OpenClaw Security Issues in 2026: CVE-2026-25253, ClawHavoc, and What They Mean for You


OpenClaw has become the fastest-growing open-source AI agent in history, surpassing 180,000 GitHub stars in under a year. But with explosive adoption comes explosive risk. In the first two months of 2026, the project has been hit by a critical remote code execution vulnerability, a massive supply chain attack, and a chorus of warnings from Cisco, Microsoft, and Kaspersky. If you are running OpenClaw—whether self-hosted or on a shared server—this article is a comprehensive breakdown of every security issue you need to know about right now.

CVE-2026-25253: One-Click Remote Code Execution

On January 28, 2026, security researchers disclosed CVE-2026-25253, a critical remote code execution (RCE) vulnerability in OpenClaw's core message-handling pipeline. The flaw was assigned a CVSS score of 8.8 (High), and for good reason: it allows an attacker to achieve full code execution on the host machine with a single crafted message sent to the agent.

The vulnerability exists in the way OpenClaw parses and executes skill invocations embedded in incoming messages. By injecting a specially formed payload into a Telegram, WhatsApp, or Discord message, an attacker can escape the skill sandbox and execute arbitrary commands on the underlying operating system. Critically, even instances bound to localhost are affected—the attack does not require the OpenClaw API to be publicly exposed. Any messaging channel that the agent monitors serves as an attack surface.

The OpenClaw maintainers released a patch in version 4.2.1 within 48 hours of disclosure. However, according to a Bitsight scan published on February 10, over 40,000 OpenClaw instances remain unpatched and publicly reachable. Many of these are running on personal cloud VMs, small business servers, and even home networks. The sheer number of exposed OpenClaw instances makes this one of the most dangerous unpatched vulnerabilities in the current threat landscape.

If you are running any version of OpenClaw prior to 4.2.1, stop reading and patch immediately. This is not optional.

ClawHavoc: The Supply Chain Attack That Hit ClawHub

Barely a week after CVE-2026-25253 was disclosed, security firm Snyk published its ToxicSkills study, revealing what researchers are now calling the ClawHavoc supply chain attack. The findings are alarming: 1,184 malicious skills were identified on ClawHub, OpenClaw's official skill marketplace, with some having been available for download for months before detection.

The malicious skills employed a range of techniques. Some exfiltrated environment variables—including API keys, database credentials, and cloud provider tokens—to attacker-controlled servers. Others installed persistent backdoors that survived OpenClaw restarts. A smaller but more dangerous subset deployed cryptominers or established reverse shells, giving attackers ongoing interactive access to compromised hosts.

What makes ClawHavoc particularly dangerous is the trust model of ClawHub. Skills are community-contributed and, until recently, underwent no automated security review before being listed. Users installing skills from ClawHub had no way to distinguish a vetted, safe skill from a trojanized one. The attack surface is compounded by the fact that many OpenClaw deployments run skills with the same privileges as the host process, meaning a malicious skill has full access to anything the OpenClaw agent can reach.

Snyk's report was corroborated by independent analyses from SecurityWeek and The Hacker News, both of which confirmed the scope and severity of the compromise. For a deeper look at the malicious skills landscape, see our analysis of ClawHub malicious skills and how to audit yours.

Microsoft, Cisco, and Kaspersky Sound the Alarm

The security community's response to OpenClaw's issues has been swift and unequivocal. Three major security organizations have published warnings in the past two weeks, each highlighting different dimensions of the problem.

Microsoft Security Blog: Runtime Risk

On February 5, the Microsoft Security Blog published a detailed technical analysis of OpenClaw's runtime architecture, warning that the agent's default configuration creates significant runtime risk. Microsoft's researchers noted that OpenClaw executes skill code in a shared process space without memory isolation, meaning a single compromised skill can read or modify the memory of any other running skill. The post specifically called out the lack of seccomp filtering, namespace isolation, or capability dropping in the default OpenClaw runtime—features that are standard in modern container runtimes.

Microsoft's recommendation was blunt: organizations should not run OpenClaw in production without wrapping it in a hardened container or microVM with strict network egress controls.

Cisco: "A Security Nightmare"

Cisco's Talos Intelligence team published a blog post on February 8 with the headline calling OpenClaw "a security nightmare for enterprise networks." The Cisco Blogs piece focused on the network-level implications of running an autonomous AI agent that can initiate outbound connections, execute code, and interact with external APIs—all without human approval by default.

Talos researchers demonstrated a proof-of-concept attack chain in which a compromised OpenClaw instance was used to pivot laterally across a corporate network, accessing internal databases and exfiltrating sensitive documents. The attack required no prior network access; it began with a single message to the OpenClaw agent on a public Telegram channel. Cisco recommended that enterprises immediately inventory all OpenClaw deployments, restrict their network access to a strict allowlist, and implement action-approval workflows before any skill execution.

Kaspersky: Agent Vulnerability Report

Kaspersky released a February 2026 report on AI agent vulnerabilities, dedicating an entire chapter to OpenClaw. The report documented 14 distinct attack vectors specific to OpenClaw's architecture, including prompt injection via messaging channels, skill dependency confusion, and credential leakage through verbose error logging. Kaspersky's researchers also flagged that OpenClaw's default logging configuration writes full message payloads—including user-provided secrets—to plaintext log files with world-readable permissions on many Linux distributions.

The Kaspersky report concluded that OpenClaw, in its default configuration, is unsuitable for any deployment handling sensitive data, and recommended that organizations evaluate managed hosting solutions that provide sandboxing, network isolation, and audit logging out of the box.

The Bigger Picture: Why Self-Hosting OpenClaw Is Getting Riskier

Each of these issues—CVE-2026-25253, ClawHavoc, and the structural warnings from major security vendors—points to the same underlying problem. OpenClaw was designed for rapid prototyping and personal use. Its architecture prioritizes developer convenience over defense in depth. Skills run with full host privileges. There is no built-in action approval workflow. Network egress is unrestricted. Logging is verbose but insecure. The skill marketplace has no vetting pipeline.

None of this mattered when OpenClaw had a few thousand users experimenting on local machines. It matters enormously now that the project has hundreds of thousands of deployments, many of them in business-critical environments handling customer data, financial records, and proprietary code.

The timing of these disclosures is also notable. OpenClaw founder Peter Steinberger joined OpenAI on February 15, raising questions about the project's long-term security maintenance. While OpenAI has pledged to support the OpenClaw foundation and keep the project open-source, the reality is that the security burden has shifted to the community—and the community is struggling to keep up with the volume of incoming vulnerability reports.

What You Should Do Right Now

If you are running OpenClaw in any capacity, here is your immediate action checklist:

  1. Patch to version 4.2.1 or later. CVE-2026-25253 is a critical RCE with active exploitation in the wild. There is no workaround. Update now.
  2. Audit every installed skill. Cross-reference your installed skills against Snyk's published list of malicious skill identifiers. Remove anything you did not explicitly install and verify. Our guide on ClawHub malicious skills walks through this process step by step.
  3. Restrict network egress. Configure firewall rules so your OpenClaw instance can only reach the specific APIs it needs. Block all other outbound traffic. This limits the blast radius of any compromised skill.
  4. Enable action approval. If your deployment supports it, enable manual approval (see our approval workflows guide) for all skill executions that involve file system writes, network requests, or command execution. This adds friction but dramatically reduces automated attack chains.
  5. Rotate all credentials. If your OpenClaw instance has had access to API keys, database passwords, cloud tokens, or any other secrets, rotate them immediately. Assume they may have been exfiltrated.
  6. Review your logging configuration. Ensure that OpenClaw is not writing sensitive data to plaintext logs. Restrict log file permissions to root-only access.
  7. Consider managed hosting. Self-hosting OpenClaw securely now requires expertise in container isolation, network security, skill auditing, and continuous vulnerability monitoring. For many teams, a secure managed hosting solution eliminates this operational burden entirely.
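As an added example (not OpenClaw's own tooling, and not Snyk's list format, which the article does not specify), the script below implements checklist steps 2 and 6 and the Kaspersky logging finding: it matches installed skill directories against a blocklist file, then finds and fixes log files readable by group or other. The one-directory-per-skill layout, the `<root>/skills` and `<root>/logs` paths and the one-identifier-per-line blocklist are assumptions to adapt to your deployment.

```python
# Added example, not OpenClaw's own tooling: a host-side audit for checklist steps 2 and 6.
# Assumed layout (placeholders): skills under <root>/skills, logs under <root>/logs, blocklist one id per line.
import stat, tempfile
from pathlib import Path

def load_blocklist(path):
    """Blocklist file -> set of lowercase skill ids; blank lines and # comments are ignored."""
    lines = Path(path).read_text().splitlines()
    return {ln.strip().lower() for ln in lines if ln.strip() and not ln.lstrip().startswith("#")}
def audit_skills(skills_dir, blocklist):
    """Installed skill directories whose name matches a blocklisted identifier (step 2)."""
    installed = {p.name.lower() for p in Path(skills_dir).iterdir() if p.is_dir()}
    return sorted(installed & blocklist)
def world_readable_logs(log_dir):
    """Log files whose mode grants read access to group or other (step 6)."""
    findings = []
    for p in sorted(Path(log_dir).rglob("*.log")):
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((p.name, oct(mode)))
    return findings
def restrict_logs(log_dir):
    """Remediate: owner-only read/write on every log file; returns how many were changed."""
    changed = 0
    for p in Path(log_dir).rglob("*.log"):
        if stat.S_IMODE(p.stat().st_mode) != 0o600:
            p.chmod(0o600)
            changed += 1
    return changed
def build_demo_root():
    """Constructed fixture: two skills (one blocklisted) and two logs (one world-readable)."""
    root = Path(tempfile.mkdtemp(prefix="openclaw-audit-"))
    for name in ("weather-lookup", "evil-helper"):  # constructed skill names
        (root / "skills" / name).mkdir(parents=True)
    (root / "blocklist.txt").write_text("# constructed sample list\nEvil-Helper\nother-bad-skill\n")
    (root / "logs").mkdir()
    for name, mode in (("agent.log", 0o644), ("audit.log", 0o600)):  # 0o644: world-readable
        (root / "logs" / name).write_text("constructed log line\n")
        (root / "logs" / name).chmod(mode)
    return root
def run_audit(root):
    """Run both checks against a deployment root and return the findings."""
    root = Path(root)
    return {"malicious_skills": audit_skills(root / "skills", load_blocklist(root / "blocklist.txt")),
            "exposed_logs": world_readable_logs(root / "logs")}

if __name__ == "__main__":
    demo = build_demo_root()
    print(run_audit(demo))  # {'malicious_skills': ['evil-helper'], 'exposed_logs': [('agent.log', '0o644')]}
    print("logs restricted:", restrict_logs(demo / "logs"))  # 1
```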

Timeline of OpenClaw Security Events in 2026

| Date   | Event                                                  | Severity            |
|--------|--------------------------------------------------------|---------------------|
| Jan 28 | CVE-2026-25253 disclosed (RCE via message parsing)     | Critical (CVSS 8.8) |
| Jan 30 | OpenClaw 4.2.1 released with patch                     |                     |
| Feb 3  | Snyk publishes ToxicSkills study (1,184 malicious skills) | High             |
| Feb 5  | Microsoft Security Blog warns of runtime risk          | Advisory            |
| Feb 8  | Cisco Talos calls OpenClaw "a security nightmare"      | Advisory            |
| Feb 10 | Bitsight reports 40,000+ unpatched instances exposed   | High                |
| Feb 12 | Kaspersky publishes agent vulnerability report         | Advisory            |
| Feb 15 | OpenClaw founder Peter Steinberger joins OpenAI        |                     |

The Bottom Line

OpenClaw is a remarkable piece of technology. Its ability to autonomously execute tasks across messaging platforms, interact with APIs, and chain complex workflows has legitimately changed what is possible with AI agents. But that power comes with an attack surface that the project's security posture has not kept pace with.

The combination of CVE-2026-25253, the ClawHavoc supply chain compromise, and the structural warnings from Microsoft, Cisco, and Kaspersky paints a clear picture: running OpenClaw without hardened infrastructure, skill vetting, and continuous monitoring is an unacceptable risk for any organization handling real data.

Whether you harden your self-hosted deployment using the steps above or move to a managed hosting platform that handles isolation and security for you, the time to act is now. The threat actors targeting OpenClaw are not waiting.


Sources: Infosecurity Magazine, Bitsight, SecurityWeek, The Hacker News, Cisco Blogs, Microsoft Security Blog, Kaspersky.

Amogh Reddy
Founder, KiwiClaw · @AireVasant
