OpenClaw can execute actions and commands through skills/plugins. This creates high operational risk if untrusted skills are installed. Deploy only in tightly controlled environments.
Vulnerability Details:
- CVE: CVE-2026-28472
- CVSS Score: 9.8 (Critical)
- Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Affected: Versions < 2026.2.2
- Fixed: 2026.2.2
- Published: March 5, 2026
- Type: CWE-306 (Missing Authentication for Critical Function)
Description: OpenClaw's gateway WebSocket connect handshake lets attackers skip device identity checks. When auth.token is present, the gateway only checks that the field exists instead of validating its value, so unauthorized connections are accepted.
Impact:
- Bypass device identity verification during WebSocket handshake
- Connect to the gateway without proper authentication
- Skip the device pairing process entirely
- Gain operator-level access in vulnerable deployments
Action Required:
- Upgrade immediately to v2026.2.2 or higher (latest: v2026.3.22)
- Review gateway logs for unauthorized WebSocket connections
- Verify device pairing configurations
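The presence-check flaw described above, reduced to its shape, beside the validated form. This is an added illustration, not OpenClaw's code: the connect-frame fields, the role names, the configured token and the paired-device set are constructed stand-ins.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed stand-in for the gateway's configured token and paired devices
# (example values, not OpenClaw's real data structures).
GATEWAY_TOKEN = "constructed-gateway-token"
PAIRED_DEVICES = {"device-A1"}


@dataclass
class ConnectFrame:
    auth_token: Optional[str] = None   # the auth.token field of the connect handshake
    device_id: Optional[str] = None    # device identity presented for pairing checks


def vulnerable_connect(frame: ConnectFrame) -> str:
    """CWE-306 shape from the advisory: auth.token is only checked for presence,
    and any present token short-circuits the device identity check."""
    if frame.auth_token:                       # presence check, not validation
        return "operator"
    if frame.device_id in PAIRED_DEVICES:
        return "device"
    return "rejected"


def fixed_connect(frame: ConnectFrame) -> str:
    """Validate the token value in constant time; a wrong token is a hard
    failure and never falls through to the device path."""
    if frame.auth_token is not None:
        if not hmac.compare_digest(frame.auth_token.encode(), GATEWAY_TOKEN.encode()):
            return "rejected"
        return "operator"
    if frame.device_id in PAIRED_DEVICES:      # token absent: device identity is required
        return "device"
    return "rejected"
```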
Vulnerability Details:
- CVE: CVE-2026-25253
- CVSS Score: 9.0+ (Critical)
- Affected: Early versions (prior to February 2026)
- Published: February 2026
Description: Authentication token theft vulnerability that can lead to remote code execution. Zero-click exploit possible in vulnerable versions.
Impact:
- Authentication token theft
- Remote code execution
- Full system compromise
Action Required:
- Upgrade immediately to latest version (v2026.3.22 or higher)
- Rotate all API keys and tokens if compromise is suspected
- Review logs for suspicious activity
- Exec/env sandbox: Block build-tool JVM injection (MAVEN_OPTS, SBT_OPTS, GRADLE_OPTS, GLIBC_TUNABLES, DOTNET_ADDITIONAL_DEPS)
- Exec approvals: Treat time as transparent dispatch wrapper during allowlist evaluation
- Voice-call/webhooks: Reject missing provider signature headers, drop pre-auth body budget to 64 KB/5s
- Device pairing: Make bootstrap setup codes single-use
- Docker security: Prevent gateway token leak in Docker build context
- iMessage remote attachments: Reject unsafe remote attachment paths
- Telegram webhook auth: Validate webhook secret before reading request bodies
- Device pairing: Make bootstrap tokens single-use
- External content: Strip zero-width and soft-hyphen marker-splitting characters
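The last item in that list, as an added example (not OpenClaw's implementation): why a marker scan over external content must strip invisible characters first. The marker string and the exact set of stripped code points are assumptions.

```python
import re

# Invisible code points that can sit inside a marker string without changing what a
# human sees. The page does not list the exact set OpenClaw strips, so this set
# (zero-width space/non-joiner/joiner, word joiner, BOM, soft hyphen) is an assumption.
MARKER_SPLITTERS = re.compile("[\u200b\u200c\u200d\u2060\ufeff\u00ad]")

# Hypothetical boundary marker a gateway would wrap fetched content in.
END_MARKER = "<<EXTERNAL_CONTENT_END>>"


def normalize_external(text: str) -> str:
    """Strip marker-splitting characters before any marker scan runs."""
    return MARKER_SPLITTERS.sub("", text)


def marker_present(text: str) -> bool:
    """Naive scan: misses a marker that has been split by invisible characters."""
    return END_MARKER in text


def neutralize_markers(text: str) -> str:
    """Normalize first, then replace any boundary marker found in untrusted content
    so it cannot close the external-content wrapper."""
    return normalize_external(text).replace(END_MARKER, "[marker-removed]")


# Constructed sample: the marker carries a zero-width space and a soft hyphen.
SAMPLE = "fetched text <<EXTERNAL_\u200bCONTENT\u00ad_END>> trailing instructions"
```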
Note: OpenClaw has a rapid release cycle (2-3 releases/week). Always use the latest version for security patches. Run openclaw doctor to validate your installation.
OpenClaw connects to real messaging surfaces. Treat inbound DMs as untrusted input.
DM Policy options (dmPolicy):
pairing (default): Unknown senders receive a pairing code and must be approved before the bot processes their messages. Codes expire after 1 hour. Pending requests capped at 3 per channel by default.
allowlist: Unknown senders are blocked (no pairing handshake)
open: Public inbound DMs allowed (requires explicit opt-in with "*" in allowFrom)
disabled: Ignore inbound DMs entirely
Pairing management:
- List pending: openclaw pairing list <channel>
- Approve pairings: openclaw pairing approve <channel> <code>
- Audit your configuration: run openclaw doctor to surface risky/misconfigured DM policies
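The DM policy and pairing rules above, worked through as a small decision function. This is an added example, not OpenClaw's code: the data structures, the code format, the treatment of the open policy without the "*" opt-in (blocked) and of requests beyond the pending cap (blocked) are assumptions; the 1-hour expiry and the cap of 3 per channel are from the text.

```python
import secrets
from dataclasses import dataclass, field

PAIRING_TTL_SECONDS = 3600       # pairing codes expire after 1 hour
MAX_PENDING_PER_CHANNEL = 3      # default cap on pending requests per channel

@dataclass
class ChannelConfig:
    dm_policy: str = "pairing"                      # pairing | allowlist | open | disabled
    allow_from: set = field(default_factory=set)    # approved senders; "*" = everyone

@dataclass
class PairingStore:
    pending: dict = field(default_factory=dict)     # channel -> {sender: (code, issued_at)}

    def live(self, channel: str, now: float) -> dict:
        """Drop expired codes for a channel and return the remaining pending entries."""
        bucket = self.pending.setdefault(channel, {})
        for sender in [s for s, (_, t) in bucket.items() if now - t >= PAIRING_TTL_SECONDS]:
            del bucket[sender]
        return bucket

def handle_inbound_dm(cfg: ChannelConfig, store: PairingStore, channel: str, sender: str, now: float) -> str:
    """Decide what to do with a DM (now = seconds since epoch): process, pairing-code, pending, blocked, ignored."""
    if cfg.dm_policy == "disabled":
        return "ignored"
    if sender in cfg.allow_from or (cfg.dm_policy == "open" and "*" in cfg.allow_from):
        return "process"
    if cfg.dm_policy != "pairing":
        return "blocked"          # allowlist, or open without the explicit "*" opt-in (assumption)
    bucket = store.live(channel, now)
    if sender in bucket:
        return "pending"          # already holds an unexpired code
    if len(bucket) >= MAX_PENDING_PER_CHANNEL:
        return "blocked"          # cap reached: no further codes are issued (assumption)
    bucket[sender] = (secrets.token_hex(4).upper(), now)   # code format is constructed
    return "pairing-code"

def approve_pairing(cfg: ChannelConfig, store: PairingStore, channel: str, code: str):
    """Operator approval: move the sender whose pending code matches into the channel's allow list."""
    for sender, (pending_code, _) in list(store.pending.get(channel, {}).items()):
        if secrets.compare_digest(pending_code, code):
            del store.pending[channel][sender]
            cfg.allow_from.add(sender)
            return sender
    return None
```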
OpenClaw instances can be found publicly accessible via network scanning tools:
- Exposed data includes: API keys, bot tokens, OAuth secrets, full conversation histories, command execution capabilities
- Never expose port 18789 directly to the public internet
- Use a reverse proxy with authentication for remote access
- Consider using Tailscale for secure remote access (gateway.tailscale.mode: "serve" or "funnel")
Prompt injection attacks are possible in AI agent systems:
- Attack example: Malicious input could cause AI to forward sensitive data to attacker
- Always treat inbound messages as untrusted input
- Use sandbox mode for non-main sessions (groups/channels)
- Implement rate limiting to slow down automated attacks
- Audit your configuration: run openclaw doctor to check for misconfigurations and surface risky/misconfigured DM policies
- Run OpenClaw in isolated hosts or dedicated containers.
- Do not grant host root privileges or broad Docker socket access.
- Avoid running on production control-plane servers.
- Keep clear separation between test and production environments.
- Use dedicated user accounts with minimal required permissions.
- Implement network segmentation to limit lateral movement.
- Install only audited skills from trusted maintainers.
- Review skill code before enabling execution.
- Disable skills that can run shell commands unless strictly required.
- Log and review all automated actions initiated by the agent.
- Implement skill execution timeouts to prevent infinite loops.
- Use sandboxed environments for skill execution when possible.
- Use dedicated bot accounts with minimal required permissions.
- Implement webhook validation and authentication.
- Rotate messaging platform tokens regularly.
- Monitor for unusual activity patterns in messaging channels.
- Limit the number of concurrent active sessions.
4) Protect API keys and sensitive data
- Store API keys in environment variables or secure vaults, never in code.
- Use different API keys for different environments.
- Implement key rotation policies and procedures.
- Monitor API usage for unusual patterns or spikes.
- Restrict network access to API endpoints.
- Use least-privilege service accounts.
- Scope API tokens to minimum required permissions.
- Restrict outbound egress to approved APIs only.
- Keep incident response procedures ready to revoke keys and disable execution quickly.
- Implement resource limits to prevent system exhaustion.
- Regularly audit file system access and permissions.
6) Enable Sandbox Mode (Recommended)
For group/channel safety, enable sandbox mode to run sessions in Docker containers:
    {
      "agents": {
        "defaults": {
          "sandbox": {
            "mode": "all"
          }
        }
      }
    }
Sandbox defaults:
- ✅ Allowlist: bash, process, read, write, edit, sessions_list, sessions_history, sessions_send
- ❌ Denylist: browser, canvas, nodes, cron, discord, gateway
Sandbox CLI Commands
| Command | Description |
| --- | --- |
| openclaw sandbox explain | Inspect effective sandbox mode, scope, workspace access, and tool policy |
| openclaw sandbox list | List all sandbox containers with status |
| openclaw sandbox recreate --all | Recreate all sandbox containers with updated config |
| openclaw sandbox recreate --agent <name> | Recreate sandbox for specific agent |
Tip: Run openclaw doctor to validate sandbox configuration and check whether Docker is available.
- OpenClaw project site: https://openclaw.ai/
- OpenClaw Documentation: https://docs.openclaw.ai/
- OpenClaw Security Guide: https://docs.openclaw.ai/security
- OpenClaw Sandbox Configuration: https://docs.openclaw.ai/sandbox
- OpenClaw CLI Doctor: https://docs.openclaw.ai/cli/doctor
- OWASP Top 10 for AI: https://owasp.org/www-project-top-10-for-large-language-model-applications/
- NIST AI Risk Management Framework: https://www.nist.gov/itl/ai-risk-management-framework