
OpenClaw Security — CVEs, Hardening, and Version Guidance

OpenClaw is a powerful platform for deploying AI agents. It is also a platform with a real security history that operators need to take seriously. This page tracks known vulnerabilities, provides a hardening checklist, and documents the version thresholds that matter.

This is maintained by an operator who runs OpenClaw in production daily — not a security vendor selling fear.

Current safe version floor

2026.3.12 or newer covers the full documented vulnerability cluster through March 2026. If you are running anything older, check the CVE list below and update.

Do not rely on memory. Check the running version: look at the gateway process, the systemd service, or the Control UI version display. Managed hosting does not automatically mean patched.
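Once you have read the version string from the process, service or Control UI, compare it numerically rather than by eye or by string comparison ("2026.3.9" sorts after "2026.3.12" as text). The helper below is an added example, not OpenClaw code; it encodes this page's "Patched in" versions (ClawJacked uses 2026.2.25, the release the page names for the major chain; the ClawHub supply-chain entry has no version fix and is omitted) and reports which issues a given running version still leaves open.

```python
# Added example: check a running OpenClaw version against this page's CVE table.
# Versions are taken from the tracker on this page; nothing else is assumed.
PATCHED_IN = {
    "CVE-2026-28446 voice extension RCE": "2026.2.1",
    "CVE-2026-25253 one-click token theft": "2026.1.29",
    "CVE-2026-32013 symlink traversal": "2026.2.25",
    "CVE-2026-28460 allowlist bypass": "2026.2.22",
    "ClawJacked localhost WebSocket": "2026.2.25",   # release addressing the major chain
}
SAFE_FLOOR = "2026.3.12"


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '2026.3.12' into (2026, 3, 12).

    Anything that is not dot-separated integers is rejected so that a
    garbled or partial reading can never be mistaken for 'new enough'.
    """
    parts = v.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(p) for p in parts)


def meets_floor(running: str) -> bool:
    """True when the running version is at or above the documented safe floor."""
    return parse_version(running) >= parse_version(SAFE_FLOOR)


def unpatched_issues(running: str) -> list[str]:
    """List every tracked issue whose fix release is newer than `running`.

    Tuple comparison is element-wise and numeric, so 2026.3.9 < 2026.3.12
    comes out right where a plain string comparison would not.
    """
    rv = parse_version(running)
    return [name for name, fixed in PATCHED_IN.items() if rv < parse_version(fixed)]


if __name__ == "__main__":
    import sys
    # Usage: python check_version.py 2026.2.23   (value read from the gateway process)
    v = sys.argv[1] if len(sys.argv) > 1 else "2026.2.23"
    print(f"{v}: meets floor {SAFE_FLOOR}? {meets_floor(v)}")
    for issue in unpatched_issues(v):
        print(f"  UNPATCHED: {issue}")
```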

Known CVE tracker

CVE-2026-28446 — Voice Extension Remote Code Execution

  • Severity: Critical
  • Impact: Unauthenticated remote code execution on the host
  • Condition: Voice-call extension installed
  • Patched in: 2026.2.1
  • Action: Update or remove the voice extension immediately

CVE-2026-25253 — One-Click Token Theft to Full Admin Access

  • Severity: Critical
  • Impact: Malicious URL leaks auth token, attacker gains full gateway control, can disable approval prompts
  • Condition: User clicks a crafted link while Control UI is active
  • Patched in: 2026.1.29
  • Action: Update and rotate gateway auth tokens

CVE-2026-32013 — Symlink Traversal Past Workspace Boundary

  • Severity: High
  • Impact: Agent creates symlink inside workspace pointing to sensitive host files; platform treats it as in-workspace
  • Condition: Agent has file write access (most agents do)
  • Patched in: 2026.2.25
  • Action: Update; audit workspace directories for unexpected symlinks
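The audit step above can be scripted. The following is an added example (not part of OpenClaw or this page's original content) that walks a workspace without following links, resolves every symlink it finds, and reports those whose real target lies outside the workspace root, plus dangling or looping links whose target cannot be verified. The demo workspace it builds under a temp directory is constructed sample data; the file names in it are placeholders.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(workspace: str) -> dict[str, str]:
    """Map each suspicious symlink in `workspace` to its resolved target.

    A link is reported when its fully resolved target is not the workspace
    root or a descendant of it. Dangling and looping links are reported too,
    since their eventual target cannot be checked.
    """
    root = Path(workspace).resolve()
    findings: dict[str, str] = {}
    # followlinks=False: symlinked directories are listed but never descended into
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            try:
                target = p.resolve(strict=True)
            except (OSError, RuntimeError):
                findings[str(p)] = "<dangling or looping link>"
                continue
            if target != root and root not in target.parents:
                findings[str(p)] = str(target)
    return findings


def build_demo_workspace() -> str:
    """Construct a throwaway workspace: one benign link, one escaping link,
    one dangling link. Returns the workspace path (constructed sample data)."""
    base = Path(tempfile.mkdtemp(prefix="openclaw-symlink-audit-"))
    ws = base / "workspace"
    (ws / "notes").mkdir(parents=True)
    (ws / "notes" / "draft.md").write_text("draft\n")
    outside = base / "secrets.env"               # stands in for a sensitive host file
    outside.write_text("API_KEY=constructed-placeholder\n")
    os.symlink(ws / "notes" / "draft.md", ws / "draft-link.md")  # stays inside: fine
    os.symlink(outside, ws / "notes" / "config.env")             # escapes the workspace
    os.symlink(ws / "missing", ws / "broken")                    # dangling
    return str(ws)


def audit_demo() -> dict[str, str]:
    """Run the audit over the constructed workspace, keyed by link basename."""
    hits = find_escaping_symlinks(build_demo_workspace())
    return {os.path.basename(link): target for link, target in hits.items()}


if __name__ == "__main__":
    for link, target in audit_demo().items():
        print(f"FLAG {link} -> {target}")
```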

CVE-2026-28460 — Allowlist Bypass via Shell Line Continuation

  • Severity: High
  • Impact: Command allowlist enforcement bypassed through argument tricks such as shell line continuation
  • Condition: Allowlist-based command restrictions in use
  • Patched in: 2026.2.22
  • Action: Update; do not rely solely on allowlists for security

ClawJacked — Localhost WebSocket Exposure

  • Severity: High
  • Impact: Malicious webpage opens WebSocket to localhost gateway; browser-side JavaScript interacts with agent runtime
  • Condition: Gateway running on localhost while operator browses the web
  • Patched in: 2026.2.x line (major chain addressed by 2026.2.25)
  • Action: Update; do not assume localhost means safe

ClawHub Supply Chain — Malicious Skills

  • Severity: Variable (depends on installed skills)
  • Impact: Credential theft, data exfiltration, workflow manipulation through marketplace-installed skills
  • Condition: Any skill installed from ClawHub without source review
  • Patched in: Ongoing (platform-level improvements in progress; operator diligence required)
  • Action: Audit every installed skill; review source code before installing; treat skill installs as granting full agent-level permissions

Hardening checklist

This is the minimum security configuration for any OpenClaw deployment running in production.

Platform level

  • Running version 2026.3.12 or newer
  • Gateway not exposed to public internet (bind to localhost or private network)
  • Auth tokens rotated after any suspected exposure
  • Approval prompts enabled for destructive actions
  • All installed skills audited — source reviewed, permissions understood

Per-agent level

  • Each agent has its own API keys and credentials (no shared keys)
  • Tool access scoped to function (content agents cannot access payment tools, payment agents cannot access publishing tools)
  • File access limited to designated workspace directories
  • Subagent spawning restricted to explicitly configured agent pairs
  • Command allowlists in place where shell access is needed (with awareness of CVE-2026-28460 bypass history)

Monitoring level

  • All external actions logged (API calls, emails, file writes, deployments)
  • Cron jobs monitored for silent failures (check for absence of output, not just presence of errors)
  • Session files retained for post-incident analysis
  • Alert on unexpected tool usage or out-of-scope actions
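The per-agent tool scoping from the checklist and the "alert on out-of-scope actions" item combine into a simple detection rule: every tool call in the action log must be in its agent's configured scope, and an agent with no configured scope is itself an alert. The block below is an added example, not OpenClaw's own logging format; the agent names, tool names, JSON field names and log lines are all constructed for illustration.

```python
import json

# Hypothetical per-agent tool scopes, following the checklist: the content agent
# gets no payment tools and the payment agent gets no publishing tools.
TOOL_SCOPE = {
    "content-writer": {"web_search", "draft_post", "read_file", "write_file"},
    "billing-bot": {"stripe_charge", "stripe_refund", "read_file"},
}

# Constructed sample action log, one JSON object per line (field names assumed).
SAMPLE_LOG = """\
{"ts":"2026-03-14T09:01:02Z","agent":"content-writer","event":"tool_call","tool":"web_search","args":{"q":"q1 launch"}}
{"ts":"2026-03-14T09:01:09Z","agent":"content-writer","event":"tool_call","tool":"write_file","args":{"path":"drafts/post.md"}}
{"ts":"2026-03-14T09:02:31Z","agent":"content-writer","event":"tool_call","tool":"stripe_refund","args":{"amount":4900}}
{"ts":"2026-03-14T09:03:00Z","agent":"billing-bot","event":"tool_call","tool":"stripe_charge","args":{"amount":1200}}
{"ts":"2026-03-14T09:03:05Z","agent":"billing-bot","event":"tool_call","tool":"draft_post","args":{"title":"refund notice"}}
{"ts":"2026-03-14T09:04:00Z","agent":"intern-agent","event":"tool_call","tool":"read_file","args":{"path":"a.txt"}}
{"ts":"2026-03-14T09:04:10Z","agent":"billing-bot","event":"message","text":"done"}
"""


def find_out_of_scope(log_text: str, scope: dict[str, set[str]]) -> list[dict]:
    """Return one alert per tool call that falls outside its agent's scope.

    Default deny: a tool_call from an agent with no scope entry is an alert,
    and a line that does not parse is an alert too, since a detection that
    silently skips malformed input is exactly the blind spot the checklist warns about.
    """
    alerts = []
    for lineno, raw in enumerate(log_text.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            alerts.append({"line": lineno, "agent": None, "tool": None, "reason": "unparseable log line"})
            continue
        if ev.get("event") != "tool_call":
            continue                       # messages, heartbeats etc. are not actions
        agent, tool = ev.get("agent"), ev.get("tool")
        if agent not in scope:
            reason = "unknown agent (no scope configured)"
        elif tool not in scope[agent]:
            reason = "tool outside agent scope"
        else:
            continue
        alerts.append({"line": lineno, "agent": agent, "tool": tool, "reason": reason})
    return alerts


if __name__ == "__main__":
    for a in find_out_of_scope(SAMPLE_LOG, TOOL_SCOPE):
        print(f"ALERT line {a['line']}: {a['agent']} called {a['tool']} ({a['reason']})")
```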

Credential management

  • Per-agent credential isolation (separate OAuth tokens, API keys, service accounts)
  • Credential rotation on a defined schedule
  • Decommissioned agents have all credentials revoked
  • No admin-level credentials granted to agents that do not require them

Common mistakes operators make

Assuming localhost is safe. ClawJacked proved it is not. If your gateway listens on localhost and you browse the web on the same machine, you have an attack surface.

Trusting the workspace boundary. CVE-2026-32013 showed that symlinks bypass workspace path checks. The workspace is a convenience boundary, not a security boundary, on unpatched versions.

Installing skills without reviewing source. ClawHub skills execute with your agent's full permissions. A malicious skill is not a bad plugin — it is a privileged execution path inside your system.

Running allowlists as your only defense. CVE-2026-28460 demonstrated that allowlist enforcement can be bypassed. Allowlists are a useful layer, not a sufficient one.

Granting admin access “for now.” There is no temporary in production. Permissions granted today persist until someone explicitly revokes them — and in most deployments, nobody does.

Not checking the actual running version. Operators frequently believe they are running a newer version than they actually are. Check the process, not the download folder.

Further reading

This page is maintained by Andres at One Man Ops. CVE entries are added within 48 hours of public disclosure. Last updated: March 2026.
