On April 23, researchers published a fresh scan showing over 28,000 OpenClaw systems newly exposed to a just-discovered flaw. That's on top of the 135,000 instances already mapped across 82 countries in previous surveys — over 50,000 of which were documented as vulnerable to remote code execution.
If you or anyone on your team has set up an OpenClaw instance, this week is the week to act.
What OpenClaw is
OpenClaw launched in November 2025 under the name Clawdbot — a scrappy open-source project that let you run your own AI agent on a VPS or home server, accessible via WhatsApp, Telegram, or Discord. You message it, it does things: runs commands, manages files, browses the web, handles email. All powered by an LLM of your choice.
It hit 9,000 GitHub stars in its first 24 hours. By February 2026 it had surpassed 214,000 — faster growth than Docker, Kubernetes, or React ever achieved. The appeal for small orgs was obvious: a capable, self-hosted AI assistant for the cost of a $5 VPS and your LLM API bill, no per-seat subscription required.
Then the attack surface caught up with the popularity.
What's broken, specifically
April 2026 brought 13 new CVEs fixed in OpenClaw. Three of the most serious:
CVE-2026-41349 (CVSS 8.8) — Consent bypass. An LLM agent can silently disable execution approval via a config.patch parameter. An attacker who can feed instructions to your agent — through a poisoned skill, a malicious document, or prompt injection — can tell it to stop asking for your permission before taking actions. Your agent just starts doing things autonomously without checking with you.
CVE-2026-41352 (CVSS 8.8) — Remote code execution. A device-paired node can bypass the node scope authentication mechanism and execute arbitrary commands on the host system. If an attacker gets access to a paired device token, they can run arbitrary code on the machine hosting your OpenClaw instance.
CVE-2026-35639 (CVSS 8.7) — Privilege escalation. The device pairing flow fails to validate that the requesting token holds the correct scope before approving access. Any valid token — even a read-only one — can escalate to full operator access. If you've ever issued anyone a limited API key to your OpenClaw instance, they effectively have admin access.
The safest rule right now: any OpenClaw version before 2026.4.5 should be treated as compromised.
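The privilege-escalation bug above is described as a pairing flow that confirms a token is valid but never confirms the token's scope covers what is being requested. The following is an added illustration of that check, written for this post and not taken from OpenClaw's code base: the token format, the scope names ("read", "node", "operator"), the `TokenStore` class and the two `approve_pairing` functions are all assumptions made for the example. The first function shows the shape of the flaw as the page describes it; the second is the hardened form.

```python
"""
Scope-validated approval for a device-pairing request.

Hypothetical illustration: OpenClaw's real token format, scope names and
pairing API are not on the page and are not reproduced here.
"""
from dataclasses import dataclass
import hmac
import secrets
import time

# Assumed scope lattice: each scope maps to the set of scopes it may be
# granted. A read-only token must never be able to reach "operator".
SCOPE_GRANTS = {
    "read": {"read"},
    "node": {"read", "node"},
    "operator": {"read", "node", "operator"},
}


@dataclass(frozen=True)
class Token:
    value: str
    scope: str
    expires_at: float


class TokenStore:
    """In-memory store standing in for whatever the real service persists."""

    def __init__(self):
        self._tokens = {}

    def issue(self, scope, ttl_s=3600):
        if scope not in SCOPE_GRANTS:
            raise ValueError(f"unknown scope {scope!r}")
        tok = Token(secrets.token_urlsafe(32), scope, time.time() + ttl_s)
        self._tokens[tok.value] = tok
        return tok

    def lookup(self, presented):
        # Constant-time comparison against each stored value; fine for a
        # demo-sized store, a real one would index by a token id instead.
        for stored, tok in self._tokens.items():
            if hmac.compare_digest(stored, presented):
                return tok
        return None


def _live_token(store, presented):
    tok = store.lookup(presented)
    if tok is None or tok.expires_at < time.time():
        return None
    return tok


def approve_pairing_vulnerable(store, presented, requested_scope):
    """The pattern the CVE text describes: validity is checked, scope is not.

    Any live token, including a read-only one, is granted whatever scope
    the request names.
    """
    tok = _live_token(store, presented)
    if tok is None:
        return None
    return requested_scope


def approve_pairing(store, presented, requested_scope):
    """Hardened form: the requested scope must be within the token's grant.

    Returns the approved scope, or None to deny. A request for more than
    the token holds is refused outright rather than silently downgraded,
    so the caller cannot mistake a partial grant for a full one.
    """
    tok = _live_token(store, presented)
    if tok is None:
        return None
    if requested_scope not in SCOPE_GRANTS.get(tok.scope, ()):
        return None
    return requested_scope


if __name__ == "__main__":
    store = TokenStore()
    read_only = store.issue("read")
    print("vulnerable:", approve_pairing_vulnerable(store, read_only.value, "operator"))
    print("hardened:  ", approve_pairing(store, read_only.value, "operator"))
```

The point of keeping both functions side by side is the audit question it gives you for any pairing or key-issuance code you own: after the token is found valid, is there a line that compares what it holds against what is being asked for? If not, every limited key you have ever issued is an admin key.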
The marketplace problem
The CVEs are serious. The marketplace issue is arguably worse for small orgs.
OpenClaw's ClawHub is its plugin/skills store — where you extend your agent's capabilities. In February, Koi Security audited ClawHub and found 335 malicious skills from a coordinated campaign they named ClawHavoc. As of the most recent scan, that count has grown to over 1,184 malicious listings across roughly 10,700 total — about 11% of the entire marketplace delivering active malware.
The attack is social engineering adapted for AI agents. Malicious skills look completely legitimate: professional documentation, innocuous names like "gdrive-sync-helper" or "solana-wallet-tracker." The install flow includes instructions that prompt you to paste a terminal command or download a file. On macOS, this deploys Atomic macOS Stealer, which goes after browser passwords, the keychain, SSH keys, and crypto wallets. On Windows, it drops keyloggers.
This isn't a zero-day exploit requiring sophisticated tradecraft. It's a supply chain attack. Same playbook as the malicious npm packages that burned developers for two years, just running inside the AI agent ecosystem now.
The exposure problem
OpenClaw was designed to run locally, bound to localhost. That's in the documentation — but not loudly enough for people who were excitedly spinning it up on a VPS without reading the security section carefully.
Tens of thousands of users deployed it bound to all network interfaces, making the web dashboard globally accessible. In many default configurations, no authentication was required. Anyone scanning the internet could find your OpenClaw control panel, see what your agent has access to, and start issuing commands.
SecurityScorecard documented 135,000 publicly exposed instances across 82 countries. Of those, over 53,000 were correlated with prior breach activity. The April 23 scan added another 28,000 newly exposed by a fresh flaw. These aren't corporate deployments with hardened perimeters. Most are small teams and individual developers who set this up over a weekend and moved on.
What to do right now
1. Update to 2026.4.5 immediately. This is non-negotiable. The April CVEs are being actively exploited. Don't wait until it's convenient.
2. Check your network binding. In your OpenClaw configuration, verify it's bound to 127.0.0.1, not 0.0.0.0. If you're running it on a VPS, it should only be reachable via SSH tunnel or VPN — not a public port. Open your config file and look now, not later.
3. Audit every ClawHub install. Go to Settings → Skills in your OpenClaw dashboard. Every skill installed before April 2026 needs a second look. Cross-reference against the malicious skills lists published by Koi Security and Bitdefender. If you can't verify the author or the source code looks off, uninstall it.
4. Rotate credentials. If your OpenClaw instance was exposed to the public internet — or if you installed unverified ClawHub skills — assume credential theft is possible. Rotate SSH keys, API tokens, browser passwords, and any secrets the agent had access to. Treat it the same way you'd treat a compromised server.
5. Isolate the host machine. Your OpenClaw instance should not be running on a machine with production cloud credentials, database passwords, or access to sensitive data. Dedicated, minimal-access host. Only what the agent actually needs to do its job.
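Steps 1 through 4 can be turned into a repeatable check rather than a one-off look at the config file. The script below is an added example written for this post, not OpenClaw's own tooling, and it assumes a hypothetical config layout (a JSON-style object with `version`, `bind_host` and `auth_required` keys) and a hypothetical skill record (`name`, `author`, `installed` as an ISO date). The denylist is a constructed stand-in for the published malicious-skill lists and contains only the two names quoted earlier in the post; substitute the real lists from Koi Security and Bitdefender when you run it for real.

```python
"""
Offline audit of an OpenClaw-style deployment against the action list above.

Added example. The config and skill shapes are assumptions, not OpenClaw's
real file formats; adapt the two loaders to whatever your instance writes.
"""
from datetime import date
import ipaddress

PATCHED_VERSION = (2026, 4, 5)            # fix level named in the post
SKILL_REVIEW_CUTOFF = date(2026, 4, 1)    # skills installed before April 2026 get a second look

# Constructed denylist: only the two names the post quotes. Replace with the
# published lists before relying on this.
KNOWN_MALICIOUS = {"gdrive-sync-helper", "solana-wallet-tracker"}


def parse_version(v):
    """'2026.4.5' -> (2026, 4, 5); rejects anything that is not three integers."""
    parts = tuple(int(p) for p in v.strip().split("."))
    if len(parts) != 3:
        raise ValueError(f"unexpected version format: {v!r}")
    return parts


def bind_is_exposed(host):
    """True when the listener address accepts traffic from outside the host.

    Covers the wildcard forms (0.0.0.0, ::, '', '*') as well as any
    non-loopback address such as a VPS's public IP.
    """
    if host in ("", "*"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return host != "localhost"       # hostnames: only 'localhost' is safe
    return addr.is_unspecified or not addr.is_loopback


def audit(config, skills):
    """Return a list of (severity, message) findings; empty means clean."""
    findings = []

    if parse_version(config["version"]) < PATCHED_VERSION:
        findings.append(("critical", f"version {config['version']} predates 2026.4.5; update now"))

    if bind_is_exposed(config["bind_host"]):
        findings.append(("critical", f"bound to {config['bind_host']!r}; rebind to 127.0.0.1 "
                                     "and reach it over an SSH tunnel or VPN"))

    if not config.get("auth_required", False):
        findings.append(("high", "dashboard does not require authentication"))

    for s in skills:
        if s["name"] in KNOWN_MALICIOUS:
            findings.append(("critical", f"skill {s['name']} is on the malicious list; uninstall it"))
        elif date.fromisoformat(s["installed"]) < SKILL_REVIEW_CUTOFF or not s.get("author"):
            findings.append(("review", f"skill {s['name']} installed {s['installed']} by "
                                       f"{s.get('author') or 'unknown'}; verify author and source"))

    # Step 4: any critical finding means assume credential theft was possible.
    if any(sev == "critical" for sev, _ in findings):
        findings.append(("action", "treat the host as compromised: rotate SSH keys, API tokens "
                                   "and every secret the agent could read"))
    return findings


# Constructed sample input for a stand-alone run (not a real instance).
SAMPLE_CONFIG = {"version": "2026.3.2", "bind_host": "0.0.0.0", "auth_required": False}
SAMPLE_SKILLS = [
    {"name": "gdrive-sync-helper", "author": "gsync-team", "installed": "2026-02-10"},
    {"name": "calendar-digest", "author": "", "installed": "2026-04-20"},
    {"name": "notes-search", "author": "alice", "installed": "2026-04-22"},
]

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG, SAMPLE_SKILLS):
        print(f"[{severity:8}] {message}")
```

On the sample input this reports the old version, the wildcard bind, the missing auth, the denylisted skill and the skill with no recorded author, then adds the rotate-everything action because criticals were found. Run the same audit again after you have patched, rebound and cleaned up, and an empty result is your evidence that the instance matches the checklist.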
The pattern this fits
We've written about CrewAI's RCE chain, the LiteLLM supply chain compromise, and GitGuardian's report on AI tools leaking API keys. There's a clear pattern: a useful grassroots tool solves a real problem for small orgs, goes viral before its security infrastructure can catch up, and becomes the attack surface of the month.
OpenClaw is the clearest case yet. The growth was that fast — 214,000 stars in four months. The security posture started thin. The attack campaigns (ClawHavoc, the CVE exploitation, the exposure scans) began within weeks of the popularity spike. Researchers are now tracking over 138 CVEs in OpenClaw across a 63-day window.
The orgs that use AI agents well over the next two years will be the ones who adopt early and maintain basic security hygiene: locked-down deployments, credential isolation, vetted plugins. The ones who adopt carelessly — running exposed dashboards with unaudited marketplace plugins — are handing attackers a skeleton key to their systems.
The tool itself is genuinely useful. The problem isn't the tool. It's the gap between "I set this up" and "I set this up securely." That gap is where the incidents live.
We set up and audit AI agent deployments for small teams — including locked-down OpenClaw configs that don't become another statistic in the next SecurityScorecard scan. If you want a quick audit of what's running in your stack, reach out.