OpenClaw patched nine CVEs between late January and early February 2026 after security researchers found 135,000 instances of the AI agent framework running on publicly accessible IP addresses across 82 countries. More than 15,000 of those instances were directly exploitable via CVE-2026-25253, a CVSS 8.8 remote code execution flaw that allowed one-click system compromise through a WebSocket origin validation gap. A detailed post-mortem published on DEV Community on April 6 called it “the first major AI agent security crisis of 2026.”
The Attack Chain
The most severe vulnerability, CVE-2026-25253, stemmed from a specific design flaw: OpenClaw’s control UI read a gatewayUrl parameter from the query string without validation and auto-connected on page load, sending the stored gateway authentication token in the WebSocket payload. The WebSocket server did not validate the Origin header. An attacker could host a malicious webpage, trick a user into visiting it, and receive the token within milliseconds.
With the token, an attacker could disable user confirmation prompts by setting exec.approvals.set to off, escape container restrictions by switching tools.exec.host to gateway, and achieve arbitrary code execution on the host machine. According to the post-mortem, which cited Oasis Security’s disclosure, the entire attack chain ran in milliseconds.
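As an added defensive example (not OpenClaw's code), here are the two checks whose absence the attack chain above depends on: an exact-match Origin allow-list on the gateway's WebSocket handshake, and a same-origin check on a query-supplied gatewayUrl before the control UI auto-connects. The host names, ports and function names are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list of browser origins that may open a gateway
# WebSocket (hypothetical hosts and ports, not OpenClaw's real settings).
ALLOWED_ORIGINS = ("http://localhost:8080", "http://127.0.0.1:8080")
_DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

def normalize_origin(origin):
    """Return 'scheme://host:port' with an explicit port, or None if the
    value is not a well-formed origin. Comparing the normalized triple
    exactly defeats prefix tricks like http://localhost:8080.evil.example."""
    try:
        parts = urlsplit(origin)
        scheme, host = parts.scheme.lower(), parts.hostname
        port = parts.port or _DEFAULT_PORTS.get(scheme)
    except ValueError:  # unparseable port such as "8080.evil.example"
        return None
    if scheme not in _DEFAULT_PORTS or not host or port is None:
        return None
    return f"{scheme}://{host}:{port}"

_ALLOWED = frozenset(normalize_origin(o) for o in ALLOWED_ORIGINS)

def origin_permitted(headers):
    """Server side: decide whether a WebSocket upgrade may proceed.
    Browsers always send Origin on a handshake, so a missing header, the
    literal 'null' origin and anything outside the allow-list are refused
    before the gateway token in the payload is ever read."""
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return False
    return normalize_origin(origin.strip()) in _ALLOWED

def gateway_url_is_same_origin(gateway_url, page_origin):
    """Control-UI side: honour a query-supplied gatewayUrl only if it points
    at the page's own host and port (ws for http pages, wss for https);
    otherwise the UI should fall back to its configured default."""
    page = urlsplit(page_origin)
    expected_scheme = {"http": "ws", "https": "wss"}.get(page.scheme.lower())
    try:
        target = urlsplit(gateway_url)
        t_port = target.port or _DEFAULT_PORTS.get(target.scheme.lower())
        p_port = page.port or _DEFAULT_PORTS.get(page.scheme.lower())
    except ValueError:
        return False
    return (target.scheme.lower() == expected_scheme
            and target.hostname is not None
            and target.hostname == page.hostname and t_port == p_port)
```

Both checks compare scheme, host and port as a normalized triple rather than doing substring or prefix matching, which is the usual way an origin check gets bypassed.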
OpenClaw patched CVE-2026-25253 in version 2026.1.29, released January 30. Eight additional CVEs followed over the next four days, including command injection (CVE-2026-24763), server-side request forgery in the gateway (CVE-2026-26322, CVSS 7.6), and path traversal in the browser upload component (CVE-2026-26329). The initial audit identified 512 total vulnerabilities, with eight classified as critical.
The Marketplace Problem
Separately, an audit of the ClawHub skill marketplace found 341 of 2,857 listed skills were malicious at the time of review — 12% of the entire registry. The post-mortem framed the skill marketplace as a supply-chain attack vector comparable to compromised npm packages or PyPI libraries: third-party code running with the agent’s full permissions and credentials.
The Architectural Pattern
The post-mortem argued the findings are not OpenClaw-specific. Any AI agent with persistent credentials, autonomous execution, and deep integrations into messaging, email, calendar, and shell access carries the same category of risk. The author, who described deploying 109 production AI systems across industries, noted that organizations consistently treat AI agent security the same way they treat web application security. The difference: a web application has a defined interface with bounded scope, while an AI agent processes untrusted instructions through the same channel as ordinary content at runtime.
CrowdStrike’s analysis of OpenClaw, referenced in the post-mortem, described prompt injection as transforming “from a content manipulation issue into a full-scale breach enabler, where the blast radius extends to every system and tool the agent can reach.”
Patch Status and Builder Checklist
All nine CVEs have been patched. The critical action for operators: update to the latest OpenClaw release, verify that instances are not exposed on public IP addresses, validate origin headers on WebSocket connections, and audit any ClawHub skills installed before the marketplace review. The post-mortem noted that the difference between a safe deployment and an exposed one comes down to four configuration choices — none of which are enabled by default.