
OpenClaw Users Warned to Assume Compromise After Major Breach

The popular OpenClaw AI agent framework faces a security crisis as researchers uncover critical RCE vulnerabilities and thousands of exposed instances.

Following the discovery of a high-severity authentication bypass, security researchers have issued an "assume compromise" warning for users of the OpenClaw agent framework. The vulnerability chain allows a malicious website to silently connect to a local gateway instance and execute code. For developers running self-hosted local agents, this breaks the assumption that binding to localhost provides network isolation: the connection is made by the victim's own browser, so it arrives over the loopback interface exactly like a legitimate client.

The ClawJacked Attack Chain

The primary exploit targets the OpenClaw gateway over a WebSocket connection. When a user visits a malicious webpage, JavaScript on that page opens a connection directly to the local agent process. Because the OpenClaw gateway enforces no rate limiting or failure threshold, the attacker can brute-force the management password unhindered, as fast as the browser can issue attempts.

Once authenticated, the attacker registers an attacker-controlled client as a trusted device, which grants full administrative control over the agent environment. The attack compromises the host system even if the OpenClaw gateway is strictly bound to localhost, because the hostile traffic never crosses a network boundary in the first place.

Critical Vulnerabilities List

The framework contains multiple structural flaws across its authentication and sandboxing layers. Security audits identified four primary vulnerabilities.

CVE | Type | Description
CVE-2026-25253 | RCE (CVSS 8.8) | "One-click" code execution via unvalidated gatewayUrl parameters in the Control UI.
CVE-2026-24763 | Command injection | Docker sandbox escape caused by unsafe handling of the PATH environment variable.
CVE-2026-25593 | RCE | Code execution via unsafe cliPath values; patched in version 2026.1.20.
CVE-2026-3098 | Unauthorized access | Missing permission checks in AJAX export actions, allowing file exfiltration.

Exposure and Marketplace Impact

Internet scanning tools have identified 42,665 publicly exposed OpenClaw instances, and analysis of those instances shows that 93.4% remain vulnerable to the critical authentication bypass.

The exposure extends beyond the framework itself. The ClawHub marketplace currently hosts over 820 malicious packages, roughly 20% of the registry. Many of them pose as useful agent skills but drop the Atomic macOS Stealer payload on execution.

Additionally, the Moltbook companion network suffered a database exposure in February 2026. Misconfigured Row Level Security leaked 1.5 million API tokens alongside private messages and 35,000 email addresses.

Patch Status and Mitigation

The OpenClaw project recently transitioned to an independent foundation after creator Peter Steinberger departed to lead personal agent development at OpenAI. The foundation introduced security fixes in version 2026.1.29 and subsequent releases like 2026.2.26.

Updating the software is necessary but insufficient if a machine has already been targeted, and the assume-compromise directive stands because the attack sequence runs silently in the background with nothing for the user to notice. If you rely on local agent deployments, review your network architecture, and in particular which browsers and pages can reach the gateway port. Breaches of this kind typically force teams to rethink how they monitor AI applications across local and cloud environments and to manage agent identities and credentials centrally.

If you deployed an OpenClaw instance before version 2026.1.29, rotate every associated API key immediately, review the gateway's trusted-device list and remove any entry you do not recognise, and audit the local environment for unauthorized scheduled tasks. Operating an unpatched local agent framework currently carries the same risk profile as intentionally installing infostealer malware.
