can point outside the workspace and still be read or written through the agent tooling.
The plain-language version:
- an agent creates a symlink inside the workspace
- that symlink points to a sensitive host file
- the platform treats it like an in-workspace file
- the agent reads or writes it through normal file APIs
That is how a soft boundary turns into a host-level exposure.
Patched in 2026.2.25.
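The check that fails, next to the one that holds, as an added illustration that is not OpenClaw's code: a workspace test that only normalises paths versus one that resolves symlinks before comparing, run against a constructed temp directory where workspace/escape links to a file outside the workspace.

```python
import os
import tempfile
from pathlib import Path


def naive_in_workspace(workspace: str, requested: str) -> bool:
    """Weak check: normalises '..' segments but never resolves symlinks,
    so a link inside the workspace that points outside still passes."""
    ws = os.path.abspath(workspace)
    target = os.path.abspath(os.path.join(ws, requested))
    return target == ws or target.startswith(ws + os.sep)


def safe_in_workspace(workspace: str, requested: str) -> bool:
    """Hardened check: resolve symlinks on both sides, then require the
    resolved target to sit under the resolved workspace root.
    Caveat: the link can still be swapped between this check and the actual
    open (TOCTOU); pair it with O_NOFOLLOW / fstat on the opened descriptor."""
    ws = Path(workspace).resolve(strict=True)
    target = (ws / requested).resolve()  # non-strict: a not-yet-created file is fine
    try:
        target.relative_to(ws)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Constructed layout: <tmp>/workspace/escape -> <tmp>/secret.txt, i.e. a
    symlink inside the workspace pointing at a file outside it."""
    root = Path(tempfile.mkdtemp())
    ws = root / "workspace"
    ws.mkdir()
    secret = root / "secret.txt"
    secret.write_text("constructed host secret\n")
    (ws / "escape").symlink_to(secret)
    return {
        "naive_symlink": naive_in_workspace(str(ws), "escape"),        # True: boundary bypassed
        "safe_symlink": safe_in_workspace(str(ws), "escape"),          # False: blocked
        "naive_dotdot": naive_in_workspace(str(ws), "../secret.txt"),  # False: '..' alone is caught
        "safe_plain": safe_in_workspace(str(ws), "notes.md"),          # True: ordinary file allowed
    }


if __name__ == "__main__":
    print(demo())
```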
ClawJacked — Localhost Is Not a Safety Boundary
A lot of operators think localhost means safe. It does not.
The ClawJacked disclosure showed that a malicious webpage can open a WebSocket connection to localhost. If the local OpenClaw gateway is reachable there, browser-side JavaScript can interact with it in ways most operators never modeled.
That matters because people routinely:
- browse while local agent runtimes are active
- assume their browser origin protections cover localhost sockets
- assume local-only exposure is functionally private
It is not.
A companion issue allowed prompt-injection-style log poisoning through exposed logging paths. That turns your own logs into a control surface.
Patched in the 2026.2.x line, with the major local exploit chain addressed by 2026.2.25.
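The gateway-side control that closes the browser-to-localhost path is an Origin check on the WebSocket upgrade, since a browser always attaches the page's Origin and a cross-site page cannot suppress it. This is an added example, not OpenClaw's implementation; the port, allowed origins and bearer token are constructed values.

```python
import hmac
from typing import Dict, Tuple

# Constructed values: the origins the gateway's own Control UI is served from,
# and the bearer token a legitimate client must present. Not OpenClaw's real config.
ALLOWED_ORIGINS = {"http://localhost:18789", "http://127.0.0.1:18789"}
GATEWAY_TOKEN = "constructed-gateway-token"


def parse_upgrade_request(raw: str) -> Dict[str, str]:
    """Split an HTTP/1.1 request head into lower-cased header name -> value,
    keeping the request line under the ':request' key."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    headers = {":request": lines[0]}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def upgrade_decision(raw: str) -> Tuple[bool, str]:
    """Decide whether to accept a WebSocket upgrade. A present-but-unlisted
    Origin is refused before any token is considered; a request with no Origin
    (non-browser client) still has to present the correct token."""
    h = parse_upgrade_request(raw)
    if h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, f"origin not allowed: {origin}"
    auth = h.get("authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not hmac.compare_digest(token, GATEWAY_TOKEN):
        return False, "missing or bad token"
    return True, "accepted"


# Constructed requests: a cross-site page, the real Control UI, and a local CLI.
FROM_WEBPAGE = ("GET /ws HTTP/1.1\r\nHost: localhost:18789\r\nUpgrade: websocket\r\n"
                "Connection: Upgrade\r\nOrigin: https://attacker.example\r\n\r\n")
FROM_CONTROL_UI = ("GET /ws HTTP/1.1\r\nHost: localhost:18789\r\nUpgrade: websocket\r\n"
                   "Connection: Upgrade\r\nOrigin: http://localhost:18789\r\n"
                   "Authorization: Bearer constructed-gateway-token\r\n\r\n")
FROM_CLI_BAD_TOKEN = ("GET /ws HTTP/1.1\r\nHost: localhost:18789\r\nUpgrade: websocket\r\n"
                      "Connection: Upgrade\r\nAuthorization: Bearer wrong\r\n\r\n")
```

The Origin check covers the inbound browser-to-gateway direction only; the one-click token leak above is a client-side issue (the Control UI trusting a supplied gateway URL) and needs its own fix.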
CVE-2026-28460 — Allowlist Bypass
This is the dangerous kind of bug because it undermines a control operators believe is protecting them.
If you set an allowlist of permitted commands, you are making an architectural decision about runtime safety. A bypass means the policy exists, but the enforcement boundary is weaker than you think.
On affected versions, this CVE allowed shell line-continuation tricks inside command arguments to bypass the allowlist check.
Translation: the control was present, but the attack surface still leaked through it.
Patched in 2026.2.22.
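What an allowlist has to do to actually hold, as an added example that is not OpenClaw's code: the weak checker below is a constructed stand-in for the same class of defect (the page does not describe the exact parsing flaw), and the hardened version rejects shell metacharacters including backslash and newline, tokenises with shlex, and executes argv without a shell.

```python
import shlex
import subprocess
from typing import List, Optional

ALLOWED = {"ls", "cat", "git"}  # constructed allowlist
# Any of these hands control to a shell parser instead of the program in argv[0].
# Backslash and newline are included because that is where line-continuation lives.
SHELL_META = set(";|&$`<>(){}\n\r\\")


def naive_allowed(command: str) -> bool:
    """Constructed stand-in for a weak check: inspects only the first word of
    the first line, so a continuation onto a second line is never seen."""
    first_line = command.splitlines()[0] if command else ""
    tokens = first_line.split()
    return bool(tokens) and tokens[0] in ALLOWED


def hardened_argv(command: str) -> Optional[List[str]]:
    """Return an argv list if the command passes, else None. Rejects shell
    metacharacters outright, tokenises with shlex, and checks the bare program
    name (so '/bin/ls' is refused as well as 'id')."""
    if any(ch in SHELL_META for ch in command):
        return None
    try:
        argv = shlex.split(command, posix=True)
    except ValueError:  # unbalanced quotes
        return None
    if not argv or argv[0] not in ALLOWED:
        return None
    return argv


def run_allowlisted(command: str) -> subprocess.CompletedProcess:
    """Execute without a shell: argv goes straight to exec, so nothing in the
    arguments can be reinterpreted as a second command."""
    argv = hardened_argv(command)
    if argv is None:
        raise PermissionError(f"command refused by allowlist: {command!r}")
    return subprocess.run(argv, shell=False, capture_output=True, text=True, timeout=10)


if __name__ == "__main__":
    probe = "ls \\\n; id"  # first line 'ls \', second line a different program
    print("naive:", naive_allowed(probe), "hardened:", hardened_argv(probe))
```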
Are ClawHub skills safe to install?
This is the other major OpenClaw-specific risk surface: extensions and skills.
Security reporting found a large cluster of malicious skills in the broader ClawHub ecosystem, including credential-theft payloads. The important point is not the exact count. The important point is that a marketplace entry can become untrusted code execution with the same credentials and tool access your agent already has.
That means a malicious skill is not just a bad plugin. It is a privileged execution path.
Treat every skill install as if you are granting:
- file access
- credential-adjacent execution
- workflow influence
- persistence inside your agent environment
Because in effect, you are.
How many OpenClaw instances are exposed?
The raw numbers matter because they change the threat model.
OpenClaw has been measured at internet scale:
- tens of thousands of publicly exposed instances
- thousands confirmed vulnerable to remote code execution in disclosed windows
- the majority running on cloud providers, not isolated hobby setups
At that size, you are no longer dealing with obscure edge-case risk. You are dealing with a platform that attackers can scan for systematically.
This is why government advisories and enterprise restrictions started showing up. Once exposure becomes measurable at scale, response shifts from community concern to institutional concern.
What version should I be running?
If you are operating OpenClaw in production, the practical baseline is straightforward:
- 2026.3.12 or newer is the safer floor for the full documented cluster
- 2026.2.25 minimum if you are checking for coverage across the major critical issues in the 2026.2.x line
Anything older deserves scrutiny immediately.
Do not rely on memory for this. Check the running version. Check the managed image version. Check the actual deployed runtime.
Managed does not automatically mean patched.
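A version-threshold check that turns the floors listed in this article into a runbook step, added here as an example (not an OpenClaw tool): it parses the calendar-style version as integers, which matters because string comparison sorts 2026.10.x below 2026.3.x, and reports which of the issues above a given build is still exposed to. Feed it the version string read from the actual deployed runtime.

```python
from typing import List, Tuple

# Patch thresholds as stated in this article; running == floor counts as patched.
PATCH_FLOORS = [
    ("CVE-2026-25253 one-click token theft", "2026.1.29"),
    ("CVE-2026-28446 voice extension RCE", "2026.2.1"),
    ("CVE-2026-28460 allowlist bypass", "2026.2.22"),
    ("CVE-2026-32013 symlink traversal", "2026.2.25"),
    ("ClawJacked local exploit chain", "2026.2.25"),
]
SAFE_FLOOR = "2026.3.12"


def parse_version(v: str) -> Tuple[int, int, int]:
    """Turn 'v2026.2.25' or '2026.2.25-beta.1' into (2026, 2, 25). Pre-release
    suffixes are dropped (treated as the base release), a deliberate simplification."""
    core = v.strip().lstrip("v").split("-", 1)[0].split("+", 1)[0]
    parts = core.split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {v!r}")
    return int(parts[0]), int(parts[1]), int(parts[2])


def unpatched_issues(running: str) -> List[str]:
    """Issues from the table whose fix version is newer than the running build."""
    rv = parse_version(running)
    return [name for name, floor in PATCH_FLOORS if rv < parse_version(floor)]


def meets_safe_floor(running: str) -> bool:
    return parse_version(running) >= parse_version(SAFE_FLOOR)


def report(running: str) -> str:
    """Human-readable summary for an operator runbook."""
    status = "OK" if meets_safe_floor(running) else "UPDATE"
    lines = [f"{running}: {status} (safe floor {SAFE_FLOOR})"]
    lines += [f"  still exposed: {name}" for name in unpatched_issues(running)]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample inputs; replace with the version read from the deployed runtime.
    for v in ("2026.1.15", "2026.2.20", "v2026.3.12"):
        print(report(v))
```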
Key Takeaways
- The minimum safe OpenClaw version is 2026.3.12 as of March 2026
- CVE-2026-28446 allows unauthenticated remote code execution via the voice extension on versions before 2026.2.1
- Workspace boundaries can be bypassed via symlink traversal on versions before 2026.2.25
- ClawHub marketplace skills execute with full agent permissions — treat every install as a trust decision
- Localhost is not a security boundary — the ClawJacked disclosure demonstrated browser-to-gateway WebSocket attacks
What Builders Should Actually Do
If you are building on OpenClaw right now:
- Pin versions and update intentionally. Fast-moving platforms create moving risk surfaces.
- Audit every installed skill. Marketplace convenience is not a security review.
- Apply the Part 2 controls anyway. Per-agent credentials, scoped keys, tool allowlists, subagent restrictions, and monitoring still reduce blast radius even when a new CVE lands.
- Stop trusting assumptions. Localhost is not automatically safe. Workspace is not automatically isolated. Allowlists are not automatically sufficient. Boundaries need verification, not intuition.
- Watch the compliance direction. NIST and adjacent policy work on agentic systems signals where formal security expectations are heading.
The Bottom Line
OpenClaw is worth building on. It is also a platform that now has a real enough security history that builders need to operate it like infrastructure, not like a toy.
That means:
- version discipline
- supply-chain skepticism
- scoped permissions
- monitoring
- explicit blast-radius control
The platform can be powerful and still require hard operational discipline. In production, both statements are true at the same time.