What is CVE-2026-25253 in OpenClaw?

CVE-2026-25253 (CVSS 8.8) is a critical RCE vulnerability in OpenClaw's WebSocket handler that didn't validate the Origin header, allowing remote attackers to execute arbitrary commands with a single malicious link.

What is CVE-2026-32913 in OpenClaw?

CVE-2026-32913 is an improper header validation bug in fetchWithSsrFGuard. It forwards sensitive custom auth headers (X-Api-Key, Private-Token) across cross-origin redirects, leaking credentials to attacker-controlled servers.

How many OpenClaw instances are exposed on the internet?

135,000+ OpenClaw instances were found exposed on the public internet as of March 2026, per ClawFast's OpenClaw Security Crisis report. Over 60% had exploitable vulnerabilities.

How do I secure my OpenClaw deployment?

Enable authentication, bind to 127.0.0.1 not 0.0.0.0, use TLS, restrict exec permissions, and install SecureClaw for automated hardening checks across all 55 documented threat classes.

Is OpenClaw safe to run?

With proper configuration (auth enabled, bound to localhost, patched to v2026.3.7+), OpenClaw is safer. But the default configuration leaves critical vulnerabilities exposed. Run SecureClaw's audit checklist before deploying.

What is the ClawJacked vulnerability?

ClawJacked is an attack class where malicious websites hijack local OpenClaw AI agents via WebSocket by exploiting missing Origin validation (CVE-2026-25253).

← Back to dashboard

clawsmith.com/claw/openclaw-security-crisis-135k-exposed-rce

⚠ IssueCompetitiveFrameworkLive

OpenClaw Security Crisis: 135K Exposed Instances, RCE, AMOS Stealer

OpenClaw security crisis escalates: CNCERT China March 2026 alert warns of 220K+ unprotected instances exposed to public internet (up from 135K in February). CVE-2026-25253 CVSS 8.8 RCE, AMOS Stealer targeting macOS users. Microsoft recommends isolated VM only. 156 total security advisories in jgamblin tracker.

Virality Score

10,840

across 4 platforms