OpenClaw can execute actions and commands through skills/plugins. This creates high operational risk if untrusted skills are installed. Deploy only in tightly controlled environments.
Vulnerability Details:
- CVE: CVE-2026-28472
- CVSS Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected: Versions < 2026.2.2
- Fixed: 2026.2.2
- Published: March 5, 2026
- Type: CWE-306 (Missing Authentication for Critical Function)
Description: OpenClaw contains a vulnerability in the gateway WebSocket connect handshake that allows attackers to skip device identity checks. When auth.token is present but not properly validated, the system performs a presence check instead of actual validation, allowing unauthorized connections.
Impact:
- Bypass device identity verification during WebSocket handshake
- Connect to the gateway without proper authentication
- Skip the device pairing process entirely
- Gain operator-level access in vulnerable deployments
Action Required:
- Upgrade immediately to v2026.2.2 or higher (latest: v2026.4.10)
- Review gateway logs for unauthorized WebSocket connections
- Verify device pairing configurations
Vulnerability Details:
- CVE: CVE-2026-25253
- CVSS Score: 8.8 (Critical)
- Affected: Early versions (prior to January 29, 2026)
- Fixed: v2026.1.29
- Published: January 31, 2026
- Discovered by: Mav Levin, DepthFirst
Description: The OpenClaw Control UI accepts an unvalidated gatewayUrl query parameter and auto-connects on page load, transmitting the stored authentication token over the WebSocket. Visiting a malicious page instantly steals the token, allowing an attacker to connect to the victim’s gateway, disable sandboxing via API calls, and achieve full system RCE. The flaw works even on localhost-only configurations because the victim’s browser initiates the outbound connection.
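As an added example that is not the OpenClaw Control UI's code, the following contrasts a page that connects to whatever gatewayUrl the query string supplies with one that only auto-connects to an allowlisted gateway origin. The default gateway, the allowlist and the hosts used in the test are constructed.

```javascript
// Added illustration (not the OpenClaw Control UI's code) of the defect class
// behind CVE-2026-25253: a UI that auto-connects to whatever gatewayUrl the
// query string carries, beside one that only honours allowlisted gateways.
const DEFAULT_GATEWAY = 'ws://127.0.0.1:18789'; // constructed default; port 18789 as in the hardening notes

// Constructed allowlist of gateway origins this UI build may connect to.
const ALLOWED_GATEWAY_ORIGINS = new Set([
  'ws://127.0.0.1:18789',
  'ws://localhost:18789',
  'wss://gateway.example.internal',
]);

// Vulnerable: the parameter is trusted outright. Because the victim's own
// browser opens the socket, a localhost-only gateway offers no protection.
function resolveGatewayUrlVulnerable(search) {
  const params = new URLSearchParams(search);
  return params.get('gatewayUrl') || DEFAULT_GATEWAY;
}

// Hardened: parse the candidate, require a WebSocket scheme, reject embedded
// credentials, and only auto-connect (and so only send the stored token)
// when the origin is on the allowlist. Anything else falls back to the
// default gateway without auto-connecting.
function resolveGatewayUrlHardened(search) {
  const params = new URLSearchParams(search);
  const candidate = params.get('gatewayUrl');
  if (candidate === null) {
    return { url: DEFAULT_GATEWAY, autoConnect: true };
  }
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch (e) {
    return { url: DEFAULT_GATEWAY, autoConnect: false, reason: 'unparseable url' };
  }
  if (parsed.protocol !== 'ws:' && parsed.protocol !== 'wss:') {
    return { url: DEFAULT_GATEWAY, autoConnect: false, reason: 'scheme not allowed' };
  }
  if (parsed.username || parsed.password) {
    return { url: DEFAULT_GATEWAY, autoConnect: false, reason: 'credentials in url' };
  }
  // Compare on origin only; any path or query in the parameter is discarded.
  const origin = `${parsed.protocol}//${parsed.host}`;
  if (!ALLOWED_GATEWAY_ORIGINS.has(origin)) {
    return { url: DEFAULT_GATEWAY, autoConnect: false, reason: 'origin not allowlisted' };
  }
  return { url: origin, autoConnect: true };
}
```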
Impact:
- Authentication token theft via cross-site WebSocket hijacking
- Remote code execution
- Full system compromise
Action Required:
- Upgrade immediately to latest version (v2026.4.10 or higher)
- Rotate all API keys and tokens if compromise is suspected
- Review logs for suspicious activity
- SSRF vulnerability fix: Patched CVE-2026-34504 - SSRF via fal provider allowing server-side request forgery through unvalidated URL parameters in model provider configuration
- Dependency fix: Forced basic-ftp to v5.2.1 to patch CRLF command-injection vulnerability; updated Hono and @hono/node-server
- SSRF/Browser hardening: Re-ran blocked-destination safety checks after interaction-driven navigations; blocked main-frame redirect hops from reaching internal targets
- Environment & config security: Blocked untrusted workspace .env files from overriding runtime-control, browser-control, and skip-server variables
- Execution & plugin isolation: Sanitized remote node execution summaries to prevent "System:" content injection; prevented untrusted workspace plugins from hijacking bundled provider auth-choice IDs; blocked dangerous host/environment overrides (Java, Rust, K8s, cloud credentials, Helm, etc.)
- Access control: Enforced owner-only authorization for /allowlist add/remove commands; restricted local file access to workspace boundaries when workspaceOnly mode is active
- Exec/env sandbox: Block build-tool JVM injection (MAVEN_OPTS, SBT_OPTS, GRADLE_OPTS, GLIBC_TUNABLES, DOTNET_ADDITIONAL_DEPS)
- Exec approvals: Treat time as transparent dispatch wrapper during allowlist evaluation
- Voice-call/webhooks: Reject missing provider signature headers, drop pre-auth body budget to 64 KB/5s
- Device pairing: Make bootstrap setup codes single-use
Note: OpenClaw has a rapid release cycle (2-3 releases/week). Always use the latest version for security patches. Run openclaw doctor to validate your installation.
OpenClaw connects to real messaging surfaces. Treat inbound DMs as untrusted input.
DM Policy options (dmPolicy):
- pairing (default): Unknown senders receive a pairing code and must be approved before the bot processes their messages. Codes expire after 1 hour. Pending requests are capped at 3 per channel by default.
- allowlist: Unknown senders are blocked (no pairing handshake)
- open: Public inbound DMs allowed (requires explicit opt-in with "*" in allowFrom)
- disabled: Ignore inbound DMs entirely
Pairing management:
- List pending: openclaw pairing list <channel>
- Approve pairings: openclaw pairing approve <channel> <code>
- Audit your configuration: Run openclaw doctor to surface risky/misconfigured DM policies
Publicly exposed OpenClaw instances can be found with network scanning tools:
- Exposed data includes: API keys, bot tokens, OAuth secrets, full conversation histories, command execution capabilities
- Never expose port 18789 directly to the public internet
- Use a reverse proxy with authentication for remote access
- For secure remote access, use Tailscale (gateway.tailscale.mode: "serve" for Tailnet-only access, or "funnel" for public access with Tailscale's authentication layer)
Prompt injection attacks are possible in AI agent systems:
- Attack example: Malicious input could cause the agent to forward sensitive data to an attacker
- Always treat inbound messages as untrusted input
- Use sandbox mode for non-main sessions (groups/channels)
- Implement rate limiting to slow down automated attacks
- Audit your configuration: Run openclaw doctor to check for misconfigurations and surface risky/misconfigured DM policies
- Run OpenClaw in isolated hosts or dedicated containers.
- Do not grant host root privileges or broad Docker socket access.
- Avoid running on production control-plane servers.
- Keep clear separation between test and production environments.
- Use dedicated user accounts with minimal required permissions.
- Implement network segmentation to limit lateral movement.
- Install only audited skills from trusted maintainers.
- Review skill code before enabling execution.
- Disable skills that can run shell commands unless strictly required.
- Log and review all automated actions initiated by the agent.
- Implement skill execution timeouts to prevent infinite loops.
- Use sandboxed environments for skill execution when possible.
- Use dedicated bot accounts with minimal required permissions.
- Implement webhook validation and authentication.
- Rotate messaging platform tokens regularly.
- Monitor for unusual activity patterns in messaging channels.
- Limit the number of concurrent active sessions.
4) Protect API keys and sensitive data
- Store API keys in environment variables or secure vaults, never in code.
- Use different API keys for different environments.
- Implement key rotation policies and procedures.
- Monitor API usage for unusual patterns or spikes.
- Restrict network access to API endpoints.
- Use least-privilege service accounts.
- Scope API tokens to minimum required permissions.
- Restrict outbound egress to approved APIs only.
- Keep incident response procedures ready to revoke keys and disable execution quickly.
- Implement resource limits to prevent system exhaustion.
- Regularly audit file system access and permissions.
6) Enable Sandbox Mode (Recommended)
For group/channel safety, enable sandbox mode to run sessions in Docker containers:
{
  "agents": {
    "defaults": {
      "sandbox": {
        "mode": "all"
      }
    }
  }
}
Sandbox defaults:
- ✅ Allowlist: bash, process, read, write, edit, sessions_list, sessions_history, sessions_send
- ❌ Denylist: browser, canvas, nodes, cron, discord, gateway
Sandbox CLI Commands
| Command | Description |
| --- | --- |
| openclaw sandbox explain | Inspect effective sandbox mode, scope, workspace access, and tool policy |
| openclaw sandbox list | List all sandbox containers with status |
| openclaw sandbox recreate --all | Recreate all sandbox containers with updated config |
| openclaw sandbox recreate --agent <name> | Recreate the sandbox for a specific agent |
Tip: Run openclaw doctor to validate sandbox configuration and check if Docker is available.
- OpenClaw project site: https://openclaw.ai/
- OpenClaw Documentation: https://docs.openclaw.ai/
- OpenClaw Security Guide: https://docs.openclaw.ai/security
- OpenClaw Sandbox Configuration: https://docs.openclaw.ai/sandbox
- OpenClaw CLI Doctor: https://docs.openclaw.ai/cli/doctor
- OWASP Top 10 for AI: https://owasp.org/www-project-top-10-for-large-language-model-applications/
- NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework