Every OpenClaw CVE in 2026 Explained: 5 Vulnerabilities, 40K Exposed Instances | OpenClaw DC
Five CVEs have been disclosed against OpenClaw in 2026. The most critical, CVE-2026-25253 with a CVSS score of 8.8, allows full machine compromise with a single click. Over 40,000 instances were found exposed on the internet, and 63% of them were running versions vulnerable to remote exploitation. Here is what each vulnerability does, whether you are affected, and how to fix all of them.
TL;DR: Update to OpenClaw 3.22+ immediately. Run openclaw doctor. Check your gateway binding. If you do nothing else, do those three things right now.
All five OpenClaw CVEs at a glance
| CVE ID | CVSS | Impact | Fixed in |
|---|---|---|---|
| CVE-2026-25253 | 8.8 | Auth token theft leading to full RCE | 3.22 |
| CVE-2026-22176 | 7.8 | Windows command injection | 3.22 |
| CVE-2026-22179 | High | macOS remote code execution | 3.22 |
| CVE-2026-32018 | 6.6 | Race condition in skill execution | 3.22 |
| CVE-2026-32065 | 5.7 | Approval bypass for restricted actions | 3.22 |
Two additional issues were also reported: CVE-2026-32913 (cross-origin header leak) and credential exposure through setup codes. All are patched in version 3.22 and later, which includes over 30 security fixes.
CVE-2026-25253: one-click machine compromise (CVSS 8.8)
This is the one that matters most. CVE-2026-25253 allows an attacker to steal your OpenClaw gateway authentication token by getting you to visit a crafted webpage. The attack works because older versions of the OpenClaw gateway respond to cross-origin requests without proper validation. A malicious page can silently query your local gateway, extract the auth token from the response headers, and send it to an attacker-controlled server.
Once the attacker has your gateway token, they have full control of your OpenClaw instance. They can execute arbitrary commands on your machine, read and write files, access environment variables containing API keys, and install persistent backdoors. The entire chain requires exactly one click from the victim.
The fix was a strict same-origin policy on the gateway listener plus token rotation. If you are running any version before 3.22, assume your current gateway token is compromised. Update, rotate, and bind to loopback.
openclaw update --to latest
openclaw doctor --generate-gateway-token
openclaw config set gateway.bind loopback
CVE-2026-22176: Windows command injection (CVSS 7.8)
This vulnerability affects Windows users only. OpenClaw passed certain skill arguments through cmd.exe without proper escaping. An attacker who could control a skill parameter, either through a malicious ClawHub skill or a prompt injection, could inject arbitrary Windows commands.
The attack surface is narrower than CVE-2026-25253 because it requires the user to install and run a malicious skill. But given that 341 poisoned skills were found on ClawHub through the ClawHavoc campaign, the practical risk was real. The fix sanitizes all arguments passed to the system shell on Windows.
openclaw update --to latest
openclaw skills scan --all
CVE-2026-22179: macOS remote code execution
CVE-2026-22179 targets macOS installations specifically. The vulnerability exists in how OpenClaw handles certain file type associations on macOS. A crafted skill manifest could trigger code execution through the macOS Launch Services framework without requiring explicit user approval.
This was particularly dangerous for users who had enabled automatic skill approval in their configuration. The combination of auto-approve and this vulnerability meant a malicious skill could execute native code on macOS the moment it was installed. The fix adds manifest validation and blocks Launch Services invocations from skill contexts entirely.
openclaw config set skills.auto_approve false
openclaw update --to latest
CVE-2026-32018: race condition in skill execution (CVSS 6.6)
A race condition in the skill execution pipeline allowed a skill to bypass sandboxing constraints during a narrow timing window. When multiple skills executed concurrently, the permission context from one skill could briefly leak to another. This means a low-privilege skill could inherit the permissions of a high-privilege skill running at the same time.
Exploitation required precise timing and control of at least one installed skill. The fix introduces per-execution permission tokens that are scoped and validated independently of the execution queue.
openclaw update --to latest
openclaw skills list --running
CVE-2026-32065: approval bypass (CVSS 5.7)
The lowest-severity CVE in this batch, but still worth addressing. CVE-2026-32065 allowed certain restricted actions to skip the user approval prompt under specific conditions. When a skill chained multiple sub-actions, the approval check applied only to the first action in the chain. Subsequent actions in the same chain inherited the approval without asking the user.
This meant a skill could request permission for a harmless action, get approval, and then silently execute a more sensitive action in the same chain. The fix applies approval checks to each action independently.
openclaw update --to latest
openclaw config set skills.chain_approval strict
Am I affected?
Run through this checklist:
- Check your version. Run openclaw --version. Anything before 3.22 is vulnerable to all five CVEs.
- Check your gateway binding. Run openclaw config get gateway.bind. If the result is 0.0.0.0 or anything other than loopback or 127.0.0.1, your instance is exposed.
- Check for installed ClawHub skills. Run openclaw skills list --installed. Cross-reference against the ClawHavoc list published by Cisco.
- Check auto-approve. Run openclaw config get skills.auto_approve. If it returns true, disable it immediately.
- Check your platform. Windows users are additionally exposed to CVE-2026-22176. macOS users are exposed to CVE-2026-22179.
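The checklist above as a script, added here as an example and not part of OpenClaw itself. Each check is a small function that takes the command's output as a string, so the decision logic (version before 3.22, bind address other than loopback, auto-approve enabled) can be exercised without the CLI; the live audit function assumes openclaw --version and openclaw config get print the bare values the checklist quotes.

```shell
#!/bin/sh
# Added example, not OpenClaw project code. Each check takes the command
# output as its argument; audit() runs the real commands (assumed to print
# the bare values quoted in the checklist) when the script is invoked with "run".
# "patched" for 3.22 or later, "vulnerable" otherwise; tolerates an "openclaw v" prefix and a "-beta" suffix (assumed formats).
check_version() {
  ver=$(printf '%s' "$1" | sed 's/^[^0-9]*//')
  major=${ver%%.*}
  rest=${ver#*.}
  minor=$(printf '%s' "${rest%%.*}" | sed 's/[^0-9].*//')
  if [ "${major:-0}" -gt 3 ] || { [ "${major:-0}" -eq 3 ] && [ "${minor:-0}" -ge 22 ]; }; then
    echo patched
  else
    echo vulnerable
  fi
}
# "safe" only when the gateway is bound to loopback; anything else is "exposed".
check_bind() {
  case "$1" in
    loopback|127.0.0.1) echo safe ;;
    *) echo exposed ;;
  esac
}
# "unsafe" when automatic skill approval is on.
check_auto_approve() {
  case "$1" in
    true) echo unsafe ;;
    *) echo safe ;;
  esac
}
# Run the live checks; returns 1 on any finding, 2 if the CLI is missing.
audit() {
  command -v openclaw >/dev/null 2>&1 || { echo "openclaw not on PATH" >&2; return 2; }
  status=0
  v=$(openclaw --version)
  [ "$(check_version "$v")" = patched ] || { echo "version $v is before 3.22: all five CVEs apply"; status=1; }
  b=$(openclaw config get gateway.bind)
  [ "$(check_bind "$b")" = safe ] || { echo "gateway.bind=$b: gateway reachable beyond loopback"; status=1; }
  a=$(openclaw config get skills.auto_approve)
  [ "$(check_auto_approve "$a")" = safe ] || { echo "skills.auto_approve=$a: disable it"; status=1; }
  case "$(uname -s)" in
    Darwin) echo "macOS host: CVE-2026-22179 also applies before 3.22" ;;
    MINGW*|MSYS*|CYGWIN*) echo "Windows host: CVE-2026-22176 also applies before 3.22" ;;
  esac
  return "$status"
}

if [ "${1:-}" = run ]; then audit; fi
```

Save it as a file and invoke it with the argument run on the host you are checking; a non-zero exit means at least one item on the checklist failed.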
The 40,000 exposed instances
Researchers scanning the public internet found over 40,000 OpenClaw instances with their gateways reachable from external networks. Of those, 63% were running versions vulnerable to CVE-2026-25253, meaning roughly 25,000 machines could be fully compromised by anyone who knew the gateway endpoint.
Most of these exposed instances were home lab setups, small business servers, and VPS deployments where users had changed the gateway bind address to allow remote access without understanding the security implications. Many were running default configurations with no gateway authentication token set at all.
This is not a theoretical risk. The ClawHavoc campaign actively targeted exposed instances. If your gateway has been publicly accessible at any point before updating to 3.22, treat it as compromised. Rotate all credentials, audit your file system for unauthorized changes, and check for unexpected cron jobs or launch agents.
The ClawHavoc connection
The five CVEs and the ClawHavoc campaign are separate issues, but they compound each other. ClawHavoc relied on users installing malicious skills from ClawHub. The CVEs made the damage from those skills far worse. CVE-2026-32065 let malicious skills bypass approval prompts. CVE-2026-22176 and CVE-2026-22179 gave them native code execution. CVE-2026-25253 gave attackers a way in without needing to trick users into installing anything at all.
341 malicious skills were identified and removed from ClawHub. ClawHub now integrates VirusTotal scanning for new submissions, but the supply chain risk remains. For a full breakdown of the campaign and how to vet skills, read our ClawHavoc and malicious skills deep dive.
Fix everything right now
Run these commands in order:
openclaw update --to latest
openclaw doctor
openclaw config set gateway.bind loopback
openclaw doctor --generate-gateway-token
openclaw config set skills.auto_approve false
openclaw config set skills.chain_approval strict
openclaw skills scan --all
Verify the update:
openclaw --version
You should see 3.22 or later. If openclaw doctor reports any warnings, address each one before continuing to use the instance.
For the full 14-step hardening process beyond these CVE-specific fixes, follow our OpenClaw security checklist. If you want to understand the latest patches and features shipping with current releases, see the OpenClaw 3.24 release notes.