Two new CVEs targeting OpenClaw were published on March 19, less than 24 hours after four other CVEs hit the framework in a single day. Combined with a Kaspersky audit that found 512 security issues across the OpenClaw codebase, the disclosures paint a picture of a framework whose adoption has far outpaced its security hardening.

The New CVEs

CVE-2026-32013 targets a symlink traversal vulnerability in OpenClaw’s agents.files.get and agents.files.set methods. An attacker can exploit symlinked allowlisted files to read and write arbitrary files on the host system, within the permissions of the gateway process. The CVSS v3.1 score is 8.8 (HIGH), with network attack vector, low complexity, and low privileges required. RedPacket Security’s assessment: “priority 1” for patching.
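The defensive pattern that closes this class of bug is to resolve the full path (every component, not just the final one) before checking it against the allowlisted root, and then to open the final component with O_NOFOLLOW so a link swapped in after the check is refused. The following is an added illustration written for this article, not OpenClaw's own code; the workspace layout, the file names and the `read_allowlisted` helper are constructed assumptions.

```python
import os
import tempfile


def resolve_allowlisted(root: str, relative: str) -> str:
    """Return the real path of `relative` under `root`, or raise if it escapes.

    realpath() resolves symlinks in every path component, so the containment
    check runs on where the file actually lives, not on the allowlisted name.
    """
    real_root = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(real_root, relative))
    if os.path.commonpath([real_root, candidate]) != real_root:
        raise PermissionError(f"{relative!r} resolves outside the allowlisted root")
    return candidate


def read_allowlisted(root: str, relative: str) -> bytes:
    """Read an allowlisted file without following a symlink on the final component."""
    path = resolve_allowlisted(root, relative)
    # O_NOFOLLOW narrows the check-then-open race: if the final component has been
    # replaced by a symlink since realpath() ran, open() fails instead of following it.
    nofollow = getattr(os, "O_NOFOLLOW", 0)  # 0 on platforms without the flag
    fd = os.open(path, os.O_RDONLY | nofollow)
    with os.fdopen(fd, "rb") as f:
        return f.read()


def demo() -> dict:
    """Constructed scenario: a workspace with one real file and one symlink that
    points at a file outside the workspace. Returns the outcome of each read."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as ws:
        secret = os.path.join(outside, "secret.txt")
        with open(secret, "w") as f:
            f.write("outside-secret")
        with open(os.path.join(ws, "notes.txt"), "w") as f:
            f.write("inside-ok")
        # Allowlisted-looking name whose target lives outside the workspace.
        os.symlink(secret, os.path.join(ws, "notes-link.txt"))

        results = {"plain": read_allowlisted(ws, "notes.txt").decode()}
        for label, rel in [
            ("symlink", "notes-link.txt"),
            ("dotdot", os.path.join("..", os.path.basename(outside), "secret.txt")),
        ]:
            try:
                read_allowlisted(ws, rel)
                results[label] = "followed"
            except PermissionError:
                results[label] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```

The containment test compares resolved paths with `os.path.commonpath` rather than a string prefix, so a sibling directory whose name merely starts with the root's name (for example `workspace2` beside `workspace`) is not mistaken for a child of it.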

CVE-2026-32014 addresses a metadata spoofing vulnerability in device authentication. The platform and deviceFamily fields sent during reconnect are accepted from the client without being bound into the device-auth signature. An attacker with a paired node identity on the trusted network can spoof these fields to bypass platform-based command policies and access restricted commands. CVSS v3.1: 8.0 (HIGH), with adjacent network attack vector.
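The fix for a metadata-spoofing bug of this shape is to include every policy-relevant field in the bytes the device signs, so the verifier recomputes the MAC over the same values it later uses for authorization. The example below is added for this article and is not OpenClaw's device-auth implementation; the HMAC-SHA256 construction, the JSON canonicalization, the field names beyond `platform` and `deviceFamily`, and the shared key are all assumptions.

```python
import hashlib
import hmac
import json


def canonical(fields: dict) -> bytes:
    """Deterministic encoding so signer and verifier MAC identical bytes."""
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def sign_unbound(key: bytes, msg: dict) -> str:
    """Weak form: only the identity and nonce are covered; platform and
    deviceFamily travel alongside the signature but are not bound to it."""
    covered = {"deviceId": msg["deviceId"], "nonce": msg["nonce"]}
    return hmac.new(key, canonical(covered), hashlib.sha256).hexdigest()


def sign_bound(key: bytes, msg: dict) -> str:
    """Hardened form: the fields that drive command policy are part of the
    signed payload, so changing them invalidates the signature."""
    covered = {k: msg[k] for k in ("deviceId", "nonce", "platform", "deviceFamily")}
    return hmac.new(key, canonical(covered), hashlib.sha256).hexdigest()


def verify(key: bytes, msg: dict, signer) -> bool:
    """Recompute the MAC with the given signer and compare in constant time."""
    return hmac.compare_digest(signer(key, msg), msg["sig"])


def demo() -> dict:
    """Constructed reconnect: a genuine message, then the same message with its
    platform metadata altered, checked under both schemes."""
    key = b"constructed-shared-device-key"
    genuine = {"deviceId": "node-7", "nonce": "c0ffee01",
               "platform": "linux", "deviceFamily": "headless"}

    unbound = dict(genuine, sig=sign_unbound(key, genuine))
    bound = dict(genuine, sig=sign_bound(key, genuine))

    # Metadata rewritten after signing; the signature fields are left untouched.
    altered = {"platform": "macos", "deviceFamily": "desktop"}
    unbound_altered = dict(unbound, **altered)
    bound_altered = dict(bound, **altered)

    return {
        "unbound_accepts_genuine": verify(key, unbound, sign_unbound),
        "unbound_accepts_altered": verify(key, unbound_altered, sign_unbound),
        "bound_accepts_genuine": verify(key, bound, sign_bound),
        "bound_accepts_altered": verify(key, bound_altered, sign_bound),
    }


if __name__ == "__main__":
    print(demo())
```

Binding the fields is necessary but not sufficient: the verifier should also compare the signed `platform` and `deviceFamily` against the values recorded when the node was paired, so a node cannot legitimately re-sign a reconnect that claims a different platform than the one it was enrolled with.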

CVE-2026-32013 affects versions prior to 2026.2.25 and CVE-2026-32014 versions prior to 2026.2.26. Patch guidance across all advisories: upgrade to OpenClaw 2026.3.2 or later.

The Kaspersky Audit

A Comparitech security analysis published March 19 cited a Kaspersky audit of OpenClaw that found 512 security issues in total, with eight classified as critical. The piece characterizes OpenClaw as “definitely not for non-technical users” and recommends sandboxed environments with limited permissions for any deployment.

Separately, the Comparitech report references the Oasis Security disclosure of CVE-2026-25253, which allows malicious websites to interact with an OpenClaw agent and steal files or read Slack messages.

Six CVEs in 48 Hours

The tally for this week alone: CVE-2026-28461 (denial of service via Zalo webhook), CVE-2026-31992 (allowlist bypass in system.run), CVE-2026-31998 (Synology-chat authorization bypass), CVE-2026-31994 (session token exposure), CVE-2026-32013 (symlink traversal for arbitrary file access), and CVE-2026-32014 (device-auth metadata spoofing). All six were published between March 19 and March 20.

The pau1.substack OpenClaw newsletter summarized the severity on March 20: “The flaw allowed attackers to use symbolic links to trick OpenClaw into reading files outside of its assigned directory—potentially exposing system keys and personal data.”

What This Means for Deployers

OpenClaw is experiencing the security growing pains that come with going from a niche developer tool to a framework that Jensen Huang compared to Linux at GTC 2026. The difference: Linux had years of security hardening before widespread enterprise adoption. OpenClaw is getting its Kaspersky audit and its CVE cluster in the same week it hit mainstream consciousness.

Teams running OpenClaw in production should upgrade to 2026.3.2 immediately, audit their workspace permissions, and verify that no symlinks exist in agent-accessible directories. The metadata spoofing vulnerability (CVE-2026-32014) is particularly relevant for deployments with multiple paired nodes on shared networks, which describes most enterprise setups.
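The symlink audit recommended above can be scripted. The scanner below is an added example for this article, not a tool shipped with OpenClaw; it walks a workspace without following links, lists every symlink it finds, and flags the ones whose target resolves outside the workspace root. The directory layout in `demo()` is constructed.

```python
import os
import tempfile


def audit_symlinks(root: str) -> list:
    """Report every symlink under `root` and whether its target escapes the root.

    followlinks=False keeps os.walk from descending into symlinked directories,
    so they are listed once as findings rather than traversed.
    """
    real_root = os.path.realpath(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(real_root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # final target, even for link chains
            escapes = os.path.commonpath([real_root, target]) != real_root
            findings.append({
                "path": os.path.relpath(path, real_root),
                "target": target,
                "escapes_root": escapes,
            })
    return findings


def demo() -> dict:
    """Constructed workspace: one regular file, one link inside the workspace,
    one link pointing outside it. Returns a summary suitable for a CI check."""
    with tempfile.TemporaryDirectory() as outside, tempfile.TemporaryDirectory() as ws:
        with open(os.path.join(outside, "host-config"), "w") as f:
            f.write("not for agents")
        os.makedirs(os.path.join(ws, "docs"))
        with open(os.path.join(ws, "docs", "readme.txt"), "w") as f:
            f.write("ok")
        os.symlink(os.path.join(ws, "docs", "readme.txt"), os.path.join(ws, "readme-link"))
        os.symlink(os.path.join(outside, "host-config"), os.path.join(ws, "docs", "cfg-link"))

        findings = audit_symlinks(ws)
        return {
            "total": len(findings),
            "escaping": sorted(f["path"] for f in findings if f["escapes_root"]),
        }


if __name__ == "__main__":
    for finding in audit_symlinks(os.environ.get("OPENCLAW_WORKSPACE", ".")):
        print(finding)
```

For a one-off check from a shell, `find <workspace> -type l` lists the same links; the script adds the resolved target and the escape verdict, which is what a deployment policy of "no symlinks in agent-accessible directories" actually needs to enforce. Links that stay inside the workspace are still worth removing, since the allowlist is evaluated on names while the file system is evaluated on targets.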

The patch cycle is accelerating, but so is the attack surface.