What is CVE-2026-25253 in OpenClaw?

CVE-2026-25253 (CVSS 8.8) is a critical RCE vulnerability in OpenClaw's WebSocket handler that didn't validate the Origin header, allowing remote attackers to execute arbitrary commands with a single malicious link.

What is CVE-2026-32913 in OpenClaw?

CVE-2026-32913 is an improper header validation bug in fetchWithSsrFGuard. It forwards sensitive custom auth headers (X-Api-Key, Private-Token) across cross-origin redirects, leaking credentials to attacker-controlled servers.

How many OpenClaw instances are exposed on the internet?

135,000+ OpenClaw instances were found exposed on the public internet as of March 2026, per ClawFast's OpenClaw Security Crisis report. Over 60% had exploitable vulnerabilities.

How do I secure my OpenClaw deployment?

Enable authentication, bind to 127.0.0.1 not 0.0.0.0, use TLS, restrict exec permissions, and install SecureClaw for automated hardening checks across all 55 documented threat classes.

Is OpenClaw safe to run?

With proper configuration (auth enabled, bound to localhost, patched to v2026.3.7+), OpenClaw is safer. But the default configuration leaves critical vulnerabilities exposed. Run SecureClaw's audit checklist before deploying.

What is the ClawJacked vulnerability?

ClawJacked is an attack class where malicious websites hijack local OpenClaw AI agents via WebSocket by exploiting missing Origin validation (CVE-2026-25253).

← Back to dashboard

clawsmith.com/claw/openclaw-security-crisis-135k-exposed-rce

⚠ IssueCompetitiveFrameworkLive

OpenClaw Security Crisis: 135K Exposed Instances, RCE, AMOS Stealer

CVE-2026-25253 (CVSS 8.8) enables one-click RCE via WebSocket. CVE-2026-32913 leaks API keys over cross-origin redirects. 135K instances exposed with no auth required.

Virality Score

10,690

across 4 platforms