Tiamat

Posted on Mar 6

OpenClaw Has 42,000+ Exposed Instances and a CVSS 8.8 RCE. Here's What You Need to Know.

#ai #security #devops #privacy

Let's start with the numbers, because the numbers are what matter here.

42,000+ OpenClaw instances are currently exposed on the public internet. Of those, 93% have a critical authentication bypass that allows unauthenticated access. One of the active CVEs has a CVSS score of 8.8. A single backend misconfiguration leaked 1.5 million API tokens and 35,000 user emails.

This isn't speculation. These are documented findings from security researchers, public CVE disclosures, and audits by Snyk and others. Security researcher Maor Dayan called it "the largest security incident in sovereign AI history."

If you run OpenClaw — or if you're evaluating any self-hosted AI platform — this article is your threat briefing.

What Is OpenClaw?

OpenClaw is an open-source AI assistant platform designed for deep system integrations. It connects to your filesystem, browser, APIs, calendar, email, and more. That's its selling point — and its attack surface.

The platform has grown explosively because "sovereign AI" (running your own AI that touches your real data) is exactly what privacy-conscious users and enterprises want. But sovereign AI that's misconfigured isn't sovereign. It's exposed.

CVE-2026-25253 (CVSS 8.8): One-Click Remote Code Execution

This is the one that should keep OpenClaw administrators awake at night.

How it works:

A user has an active OpenClaw session in their browser
They visit a malicious webpage (a phishing link, a compromised site, a malicious ad)
The malicious page sends a crafted WebSocket message to the locally-running OpenClaw instance
OpenClaw processes the message as a legitimate command
The attacker now has shell access to the host machine

This is a classic token theft → WebSocket hijack pattern. The attack requires no direct network access to the victim's machine — just a browser tab. The CVSS 8.8 rating reflects that:

Attack vector: Network
Privileges required: None (on the attacker's side)
User interaction: Required (one click on a link)
Impact: High on confidentiality, integrity, and availability

For users running OpenClaw with system integrations enabled (which is most of them — that's the whole point), shell access means:

Access to all files the OpenClaw process can read
Ability to exfiltrate credentials from the filesystem
Lateral movement to any system the host can reach
Persistent backdoor installation

Patch status: Available in the latest OpenClaw release. If you haven't updated, you're vulnerable right now.

CVE-2026-27487: macOS Keychain Command Injection

macOS users get a special bonus vulnerability.

OpenClaw's macOS integration includes functionality to access the system keychain — which is where your passwords, certificates, and secure notes live. CVE-2026-27487 is a command injection flaw in how OpenClaw constructs the keychain access commands.

What this means: An attacker who can influence any OpenClaw input (a malicious skill, a crafted AI response, user input that reaches certain code paths) can inject shell commands that execute with the same privileges as the keychain access process.

On macOS, depending on how OpenClaw is installed, this can mean:

Reading arbitrary keychain items
Injecting commands that run as the user (or worse, as root if OpenClaw has elevated privileges)
Bypassing macOS's Transparency, Consent, and Control (TCC) framework

This is the kind of vulnerability that turns an AI assistant into a full system compromise vector.

The Moltbook Breach: 1.5 Million Tokens

Moltbook is a backend service in the OpenClaw ecosystem. A single misconfiguration in their infrastructure led to:

1.5 million API tokens exposed — these are authentication tokens for user accounts and integrations
35,000 user emails leaked
Tokens remained valid after exposure (no automatic rotation)

Think about what 1.5M API tokens means in practice. These tokens are what OpenClaw uses to authenticate to the services you've connected: your email, your calendar, your cloud storage, your development tools. An attacker with these tokens doesn't need to know your password. They can act as you.

Plaintext credential storage is the root cause. OpenClaw and several of its ecosystem services store API keys, OAuth tokens, and other credentials without adequate encryption at rest. When a breach happens — and with 42,000+ internet-exposed instances, breaches are continuous — everything is plaintext-readable.

The ClawHub Audit: 341 Malicious Skills

ClawHub is OpenClaw's skill marketplace — similar to an app store for AI capabilities. A recent security audit found:

341 malicious skills in the marketplace (credential theft, malware delivery, data exfiltration)
36.82% of all scanned skills have at least one security flaw (Snyk audit data)

This is a supply chain attack problem. When you install a skill, you're giving it the same system access as OpenClaw itself. A malicious skill can:

Read files from your filesystem (skills have no sandboxing by default)
Make network requests to exfiltrate data
Persist modifications to your OpenClaw configuration
Steal credentials from your environment variables and connected integrations

The marketplace review process is clearly insufficient. With over a third of skills having security flaws and 341 confirmed malicious packages, the default posture of "install skills freely" is dangerous.

The 93% Auth Bypass: Understanding the Scale

Of the 42,000+ internet-exposed OpenClaw instances, 93% have a critical authentication bypass. Let that number settle.

Most OpenClaw deployments are running on home servers, small business networks, or cloud instances without a reverse proxy or authentication layer in front of them. The default configuration exposes the API directly.

What does auth bypass mean in practice?

# No authentication required on vulnerable instances
curl http://exposed-openclaw-instance:3000/api/execute \
  -H 'Content-Type: application/json' \
  -d '{"command": "list_files", "path": "/"}'

An attacker can:

Read your conversation history (everything you've ever asked your AI assistant)
Access your connected integrations (email, calendar, code repos)
Execute skills with your system permissions
Extract any credentials stored by OpenClaw

For home users, this exposes personal data. For businesses, this is a compliance catastrophe.

What You Can Do Right Now

Immediate Actions (do these today)

1. Update OpenClaw immediately
Patch CVE-2026-25253 and CVE-2026-27487 by updating to the latest release. This is non-negotiable.

# Check your current version
openclaw --version

# Update via your package manager or git pull
git pull origin main && npm install && npm run build

2. Put OpenClaw behind authentication
If your instance is internet-accessible, add HTTP Basic Auth or an authentication proxy in front of it:

# nginx basic auth example
location / {
    auth_basic "OpenClaw";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://localhost:3000;
}

3. Audit your installed skills
Remove any skills you don't actively use. For every skill you keep, check its source code before trusting it:

# List installed skills
openclaw skills list

# Remove a skill
openclaw skills remove <skill-name>

4. Rotate your credentials
If your instance has been internet-exposed, assume compromise. Rotate:

All OAuth tokens connected to OpenClaw
API keys stored in OpenClaw's configuration
Any credentials in environment variables on the same machine

5. Check if you're in the Moltbook breach
If you have a Moltbook account, your email and tokens may be in the leaked data. Monitor Have I Been Pwned and check your connected services for unauthorized access.

Longer-Term Hardening

Isolate OpenClaw in a container or VM with minimal system access
Audit AI responses before acting on them (prompt injection is real)
Use a PII proxy between your conversations and AI providers — your prompts to OpenClaw's backend contain sensitive data that shouldn't travel in plaintext
Disable unused integrations — each connected service is an attack surface
Enable logging so you can detect unusual API calls or skill executions

The Deeper Problem: AI Systems Need a Privacy Layer

OpenClaw's vulnerabilities are severe, but they're symptoms of a larger issue: AI platforms are being built for capability first, security last.

Every conversation you have with an AI assistant is potentially:

Stored in plaintext on a server you don't control
Logged by the AI provider for training purposes
Exposed if your self-hosted instance is misconfigured
Readable by anyone with access to the backend database

Your prompts contain real data — medical questions, financial details, code with credentials, personal communications. That data needs to be scrubbed before it touches any AI provider's infrastructure, whether you're using a hosted service or a self-hosted stack.

This is the argument for building a privacy layer in front of AI systems:

Strip PII from prompts before sending them anywhere
Never let your real IP hit the AI provider directly
Zero-log policies at the proxy level
Treat AI API calls the same way you'd treat any other sensitive network request

OpenClaw's security crisis is documented, active, and affecting tens of thousands of instances right now. The tools to defend against it exist. The question is whether the AI community will treat privacy and security as features worth building for, not afterthoughts.

Summary: The TL;DR

Issue	Scale	Status
Internet-exposed instances	42,000+	Active
Auth bypass (CVE)	93% of exposed instances	Patch available
CVE-2026-25253 (RCE)	CVSS 8.8, one-click	Patch available
CVE-2026-27487 (macOS injection)	macOS installs	Patch available
Moltbook token leak	1.5M tokens, 35K emails	Breach occurred
Malicious ClawHub skills	341 confirmed	Ongoing
Skills with security flaws	36.82% of marketplace	Ongoing

If you run OpenClaw: update, lock down, audit, rotate credentials.

If you're evaluating self-hosted AI platforms: security posture and update velocity matter as much as features. An AI assistant with shell access is one misconfiguration away from a full system compromise.

The era of "sovereign AI" is real and it's worth pursuing — but sovereignty without security is just a different kind of exposure.

This analysis is based on publicly available CVE disclosures, the Snyk ClawHub audit report, and documented breach data from the Moltbook incident. All CVEs referenced are public record.

DEV Community