
OpenClaw Went from Viral AI Agent to Security Crisis in Just Three Weeks


In the last week of January 2026, OpenClaw gained 25,000 GitHub stars in a single day and became one of the fastest-growing open-source projects in GitHub history. By mid-February, it had a critical one-click RCE vulnerability, a poisoned skills marketplace, and over 135,000 instances exposed on the public internet, many of them running with no authentication whatsoever.

OpenClaw is an open-source AI agent that connects to messaging apps like WhatsApp, Telegram, Slack, and Discord and autonomously acts on a user’s behalf: sending emails, running terminal commands, managing files, browsing the web, and controlling whatever services the user has linked to it. It runs locally, stores memory across sessions, and can be extended through “skills,” modular packages published to ClawHub, its community marketplace. Originally released in November 2025 as Clawdbot, it was rebranded twice before settling on its current name.

The tool’s appeal is straightforward: a persistent AI assistant that actually does things rather than just answering questions. That same quality, broad system access with minimal friction, is also what made it such an attractive target once enough people were running it.

The Core Vulnerability: CVE-2026-25253

The most critical flaw found was CVE-2026-25253, rated CVSS 8.8: a token exfiltration vulnerability that leads to full gateway compromise.

OpenClaw incorrectly assumed that any connection originating from localhost could be implicitly trusted, without accounting for the fact that a web page open in the user’s own browser can originate connections from that same local address. If a user visited an attacker-controlled page, JavaScript on that page could silently open a WebSocket connection to the OpenClaw gateway, steal the authentication token, and use it to take full administrative control of the instance. From there, an attacker could disable user confirmation prompts, escape the Docker sandbox, and run arbitrary commands directly on the host machine.

The flaw was exploitable even on localhost-bound instances, since the victim’s browser initiates the outbound connection. A patch landed in version 2026.1.29 on January 29, 2026, less than 24 hours after the initial report. A second, related disclosure by Oasis Security (codenamed ClawJacked and also tracked as CVE-2026-25253) was separately patched in version 2026.2.25 on February 26, 2026, again within 24 hours of responsible disclosure.

On the same day as the patch, two additional command injection vulnerabilities were disclosed, and a broader security audit identified 512 vulnerabilities in total, eight of them critical. Here’s a breakdown of what was on that list:

  • CVE-2026-25253 (CVSS 8.8): One-click RCE via WebSocket hijacking and token exfiltration, exploitable even on localhost-bound instances. Patched in v2026.1.29.
  • CVE-2026-24763 and CVE-2026-25157: Two high-severity command injection vulnerabilities disclosed alongside the patch.
  • No rate limiting on authentication attempts: Attackers could brute-force gateway passwords without triggering any lockout or alert.
  • No WebSocket origin validation: The server accepted connections from any website, which is what made the CVE-2026-25253 exploit chain possible.
  • Authentication disabled by default: A standard install with no additional hardening left the gateway openly accessible.

ClawHavoc: The Supply Chain Campaign

Running alongside the vulnerability disclosures was a coordinated supply chain attack against ClawHub that researchers named ClawHavoc.

Koi Security audited all 2,857 skills on ClawHub and found 341 malicious entries, with 335 traced to a single coordinated operation based on shared tactics and infrastructure. The attack relied on social engineering: malicious skills were disguised as legitimate tools, with fake prerequisite instructions prompting users to paste terminal commands or download files from attacker-controlled servers.

On macOS, payloads tied to the Atomic macOS Stealer collected browser credentials, keychains, SSH keys, and crypto wallets and sent them to attacker infrastructure. Windows users were hit with reverse shells and staged malware downloads.

As ClawHub’s registry grew, so did the infection rate. By March 1, 2026, over 1,184 confirmed malicious skills existed across more than 10,700 total packages.

Skills run with the full permissions of the agent, which typically include terminal access, full disk access, and OAuth tokens for connected services. That makes a skills marketplace a very high-value target, and one that deserves the same scrutiny as any other software supply chain.

Exposed at Scale

SecurityScorecard identified more than 135,000 publicly exposed OpenClaw instances across 82 countries. Of those, over 50,000 were exploitable via RCE, and more than 53,000 were correlated with prior breach activity.

Authentication is disabled out of the box, the server accepts WebSocket connections without verifying their origin, and there’s no rate limiting on login attempts. A user who installs OpenClaw and doesn’t go looking for hardening guides ends up with all of that by default.

Why Enterprise Teams Should Care

This might look like a problem confined to developers running personal AI assistants at home, but Bitdefender’s enterprise telemetry showed employees deploying OpenClaw directly onto corporate machines using single-line install commands, granting the tool broad terminal and disk access without IT’s knowledge. Separately, 22% of enterprise customers surveyed by Token Security had employees actively using the tool, likely without authorization.

An AI agent with terminal access and OAuth tokens for half a dozen connected services is a particularly high-stakes form of shadow IT. A compromised instance on a developer’s machine can expose API keys, SSH credentials, and access to production systems, given that the agent runs across email, calendars, file systems, and every connected service the user has linked to it.


What To Do

If OpenClaw is running anywhere in your environment, the immediate priority is getting to version 2026.2.26 or later, since anything earlier remains vulnerable to at least one critical CVE. Any skills installed from ClawHub before mid-February 2026 should be treated as untrusted until verified.

For IT and security teams, this is a good time to check endpoint inventory for OpenClaw and its former names (Moltbot, Clawdbot). If it’s running on corporate machines without authorization, treat it the same as any other unauthorized software with system-level access: remove it and review what it may have touched.

OpenClaw is an early and visible example of a category of tools that will only become more common. Agentic AI with broad system permissions, community-built extensions, and minimal default security controls is a pattern that will repeat itself, and the security questions it raises around privilege, supply chain trust, and shadow adoption will come up again with the next viral AI tool, and the one after that.

About the Author:


Pocholo Legaspi

Pocholo Legaspi is a seasoned content marketer and SEO specialist with over nine years of experience crafting digital content that drives engagement and growth. With a background in tech and a Master’s in Business Informatics, he brings a data-driven approach to content strategy and storytelling.
