Introduction

Between December 2025 and February 2026, OpenClaw faced a barrage of critical security disclosures. The most severe allowed one-click remote code execution; others bypassed Docker sandboxing and enabled server-side request forgery. As of February 19, 2026, version 2026.2.17 has patched all known CVEs — yet tens of thousands of misconfigured instances remain exposed to the public internet.

This article provides a comprehensive overview of the January 2026 security crisis: what was disclosed, how the vulnerabilities worked, and what you must do to protect your installation. For users running OpenClaw in production, the message is clear: upgrade immediately, harden your configuration, and never expose the Gateway to the public internet.

CVE-2026-25253: One-Click RCE

CVSS: 8.8 (High)

This "incorrect resource transfer between spheres" (CWE-669) vulnerability could be triggered if a user visited a malicious website while OpenClaw was running. The attack allowed exfiltration of gateway tokens, granting operator-level control over the local machine. One click, full compromise.

Root cause: The Gateway's token handling allowed cross-origin leakage when the agent's browser automation visited attacker-controlled pages. Tokens were exposed to JavaScript in the malicious page's context. An attacker could craft a page that, when loaded by the agent (or by a user whose browser shared context with the Gateway), would read the token and send it to a remote server. From there, the attacker could issue commands to the OpenClaw instance as if they were the operator.

Attack scenario: User receives a phishing email with a link. User clicks. The page loads malicious JavaScript that exploits the token leak. Within seconds, the attacker has the Gateway token. They connect to the user's OpenClaw instance, execute arbitrary shell commands, read files, and establish persistence. No malware installation required — the vulnerability was in the framework itself.

The fix: Token isolation. The Gateway now ensures tokens are never exposed to browser or cross-origin contexts. Tokens are stored in a separate process space and passed only through secure channels.

CVE-2026-24763: Docker Sandbox Bypass

CVSS: High

Researchers discovered that attackers could bypass the Docker sandboxing that many users relied on for safety. The vulnerability allowed access to the host filesystem from within the container — effectively negating the isolation that Docker was supposed to provide.

Impact: Users who believed their agent was confined to a container were actually exposed to host takeover. Malicious skills or prompt injection could read/write host files, install persistence, and access other containers. The "sandbox" was porous.

Technical details: The issue stemmed from namespace and mount configuration. A crafted sequence of operations could escape the container's view of the filesystem and access paths that should have been inaccessible. The fix involved hardening namespace isolation and removing dangerous mount options.

Lesson: Docker is a useful layer of defense, but it was never a complete solution. Defense in depth — network isolation, auth, and skill auditing — remains essential. See OpenClaw Docker for current best practices.

Other CVEs

CVE            | Score | Impact
CVE-2026-26322 | 7.6   | SSRF in Gateway — attacker could induce the Gateway to request internal resources
CVE-2026-26319 | 7.5   | Missing webhook auth (Telnyx) — unauthenticated webhooks could trigger actions
CVE-2026-26329 | High  | Path traversal in browser file upload — could read arbitrary files via crafted uploads

Each of these required specific conditions to exploit, but in combination with social engineering or other vulnerabilities, they significantly expanded the attack surface. The SSRF issue was particularly concerning for users running OpenClaw in cloud environments with internal metadata services.

Patch Status

Version 2026.2.17 (released February 17, 2026) includes patches for all known CVEs. Key fixes:

  • Token isolation: Gateway tokens no longer leak to browser context. Cross-origin access blocked.
  • Docker: Fixed namespace isolation; host filesystem no longer accessible from container.
  • Webhook auth: Telnyx and similar integrations now require authentication. Unauthenticated webhooks rejected.
  • Path traversal: Input validation on file upload paths. Malformed paths rejected.
  • SSRF: Gateway request handling updated to prevent internal resource access.

Action required: Upgrade immediately if you are running an older version. Run openclaw update or pull the latest Docker image. Verify the version with openclaw --version; you should see 2026.2.17 or higher.

Real-World Impact and Incidents

In the weeks following disclosure, security researchers and incident responders reported multiple compromises. In one case, an exposed Gateway (auth disabled, bound to 0.0.0.0) was used to mine cryptocurrency. In another, an attacker exfiltrated SSH keys and gained persistent access to a developer's machine. The common thread: instances that were either unpatched or misconfigured (exposed to the internet, no authentication).

The Foundation's telemetry (opt-in) suggested that as of mid-February 2026, approximately 21,000 instances remained exposed with default or no authentication. If you've ever run OpenClaw with --gateway-host 0.0.0.0 or without auth, assume compromise and rotate credentials. See 21K exposed instances for context.

Recommendations

  • Upgrade to 2026.2.17 or later — non-negotiable.
  • Never expose Gateway to public internet — use localhost (127.0.0.1) only. If you need remote access, use SSH tunneling or a VPN.
  • Enable authentication — deprecate auth-none mode. Use API keys or OAuth.
  • Run behind VPN or private network — if the agent must be reachable from other machines, isolate it.
  • Audit installed skills — run SecureClaw or equivalent. Remove skills from untrusted sources. See ClawHavoc for supply chain risks.
  • Rotate credentials — if you were running a vulnerable version, assume tokens may have been exposed. Generate new API keys, rotate SSH keys, change passwords.

Post-Patch Hardening Checklist

After upgrading, work through this checklist:

  1. Confirm version: openclaw --version ≥ 2026.2.17
  2. Verify Gateway binds to 127.0.0.1 only (check config)
  3. Enable auth; disable auth-none
  4. Run openclaw secureclaw scan (or equivalent) on skills
  5. Review HEARTBEAT.md and AGENTS.md for any tasks that fetch external URLs — ensure they're trusted
  6. If using Docker, pull latest image; verify no host mounts except intended
  7. Rotate any credentials that may have been exposed
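
Checklist items 1 and 2 can be scripted. The script below is an added example, not part of the original article or OpenClaw's own tooling: it compares version fields numerically (a plain string comparison would rank 2026.2.9 above 2026.2.17) and flags non-loopback listeners in ss output. The openclaw --version output format, the sample data and port 8080 are assumptions.

```shell
#!/bin/sh
# Added example, not OpenClaw tooling. MIN_VERSION is from the article;
# the `openclaw --version` output format and the port are assumptions.
MIN_VERSION="2026.2.17"

# Pull the first dotted X.Y.Z number out of whatever the tool prints.
extract_version() {
    awk 'match($0, /[0-9]+\.[0-9]+\.[0-9]+/) {
             print substr($0, RSTART, RLENGTH); exit }'
}

# version_ge A B: succeed when A >= B, comparing each field as an integer.
version_ge() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*} y=${b%%.*}
        if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
        if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
    done
    return 0
}

# Read `ss -ltnH` style lines on stdin; print every local address that
# listens on PORT and is not loopback (127.0.0.0/8 or [::1]).
exposed_binds() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, f, ":")
        if (f[n] != port) next
        addr = substr($4, 1, length($4) - length(f[n]) - 1)
        if (addr !~ /^127\./ && addr != "[::1]") print addr
    }'
}

# Constructed sample data (not captured from a real host); 8080 is a
# placeholder port, not OpenClaw's documented default.
SAMPLE_VERSION_OUTPUT="openclaw 2026.2.9"
SAMPLE_SS='LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 128 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*'

v=$(printf '%s\n' "$SAMPLE_VERSION_OUTPUT" | extract_version)
if version_ge "$v" "$MIN_VERSION"; then echo "version $v: ok"
else echo "version $v: older than $MIN_VERSION, upgrade"; fi
printf '%s\n' "$SAMPLE_SS" | exposed_binds 8080 | while read -r addr; do
    echo "port 8080 is listening on non-loopback address $addr"
done
```

On a live host, feed the functions real data: openclaw --version | extract_version, and ss -ltnH | exposed_binds with the port your Gateway is configured to use.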

Wrapping Up

The January 2026 security crisis was a wake-up call for the agentic ecosystem. OpenClaw's "god-mode" capabilities — full system access, browser control, messaging — create a high-value target. The Foundation has responded with patches and improved defaults. Users must upgrade and harden. See OpenClaw security for full guidance and security risks for ongoing threat awareness.