When OpenClaw shipped CVE-2026-25253 in January, roughly 1,000 public installs were compromised before the patch landed. Self-hosted AI security stopped being theoretical that month. This hub collects what we know about it.
The post-OpenClaw-crisis security baseline for any agent you self-host in 2026 looks like this: sandbox-on by default, authenticated dashboard, encrypted credential vault, explicit network egress allowlist, hash-chained audit log, working CVE disclosure channel, and a 48-hour patch SLA on critical issues.
Hermes Agent post-2026.4 ships all of those. OpenClaw 2026.4+ ships most of them. Nanobot ships none of them by design: it is a single-user codebase audited by reading the source. IronClaw goes further still with gVisor and SAML.
If you're not at this baseline, you're closer to the pre-2026 dangerous defaults than you think. The articles below cover the threat model, the audit checklist and the incident response playbook. The CVE archive lists every disclosed vulnerability we track. The agents and providers pages note who passes and who fails our security baseline.
Self-hosted AI security is not exotic. It's regular hygiene applied to a moderately new attack surface. The mistakes that matter are mistakes we already know how to avoid in other software.
Guides
- Self-hosted AI security playbook 2026 — the practical operator's guide — Practical security playbook for self-hosted AI agent operators in 2026. Threat model, sandbox setup, credential storage, network isolation, monitoring, incident response. Step-by-step, post-OpenClaw-crisis.
- OpenClaw security crisis 2026: what you need to know — OpenClaw shipped a one-click RCE in January 2026. Roughly 1,000 public installations were running without authentication. Here's what happened, what's exposed, and what to do.
- The complete OpenClaw timeline (Nov 2025 → Apr 2026): from weekend project to 135K installs to security crisis — Long-form history of OpenClaw — Peter Steinberger's autonomous AI agent. Origin, viral growth, technical architecture, the move to OpenAI, the security collapse, and what it means for self-hosted AI in 2026.
Agents on this topic
- OpenClaw — The original viral self-hosted AI agent. Post-crisis 2026.4 line is genuinely safer; pre-2026.3 is genuinely dangerous.
- Hermes Agent — Post-OpenClaw safe default. Docker-sandboxed by default, multi-LLM, opinionated. The agent we'd hand a colleague today.
- IronClaw — Enterprise zero-trust agent. gVisor + audit logs + RBAC + SAML. $750/seat/year.
- ZeroClaw — Privacy-first. Local LLMs only. Network egress denied at iptables. AGPL-3.0.
Vulnerabilities
- CVE-2026-25253 — OpenClaw — 1-click RCE via WebSocket origin bypass
- CVE-2026-25103 — OpenClaw — credential storage in plaintext on disk
- CVE-2026-25898 — OpenClaw — credential leak via verbose error logs
- CVE-2026-23912 — MCP protocol — tool description spoofing across implementations
Terms
Sandbox · Sandboxed tool execution · Approval flow · Prompt injection · RCE (Remote Code Execution) · WebSocket origin validation · CVE-2026-25253