Post

OpenClaw Security in February 2026: One-Click RCE, 40K Exposed Instances, and a Marketplace Problem

A roundup of the OpenClaw security landscape in February 2026 — CVE-2026-25253, tens of thousands of exposed instances, malicious skills in ClawHub, and what you should do about it.

Posted
By Michael Masters & Claude
5 min read
OpenClaw Security in February 2026: One-Click RCE, 40K Exposed Instances, and a Marketplace Problem

OpenClaw has had a brutal February. Between a critical one-click RCE (Remote Code Execution) vulnerability, tens of thousands of misconfigured instances exposed to the internet, and an ongoing marketplace contamination problem, the project is drawing serious scrutiny from security researchers, enterprise CISOs (Chief Information Security Officers), and the press alike.

Here’s what’s happened and what you need to do about it.

CVE (Common Vulnerabilities and Exposures)-2026-25253: One-Click Remote Code Execution

The headline vulnerability. Discovered and disclosed by The Hacker News in early February, CVE-2026-25253 carries a CVSS (Common Vulnerability Scoring System) score of 8.8 and enables full remote code execution from a single malicious link.

How the Exploit Works

The attack chain is elegant and devastating:

  1. Victim clicks a crafted link or visits a malicious webpage — no other interaction required
  2. WebSocket hijacking — OpenClaw’s server doesn’t validate WebSocket origin headers, so the victim’s browser can initiate a connection on the attacker’s behalf, bypassing localhost restrictions entirely
  3. Token exfiltration — the Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload
  4. Safety bypass — with the stolen token, the attacker disables approval requirements and escapes container isolation
  5. Host-level code execution — commands run directly on the host machine, not inside Docker. API keys, tokens, credentials, everything is compromised

The critical detail: this works even when OpenClaw is bound to localhost. The victim’s own browser acts as the bridge, making network-level restrictions useless against this specific attack.

Patched in version 2026.1.29 (January 30, 2026). The fix adds WebSocket origin validation and token rotation. If you’re running anything older, update immediately — this is not optional.

40,000+ Instances Exposed to the Internet

As if the RCE wasn’t enough, researchers at SecurityScorecard found 40,214 OpenClaw instances directly exposed to the public internet. That number is still rising.

The breakdown:

  • 63% of observed deployments are vulnerable
  • 12,812 exposed instances are exploitable via remote code execution
  • Most exposures stem from binding to 0.0.0.0 instead of loopback and skipping gateway authentication

The Register and Bitsight both covered the exposure, with Bitsight noting that many of these instances appear to be “vibe-coded” deployments — set up quickly without security configuration.

The University of Toronto issued a formal vulnerability notification to its community, which gives you a sense of how seriously institutions are taking this.

Version 2026.2.12: The 40-Vulnerability Patch

Released in mid-February, version 2026.2.12 is a comprehensive security-focused update addressing over 40 vulnerabilities and stability issues. This is the version you should be on right now.

Key fixes include the CVE-2026-25253 patch (which first shipped in 2026.1.29), additional WebSocket hardening, improved sandbox isolation, and stricter default configurations.

ClawHub: The Marketplace Problem

The third front in OpenClaw’s security battle is its skill marketplace, ClawHub. The numbers paint an ugly picture:

  • Koi Security found 341 malicious skills in a single coordinated campaign dubbed “ClawHavoc”
  • Snyk audited nearly 4,000 skills and found that over 7% contained flaws exposing credentials
  • A broader Snyk audit found that over a third of skills had at least one security flaw

Skill files are text files — prompts in Markdown format — which makes them easy to create but also easy to weaponize. Malicious skills can hide commands in HTML comments, write instructions into SOUL.md during installation, and establish persistence that survives skill uninstallation.

The marketplace governance and vetting process has been called a “dumpster fire” by security researchers. Until ClawHub gets meaningful review processes, treat every third-party skill as untrusted code.

The Bigger Picture

Fortune, The Register, and Cyera Research Labs are all framing OpenClaw as a cautionary tale about AI adoption outpacing security maturity. With 180,000+ developers using the platform, the attack surface is enormous, and the security model was clearly not designed for the scale of adoption it achieved.

The fundamental tension hasn’t changed: the same properties that make OpenClaw powerful — tool execution, file access, shell commands, API integrations — are exactly what makes a compromised instance catastrophic. An attacker who hijacks an OpenClaw agent inherits every permission it was granted.

What You Should Do Right Now

Immediate Actions

  1. Update to 2026.2.12 — this patches CVE-2026-25253 and 40+ other vulnerabilities
  2. Verify your binding — run grep -i bind ~/.openclaw/openclaw.json and confirm it says "loopback", not "0.0.0.0"
  3. Enable gateway auth — if gateway.auth isn’t configured, your instance is open to anyone who can reach it
1
2
3
4
5
6
7
8
9

{
  gateway: {
    bind: "loopback",
    auth: {
      mode: "token",
      token: "${OPENCLAW_GATEWAY_TOKEN}"
    }
  }
}

Security Audit

1
2
3
4
5
6
7
8
9
10

# Run the built-in audit
openclaw security audit --deep

# Auto-fix common issues
openclaw security audit --fix

# Lock file permissions
chmod 700 ~/.openclaw
chmod 600 ~/.openclaw/openclaw.json
chmod 600 ~/.openclaw/credentials/*.json

Skill Hygiene

  • Don’t install skills from unknown publishers — treat ClawHub like npm in 2018
  • Review skill contents before installing — check for hidden commands, base64 strings, and instructions that modify identity files
  • Use ClawSec for skill integrity verification and drift detection on SOUL.md

Architectural Defense

If your OpenClaw agent processes any untrusted content (web pages, emails, user-provided documents), consider the read-only triage agent pattern — splitting content processing from tool execution so that even successful prompt injection has no tools to exploit. We published a full implementation guide for OpenClaw covering this approach.

Key Takeaways

  • Update to 2026.2.12 immediately — CVE-2026-25253 enables one-click RCE even on localhost-bound instances
  • 40,000+ instances are exposed to the public internet due to misconfiguration — check yours
  • ClawHub skills are not vetted — 7%+ contain credential-exposing flaws, treat them as untrusted code
  • Bind to loopback, enable token auth, kill mDNS — the minimum viable security baseline
  • Run openclaw security audit --deep regularly — configuration drift is a real threat
  • The security model is improving but still immature — OpenClaw’s adoption massively outpaced its security hardening, and the gap is only now being addressed

Resources

Published: February 2026

ai, security
openclaw security cve prompt-injection ai-agents vulnerability
This post is licensed under CC BY 4.0 by the author.