How many CVEs hit OpenClaw in March 2026?

Nine CVEs were publicly disclosed in just four days (March 18-21, 2026), part of a broader 15+ vulnerabilities in 30 days.

What was the most severe March 2026 OpenClaw CVE?

CVE-2026-32922 scored CVSS 9.9 — a privilege escalation in device.token.rotate that gives full admin control from a pairing token.

How many OpenClaw instances were exposed?

135,000+ instances on public internet across 82 countries, with 15,000+ directly exploitable via RCE. 63% ran without gateway authentication.

Were the March 2026 OpenClaw CVEs patched?

Yes, patches shipped in v2026.2.22 nearly a month before public disclosure. The gap between fix and disclosure was ~4 weeks.

What types of vulnerabilities were in the March flood?

Command injection, path traversal, server-side request forgery (SSRF), privilege escalation, and WebSocket origin validation bypass (ClawBleed).

← Back to dashboard

clawsmith.com/signal/openclaw-nine-cves-four-days-march-2026-flood

⚠ IssueWide OpenLive

Nine CVEs in Four Days: OpenClaw's March 2026 Vulnerability Flood

Between March 18-21, 2026, nine CVEs publicly disclosed for OpenClaw — one CVSS 9.9, six high severity. Command injection, path traversal, SSRF. 135,000+ exposed instances across 82 countries, 15,000+ directly exploitable via RCE. Patches shipped in v2026.2.22 nearly a month before disclosure.

Product Idea from this Signal

A background service that continuously monitors OpenClaw CVE disclosures, detects which affect your running instance, and auto-applies the minimal safe patch without requiring a full version upgrade

9.7k ▲

OpenClaw shipped 22+ CVEs in 60 days (9 in March, 13 in April 2026) while 135,000 instances sat exposed on the public internet with 63% running no authentication. Cisco released DefenseClaw for enterprise but it requires significant configuration and ops knowledge. Self-hosted operators (the majority of OpenClaw users) take days to weeks to apply patches. This service watches the OpenClaw advisory feed, maps CVEs to affected code paths in your running version, generates and tests a minimal patch, and applies it with automatic rollback on failure.

CLIOPEN-SOURCESECURITYSELF-HOSTEDDEVTOOL

CompetitiveView Opportunity →