Is OpenClaw safe to use in 2026?

Not with default settings. OpenClaw has had six GitHub Security Advisories in three weeks, 512 vulnerabilities in its first security audit, 341 confirmed malicious skills on ClawHub, and over 42,000 publicly exposed instances. It can be made safer by running on an isolated cloud VM with loopback binding, Docker sandboxing, strict tool allowlists, and burner accounts — but no configuration eliminates all risk.

What is CVE-2026-25253?

CVE-2026-25253 is a critical vulnerability (CVSS 8.8) in OpenClaw that enables one-click remote code execution through cross-site WebSocket hijacking. A victim who visits a malicious web page has their authentication token stolen in milliseconds. It was patched in version 2026.1.29.

ClawHavoc is a coordinated malware campaign that planted 335 malicious skills on ClawHub. The skills disguised themselves as cryptocurrency wallets and YouTube utilities, delivering Atomic macOS Stealer (AMOS). All 335 skills shared the same command-and-control infrastructure at IP 91.92.242.30.

How many OpenClaw instances are exposed on the internet?

As of February 2026, SecurityScorecard identified over 135,000 unique IPs running exposed OpenClaw instances across 82 countries, with 12,812 exploitable via remote code execution.

What happened with Moltbook?

Moltbook exposed approximately 1.5 million API authentication tokens, 35,000 email addresses, and 4,000 private messages because its Supabase database had Row Level Security disabled. The fix required just two SQL statements.

Why did OpenClaw change its name?

OpenClaw was originally called Clawdbot. Anthropic's trademark team forced a rename to Moltbot on January 27, 2026. The developer then rebranded to OpenClaw on January 29, 2026.

Did any governments issue warnings about OpenClaw?

Yes. Belgium's Centre for Cybersecurity, China's MIIT, and South Korea's major tech companies all issued warnings. Gartner recommended enterprises block OpenClaw downloads and traffic immediately.

Is OpenClaw safe to use in an enterprise?

No. Gartner classified OpenClaw as insecure by default. Noma Security reported 53% of enterprise customers gave OpenClaw privileged access over a single weekend. Security researchers universally recommend against enterprise deployment without extensive hardening.

3 posts tagged with "CVE"

Common Vulnerabilities and Exposures documentation

View All Tags

Langflow Got Hacked Twice Through the Same exec() Call. Your AI Stack Probably Has the Same Problem.

March 22, 2026 · 15 min read

Dhayabaran V

Barrack AI

Langflow fixed a critical RCE last year. Attackers just found the same unsandboxed exec() call on a different endpoint, and exploited it in 20 hours flat, with no public proof-of-concept code.

CVE-2026-33017 (CVSS 9.3, Critical) is an unauthenticated remote code execution vulnerability affecting all Langflow versions through 1.8.1, fixed in 1.9.0. Within 20 hours of the advisory going public on March 17, 2026, attackers built working exploits from the advisory text alone and began harvesting API keys for OpenAI, Anthropic, and AWS from compromised instances.

The important part for anyone running AI orchestration tools: the fix for the first vulnerability (CVE-2025-3248) was structurally incapable of preventing this one, because the vulnerable endpoint is designed to be unauthenticated. This is a case study in why AI orchestration tools demand security review at the architecture level, not just the endpoint level.

Your AI Copilot Is the Newest Attack Surface

March 11, 2026 · 15 min read

Dhayabaran V

Barrack AI

Four distinct security incidents in early 2026 prove that AI assistants have become viable, weaponizable attack vectors. Researchers demonstrated zero-click data exfiltration through Excel's Copilot Agent, full system compromise via Chrome's Gemini panel, session hijacking of Microsoft Copilot Personal, and 1Password vault takeover through Perplexity's agentic browser. Each exploits the same fundamental problem: AI agents inherit broad permissions and cannot reliably distinguish legitimate instructions from attacker-controlled content. The industry data confirms the gap: 83% of organizations plan to deploy agentic AI, but only 29% feel ready to secure it.

OpenClaw is a Security Nightmare — Here's the Safe Way to Run It

February 17, 2026 · 22 min read

Dhayabaran V

Barrack AI

OpenClaw, the open-source AI agent that rocketed to 179,000 GitHub stars and triggered a Mac mini shortage, is riddled with critical vulnerabilities that have already been exploited in the wild. A one-click remote code execution flaw, 341 malware-laden skills on its marketplace, over 42,000 exposed instances on the public internet, and a vibe-coded social network that leaked 1.5 million API tokens — this is not a theoretical risk. Security researchers, government agencies, and firms from Cisco to Kaspersky have called it one of the most dangerous consumer AI deployments ever released. Yet OpenClaw remains genuinely useful. The solution is not to avoid it entirely but to run it on an isolated cloud VM where its blast radius is contained. Here's every documented vulnerability, and the exact steps to deploy it safely.