Agentic

OpenClaw Security Risks: 138 CVEs and What's Exploited Now

computer server rack data center - a rack of electronic equipment in a dark room

Photo by Tyler on Unsplash

Nine CVEs disclosed in four days. That was the OpenClaw security record during the week of March 18–21, 2026 — a pace that forced enterprise security teams to treat a developer automation tool the same way they treat an exposed database endpoint. According to Google News, and corroborated by detailed coverage from CNBC, Forbes, and The Hacker News, OpenClaw has become one of the fastest-adopted and most rapidly weaponized open-source projects in recent memory. As of July 5, 2026, the project carries 138+ disclosed CVEs tracked across 18 pages on OpenCVE, with two rated CVSS 9.9 Critical and one confirmed actively exploited in the wild.

The Evidence: An Agent That Runs When You're Not Watching

Austrian software developer Peter Steinberger launched OpenClaw — initially under the name Clawdbot — in November 2025. It was renamed to Moltbot on January 27, 2026, and then to OpenClaw just three days later on January 30. What followed was a GitHub adoption curve that security researchers have struggled to keep pace with: on March 3, 2026, the project surpassed React at exactly 250,829 stars to become the sixth-most-starred project on the platform. As of June 2026, it has accumulated 378,000 stars in less than eight months — a milestone React needed roughly ten years to reach.

OpenAI acquired the project in February 2026. NVIDIA assembled an enterprise stack with launch partners including Box, Cisco, Atlassian, Salesforce, SAP, and CrowdStrike. As of June 2026, OpenClaw counts 3.2 million monthly active users, 38 million monthly website visitors, and over 500,000 running instances globally. At least 180 startups are generating $320,000 or more per month in revenue using OpenClaw-based workflows — figures that place the project firmly in the critical-infrastructure category for a meaningful slice of the startup economy.

Why the explosion? The IBM Think podcast put it plainly: "ChatGPT is a conversation where you ask and it answers, and when you close the tab it stops. OpenClaw is a system that runs continuously, triggers actions on schedules, monitors things in the background, and integrates with your infrastructure." That distinction is also the root of the security problem.

The Pattern — From Passive Assistant to Persistent Agent

OpenClaw runs on a ReAct-style observe → plan → act loop. An LLM — Claude, GPT-4, DeepSeek, or another model of the deployer's choice — handles reasoning. OpenClaw handles execution: shell commands, file I/O, API calls, email dispatch, calendar writes, webhook triggers. The agent persists state across sessions via a memory module that Forbes contributor Kate O'Flaherty described as allowing the system to recall past interactions over weeks and adapt to user habits.

In a DevOps context, that architecture means a single OpenClaw instance might read commit diffs, open Jira tickets, run test suites, and push Slack summaries — all without human approval at each step. AIMultiple has documented specific implementation patterns across DevOps pipelines, content production workflows, and continuous code review automation. These are the use cases driving the 180-startup revenue figure. They are also what gives Palo Alto Networks reason to warn of a "lethal trifecta": private data access, untrusted content exposure, and persistent external communications all operating within a single memory-retaining agent loop.

This is the agentic AI pattern in its mature form — not a chatbot with a tool palette, but a system you can point at a workflow and leave running. The AI workflow demo is impressive. The production failure modes are where the real engineering conversation starts.

cybersecurity vulnerability code on monitor screen - black flat screen computer monitor

Photo by SAYAN MONDAL on Unsplash

What We Found: The CVE Record Against the Footprint

The mismatch between OpenClaw's deployment footprint and its security maturity is stark. As of April 2026, 138+ disclosed CVEs are tracked across 18 pages on OpenCVE. CVE-2026-22172 and CVE-2026-32922 both carry CVSS scores of 9.9 — the Critical ceiling. CVE-2026-25253, known as ClawBleed, scores 8.8 and is the only 2026 OpenClaw vulnerability confirmed actively exploited in the wild as of April 2026, according to The Hacker News's technical deep-dive aimed at security professionals.

OpenClaw: Key CVEs by CVSS Score (2026)10.09.08.07.06.09.9CVE-2026-22172CRITICAL9.9CVE-2026-32922CRITICAL8.8CVE-2026-25253ClawBleed ⚠ Exploited⚠ = confirmedactively exploitedin wild (Apr 2026)CVSS Score

Chart: CVSS severity scores for three high-profile OpenClaw CVEs disclosed in 2026. Despite ClawBleed's lower numeric rating, it is the only one confirmed exploited in production environments as of April 2026.

Cyera researchers identified a connected set of vulnerabilities they called "Claw Chain" — a sequence that allows an attacker to establish a foothold inside a running instance, expose sensitive data held in the agent's memory context, and plant persistent backdoors. The ClawHub skills marketplace — OpenClaw's plugin ecosystem — has had over 800 malicious skills flagged as of April 2026, meaning supply-chain risk is live, not speculative.

On February 19, 2026, Microsoft Security Blog issued a formal advisory stating it is "not appropriate to run it on a standard personal or corporate machine." That warning predated the March CVE surge and the ClawBleed active-exploitation disclosure. NVIDIA's subsequent enterprise stack launch — with CrowdStrike as a named partner — is a tacit acknowledgment that "secure wrapper required" is now the baseline deployment assumption, not an optional hardening step. The pattern of rapid autonomous agent adoption outrunning security review capacity isn't unique to OpenClaw; the Citrix Bleed 2 and BYOVD kill-chain analysis published by Cyber Newslens illustrates how memory-persistent networked systems generate compounding attack surfaces that no static CVE list fully captures.

What It Means for Enterprise AI Automation Strategy

The legitimate use cases are substantial. AIMultiple has documented OpenClaw implementation patterns covering DevOps pipeline automation with no manual approval gates, content production workflows where the agent drafts, schedules, and publishes, and continuous code review that monitors pull requests around the clock. The 180 startups generating more than $320,000 per month with OpenClaw are not running toy demos — they are running revenue-generating workflows with real external API access and real downstream consequences if the agent misbehaves or gets hijacked.

The architectural collapse point is this: the power of an autonomous agent comes precisely from its ability to act on untrusted external inputs (emails, web data, API responses) using trusted internal credentials. A prompt-injection payload embedded in a customer email, processed by an OpenClaw instance that also holds SendGrid or Slack credentials, can instruct the agent to exfiltrate the memory context to an external endpoint. This is not a theoretical attack class — it is the Claw Chain pattern Cyera documented, and it requires no exploit code, only carefully crafted content.

Enterprise appetite has not cooled. The Fortune 500 partner roster for NVIDIA's stack — Salesforce, SAP, Cisco, Atlassian, Box — signals that organizations are betting on managed security layers rather than waiting for OpenClaw's internal security posture to mature. That calculus works for teams with dedicated security engineering. As an analysis of enterprise AI billing patterns on SaaS Newslens noted, reduced per-token costs don't constrain total exposure when agent autonomy multiplies the number of tool calls per session — the attack surface scales with the AI workflow.

How to Act on This

1. Deploy OpenClaw as Infrastructure, Not a Productivity Tool

Any instance with file-system, shell, or external API access belongs behind network segmentation, principle-of-least-privilege credential scoping, and audit logging from day one. Microsoft's February 19, 2026 advisory was explicit that default configurations are insufficient for personal or corporate machines. Run instances in isolated containers with restricted outbound network access, and treat credential rotation as scheduled maintenance — not a one-time setup step. The context-window blowup risk is real too: agents with broad memory access tend to accumulate sensitive data in working context that gets logged verbatim.

2. Treat Every ClawHub Skill Install as a Production Dependency

With 800+ malicious skills flagged on the ClawHub marketplace as of April 2026, third-party plugins deserve the same scrutiny as npm packages in a production codebase — except with the additional consideration that a skill with shell access can own the host environment entirely. Review source code, pin to specific versions, and scope each skill to the minimum required permissions. The Claw Chain vulnerability chain demonstrates that a single compromised plugin can escalate to full instance compromise and persistent backdoor installation.

3. Prioritize ClawBleed Remediation Over the CVSS 9.9 Pair

As of April 2026, CVE-2026-25253 (ClawBleed, CVSS 8.8) is the only OpenClaw vulnerability confirmed actively exploited in the wild. Despite its lower numeric severity rating compared to CVE-2026-22172 and CVE-2026-32922 (both CVSS 9.9), active in-the-wild exploitation makes it the higher operational priority. Apply the ClawBleed patch first, follow vendor-issued hardening guides from April 2026, then treat the CVSS 9.9 pair as urgent follow-on remediations. A known-exploited lower-score CVE is more dangerous today than an unexercised maximum-score one.

Frequently Asked Questions

What is the difference between OpenClaw and ChatGPT for business workflow automation?

ChatGPT generates text responses inside a session that ends when the tab closes — it has no persistence, no scheduled execution, and no direct system access. OpenClaw runs as a persistent process, executes tasks on schedules, calls external APIs, reads and writes files, and retains memory across sessions spanning weeks. The IBM Think podcast described it as the difference between a conversation and a continuously running system integrated with your infrastructure. For AI workflow automation, that means OpenClaw can run entire operational pipelines without human intervention at each step. The trade-off is that the attack surface stays open as long as the instance is running, which is typically always.

Is OpenClaw safe to run on a personal or corporate machine without special configuration?

No, according to the February 19, 2026 Microsoft Security Blog advisory, which stated explicitly that it is "not appropriate to run it on a standard personal or corporate machine" — referring to default configurations. Palo Alto Networks characterized the risk as a "lethal trifecta" of private data access, untrusted content exposure, and persistent external communications. Safe deployment requires containerization, network isolation, minimal credential scoping, and ongoing CVE patch management. Running a default instance on a standard machine with access to email and file storage carries real risk given 138+ disclosed CVEs as of April 2026 and one actively exploited vulnerability in that set.

What are the main security risks of using OpenClaw in a production AI workflow?

Three risk categories dominate the research. First, prompt injection: because OpenClaw processes external content (emails, web pages, API responses) and executes LLM-interpreted instructions from that content, adversarial inputs embedded in external data can hijack the agent's action queue. Second, supply-chain compromise: the ClawHub marketplace has had 800+ malicious skills flagged as of April 2026, and a plugin with shell access effectively owns the host. Third, memory poisoning: unlike stateless chatbots, OpenClaw retains context across sessions — a successful memory poisoning attack has durable effects beyond the initial session. The Claw Chain vulnerability class identified by Cyera researchers combines all three vectors into a single chained exploit path.

How much does it actually cost to run an OpenClaw autonomous agent at startup scale?

OpenClaw itself is open-source, so the software license cost is zero. Operational costs break into three categories: LLM API fees (since OpenClaw uses external models like Claude, GPT-4, or DeepSeek as its reasoning layer, and each agent action generates inference calls), infrastructure costs for running persistent instances with appropriate isolation, and — for any production deployment — security tooling costs. The 180 startups generating $320,000 or more per month in revenue as of June 2026 are operating at scale that implies meaningful LLM API spend per automated workflow. For smaller deployments using lower-cost or local inference, the dominant cost is engineering time: setup, containerization hardening, and ongoing CVE patch management rather than per-token fees.

My read: OpenClaw's 138+ CVEs in roughly six months are less a sign of a fundamentally broken codebase and more a sign of what happens when security review capacity fails to scale with adoption velocity — a problem every major open-source infrastructure project has hit eventually, just rarely this fast. When I look at the combination of NVIDIA's Fortune 500 partnership roster and Microsoft's explicit advisory against default deployments, the honest synthesis is that OpenClaw is production-ready for organizations with dedicated security engineering, an auditable deployment process, and a team willing to treat it like the infrastructure-layer system it actually is — and a genuine liability for everyone else who connects it to live credentials and walks away. The use cases are compelling and real. The failure modes are not hypothetical. Those two facts need to be held together.

Disclaimer: This article is editorial commentary based on publicly reported security research, vendor advisories, and industry coverage. It does not constitute legal, security, or professional consulting advice. Organizations should consult qualified security professionals before deploying autonomous AI systems in production environments. Research based on publicly available sources current as of July 5, 2026.