OpenClaw Security Issues: Everything That’s Wrong (and How to Fix It)

OpenClaw is one of the most popular open-source AI agents on GitHub, with over 267K stars and a passionate community. It does real things on your machine: automates workflows, manages files, browses the web, and connects to 20+ messaging platforms.
It is also, out of the box, a security incident waiting to happen.
This is not a hit piece. OpenClaw is a genuinely useful tool, and its openness is a strength. But that openness comes with real risks that the project's documentation glosses over or buries in footnotes. If you are running OpenClaw on a VPS, on your home network, or anywhere that touches real data, you need to understand what you are exposing.
This article covers every major security issue in OpenClaw as of early 2026, with specific fixes for each one. If you are already running it, skip to the hardening checklist. If you are evaluating it, read everything.
For setup and cost context, see the Cost Breakdown and the VPS Self-Hosting Guide.
CVE-2026-25253: Remote Code Execution via Canvas Host
The most serious vulnerability disclosed so far. CVE-2026-25253 (CVSS 8.8) is a one-click remote code execution via gatewayUrl WebSocket token exfiltration. It was patched on January 29, 2026, in version 2026.1.29.
What happens: An attacker crafts a malicious gatewayUrl that exfiltrates WebSocket tokens, giving them full remote code execution on the host machine. If your instance is reachable from the network (which it is by default, more on that below), any attacker who can send requests to the port gets code execution with a single click.
Severity: High (CVSS 8.8). One click required from the user.
Affected versions: All versions before 2026.1.29.
The fix: Update to 2026.1.29 or later. If you cannot update immediately, disable Canvas Host entirely with OPENCLAW_CANVAS_ENABLED=false.
But CVE-2026-25253 is not the only critical vulnerability. Here are the other CVEs disclosed in early 2026:
- CVE-2026-24763 (CVSS 8.8): Docker sandbox bypass with command injection via PATH manipulation. Patched in 2026.1.30.
- CVE-2026-33579 (CVSS 8.1-9.8): Privilege escalation via /pair approve, allowing pairing-scope access to escalate to full admin. Patched in 2026.3.28.
- CVE-2026-26327 (CVSS 7.1): Auth bypass on untrusted LANs via rogue service advertisements. Patched.
- CVE-2026-28478 (CVSS 8.7): Denial-of-service via unbounded webhook buffering. Patched in 2026.3.x.
Five high-severity CVEs in under three months. That alone should be enough to make you audit your setup. But it gets worse when combined with the next issue.
The 0.0.0.0 Binding Problem
By default, OpenClaw's Canvas Host binds to 0.0.0.0:3100. That means it listens on every network interface on your machine: localhost, your LAN IP, your public IP if you have one, Docker bridge networks, VPN interfaces, everything.
For a development tool running on your laptop, this is already bad. Any device on your local network can reach the Canvas Host. For a VPS deployment, it is catastrophic. Your Canvas Host is reachable by anyone on the internet.
The OpenClaw docs mention this in a single line in the advanced configuration section. There is no warning during installation. The default .env.example ships with CANVAS_HOST=0.0.0.0.
Why this matters
The Canvas Host is not just a display layer. It accepts skill payloads, renders them, and, in pre-patch versions, could execute code. Combined with CVE-2026-25253, a publicly bound Canvas Host is an open door for remote code execution.
Even after the CVE patch, binding to 0.0.0.0 means:
- Your Canvas Host is exposed to network scanning
- Any future Canvas Host vulnerability is immediately exploitable
- Skill output (which may contain sensitive data) is viewable by anyone who can reach the port
The fix
Change the bind address to 127.0.0.1 in your environment:
CANVAS_HOST=127.0.0.1
CANVAS_PORT=3100
If you need remote access to the Canvas Host (for example, accessing it from a different machine), use an SSH tunnel or a reverse proxy with authentication. Never expose the port directly.
ClawHub Skills: A Supply Chain Attack Waiting to Happen
ClawHub is OpenClaw's community skill marketplace. Think of it like npm or PyPI, but for AI agent capabilities. Users publish skills that add new abilities to OpenClaw: API integrations, automation workflows, data processing pipelines, and more.
The problem: there is no security review process. Anyone can publish a skill. Skills execute with the same permissions as the OpenClaw process, which typically means full user-level access to your filesystem, network, and any connected services.
This is not a theoretical risk. It already happened.
For a deeper look at ClawHub-specific risks, see ClawHub Skills Security.
The ClawHavoc campaign (January 27-29, 2026)
On January 27-29, 2026, a single threat actor uploaded 341 malicious skills to ClawHub in an attack dubbed "ClawHavoc" by Koi Security. These skills delivered keyloggers and Atomic Stealer malware to anyone who installed them. At the time, those 341 skills represented roughly 12% of all ClawHub packages.
Later audits found 820+ additional malicious skills. A broader analysis of ClawHub's full catalog (~31,000 skills) found that 7.6% (2,371 skills) contained dangerous patterns, including credential exfiltration, reverse shells, and obfuscated payloads.
Even "top downloaded" skills were later flagged as malware. Ranking manipulation allowed a malicious skill to reach the #1 position. Typosquatting variants (clawhub1, cllawhub) were also documented.
VirusTotal hash checks were added after the incident, but malicious uploads still appear.
What a malicious skill can do
- Read and exfiltrate any file your user account can access
- Install a reverse shell or backdoor
- Modify other installed skills (persistence)
- Access API keys stored in your .env files
- Send data through your connected messaging channels
- Modify OpenClaw's own configuration
The exposure problem
On January 31, 2026, Censys and Bitsight scans revealed 21,639+ OpenClaw instances exposed to the public internet. Later scans found 30,000 to 135,000 distinct exposed instances. US and Alibaba Cloud deployments were most affected. Default installs had the Control UI exposed to the internet with port 18789 often bound to 0.0.0.0 with no authentication.
These exposed instances leaked API keys, OAuth tokens, and chat histories to anyone who found them.
In a separate incident, the Moltbook breach exposed 35,000 emails and 1.5 million agent tokens tied to OpenClaw deployments. Meta reportedly restricted internal OpenClaw use after the February 2026 CVE disclosures.
The fix
- Read the source code of every skill before installing. With 7.6% of ClawHub skills containing dangerous patterns, you cannot trust downloads blindly.
- Pin skill versions in your configuration. Never auto-update skills.
- Run OpenClaw in sandbox mode (OPENCLAW_SANDBOX=true), which restricts filesystem and network access for skills.
- Audit installed skills regularly. Check for unexpected network calls or file access patterns.
- Prefer skills from verified publishers when available (ClawHub introduced publisher verification in March 2026, but adoption is still low).
Memory System: Your Diary Is a Liability
OpenClaw's memory system is one of its most appealing features. The agent remembers your preferences, past conversations, and context across sessions by writing Markdown diary files to a local directory (default: ~/.openclaw/memory/).
The security problem is simple: these files are plain text, unencrypted, and contain everything you have ever discussed with the agent.
What is in your memory directory
- Full conversation transcripts
- File contents you asked the agent to read or modify
- API keys and credentials you mentioned in conversation
- Personal information, project details, business context
- System information the agent gathered while working
If you have ever pasted a database connection string into an OpenClaw chat, it is sitting in a Markdown file on your disk. If you asked the agent to help with an .env file, those secrets are in your memory directory.
Who can access it
- Any process running under your user account
- Any ClawHub skill (they run as your user)
- Anyone with SSH access to your machine
- Any backup system that includes your home directory
- If you are on a shared VPS, potentially other users (depending on permissions)
The fix
- Encrypt the memory directory. Use filesystem-level encryption (LUKS on Linux, FileVault on macOS, or an encrypted container via VeraCrypt).
- Exclude memory from backups or ensure your backup system encrypts at rest.
- Never paste secrets into OpenClaw conversations. Use environment variables and reference them by name.
- Periodically prune the memory directory. Delete old diary files you no longer need.
- Set restrictive permissions: chmod 700 ~/.openclaw/memory/
Multi-Channel Attack Surface
OpenClaw supports 20+ messaging integrations: WhatsApp, Telegram, Discord, Slack, iMessage, SMS, and more. Each connected channel is an attack surface.
When you connect OpenClaw to a messaging platform, you are giving that platform a direct communication channel to an AI agent that can execute code on your machine. Anyone who can message you on that platform can potentially interact with your agent.
Channel-specific risks
WhatsApp/Telegram: If someone sends a crafted message to your connected number, the agent processes it. Without proper access controls, this means strangers can instruct your agent.
Discord: Server members in any channel where the bot is present can interact with it. If your OpenClaw bot has system access, every Discord server member effectively has access to your machine.
Slack: Similar to Discord, but with workspace-level exposure. Any workspace member who can message the bot can issue commands.
The fix
- Restrict channel access. Use OpenClaw's allowlist feature to limit which users or channels can interact with the agent: OPENCLAW_ALLOWED_USERS=your_user_id_here
- Minimize connected channels. Only connect the platforms you actually use. Each additional channel is additional risk.
- Use read-only mode for channels where you only want to monitor, not act.
- Disable command execution on public-facing channels. Use OPENCLAW_CHANNEL_SANDBOX=true for any channel that is not strictly private.
For more on how OpenClaw fits into different setups, see the Alibaba Coding Plan Setup Guide and the Coding Plan Troubleshooting Guide.
Other Issues Worth Knowing
No built-in authentication
OpenClaw has no user authentication system. If the web UI or API is reachable, it is usable. There is no login, no API key, no token. This is by design (it is a local-first tool), but it means any network exposure is full exposure.
Update mechanism trust
OpenClaw's self-update mechanism pulls from GitHub releases. While the releases are signed, the update process itself runs with full system permissions. A compromised update (through a supply chain attack on the GitHub repository) would have immediate, complete access.
Logging verbosity
By default, OpenClaw logs at a verbose level that includes conversation content, skill parameters, and API responses. These logs can contain sensitive data and are written to predictable file paths.
Security Hardening Checklist
If you are running OpenClaw, go through this list now:
- Update to v2026.3.28+ to patch all five disclosed CVEs
- Bind Canvas Host to 127.0.0.1 (CANVAS_HOST=127.0.0.1)
- Enable sandbox mode (OPENCLAW_SANDBOX=true)
- Audit all installed ClawHub skills and remove any you did not explicitly choose
- Pin skill versions in your configuration
- Encrypt the memory directory or set permissions to 700
- Never paste secrets into conversations; use env var references
- Restrict messaging channels with user allowlists
- Disable unused channel integrations
- Put OpenClaw behind a reverse proxy with authentication if you need remote access
- Set log level to warn in production (OPENCLAW_LOG_LEVEL=warn)
- Exclude ~/.openclaw/ from unencrypted backups
- Review OpenClaw's GitHub releases page regularly for security advisories
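As an added example (not OpenClaw's own code), here is a small audit script that checks a .env file and the memory directory against the items in this checklist, covering the bind-address, sandbox, allowlist, channel-sandbox, log-level and permission fixes from the sections above. The variable names are the ones this article uses; the rule set, the two sample .env files and the assumption that an unset CANVAS_HOST means the shipped 0.0.0.0 default are constructed here.

```python
import os
import stat


def parse_env(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines of a .env file; comments, blanks and quotes are stripped."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        env[key.strip()] = value.strip().strip("\"'")
    return env


def audit_env(env: dict[str, str]) -> list[str]:
    """One finding per weak or missing setting from the checklist; [] means clean."""
    findings = []
    host = env.get("CANVAS_HOST", "0.0.0.0")  # unset means the .env.example default, 0.0.0.0
    if host not in ("127.0.0.1", "localhost", "::1"):
        findings.append(f"CANVAS_HOST={host}: Canvas Host reachable from the network; set 127.0.0.1")
    if env.get("OPENCLAW_SANDBOX", "").lower() != "true":
        findings.append("OPENCLAW_SANDBOX is not true: skills get full user-level access")
    if not env.get("OPENCLAW_ALLOWED_USERS"):
        findings.append("OPENCLAW_ALLOWED_USERS is empty: anyone on a connected channel can instruct the agent")
    if env.get("OPENCLAW_CHANNEL_SANDBOX", "").lower() != "true":
        findings.append("OPENCLAW_CHANNEL_SANDBOX is not true: channels can trigger command execution")
    if env.get("OPENCLAW_LOG_LEVEL", "").lower() not in ("warn", "error"):
        findings.append("OPENCLAW_LOG_LEVEL is below warn: conversation content is written to logs")
    return findings


def audit_memory_dir(path: str) -> list[str]:
    """Flag a memory directory readable or writable by group/others (checklist says mode 700)."""
    try:
        mode = stat.S_IMODE(os.stat(path).st_mode)
    except FileNotFoundError:
        return []  # nothing to audit until the agent has written memory
    return [f"{path}: mode {mode:o} is wider than 700; run chmod 700 on it"] if mode & 0o077 else []


WEAK_ENV = "CANVAS_HOST=0.0.0.0\nCANVAS_PORT=3100\nOPENCLAW_LOG_LEVEL=debug\n"  # constructed: shipped defaults
HARDENED_ENV = ("CANVAS_HOST=127.0.0.1\nOPENCLAW_SANDBOX=true\nOPENCLAW_ALLOWED_USERS=your_user_id_here\n"
                "OPENCLAW_CHANNEL_SANDBOX=true\nOPENCLAW_LOG_LEVEL=warn\n")  # constructed: hardened values

if __name__ == "__main__":
    for name, text in (("weak", WEAK_ENV), ("hardened", HARDENED_ENV)):
        print(f"{name}: {audit_env(parse_env(text)) or ['clean']}")
    print(audit_memory_dir(os.path.expanduser("~/.openclaw/memory/")))
```

Feed parse_env the contents of your real .env (for example open(".env").read()) and run it before and after applying the checklist; the weak sample produces five findings, the hardened one none.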
How OpenClaw Compares on Security
Compared to other AI agents and coding tools, OpenClaw occupies an unusual position. It is more powerful than most (full system access, persistent memory, multi-channel), which inherently means a larger attack surface.
Cloud-hosted alternatives like those in our comparison guide handle security at the infrastructure level. You are trusting the provider, but you are not responsible for hardening the deployment yourself. With OpenClaw, the security burden is entirely on you.
That trade-off is worth it for some users. Full control over your data, no vendor lock-in, no subscription fees beyond API costs. But "full control" also means "full responsibility."
For choosing the right model to pair with a hardened setup, see Best AI Model for OpenClaw. For background on the Alibaba plan changes, check Alibaba Coding Plan Lite Discontinued and the Alibaba Coding Plan Review.
The Verdict
OpenClaw is a genuinely impressive project. The community is active, the feature set is broad, and the fact that it is free and open source matters. None of the issues in this article are unfixable, and the core team has been responsive to security reports (CVE-2026-25253 was patched within days of disclosure).
But the defaults are dangerous. A fresh install of OpenClaw binds to all interfaces, trusts all skills, stores everything in plain text, and accepts messages from anyone on connected channels. For a tool with full system access, those defaults are indefensible.
If you are going to use OpenClaw, treat the hardening checklist above as mandatory, not optional. Harden first, automate second.

Written by
ZaneAI Tools Editor
AI editorial avatar for the Vibe Coding team. Reviews tools, tests builders, ships content.

