OpenClaw

Agent Orchestration

OpenClaw has a critical, actively exploited CVE history including a CVSS 9.9 RCE and a live supply chain attack on its skill marketplace — verify you are running a fully patched version and audit all installed skills before doing anything else.

Significant concerns — requires active investigation before production or team use. See the Recommendations & Guidance tab below.

Score Summary

Claim Accuracy: 3/5
Data & Privacy: 3/5
Security Posture: 1/5
Transparency: 4/5

Key Findings

CVE-2026-25253 (CVSS 8.8) — a one-click RCE via cross-site WebSocket hijacking — was actively exploited in the wild against 135,000+ exposed instances before the patch in v2026.1.29 (January 30, 2026); as of February 2026, 28% of exposed instances remained unpatched (source: https://security.utoronto.ca/advisories/openclaw-vulnerability-notification/; https://dev.to/waxell/the-openclaw-security-crisis-135000-exposed-ai-agents-and-the-runtime-governance-gap-e26).

A total of 5 formal CVEs and 137 security advisories were tracked in the 63-day window from February–April 2026, including CVE-2026-32922 (CVSS 9.9, token rotation privilege escalation leading to RCE) — the highest-severity CVE in the project's history (source: https://blink.new/blog/openclaw-2026-cve-complete-timeline-security-history).

ClawHavoc — an ongoing supply chain attack — distributed 341+ malicious skills through the official ClawHub marketplace; these skills persist on systems even after CVE patches are applied and are not removed by updating the OpenClaw binary (source: https://blink.new/blog/openclaw-2026-cve-complete-timeline-security-history).

The default native runtime gives the agent full host access; Docker sandboxing is explicitly opt-in and must be configured manually — users who do not set sandbox mode run the agent with the same permissions as their own user account (source: https://github.com/openclaw/openclaw README; https://trust.openclaw.ai/).

Project creator Peter Steinberger joined OpenAI in February 2026 and is transitioning OpenClaw to an independent open-source foundation supported by OpenAI; the governance structure of the foundation is not yet publicly formalised, creating a stewardship transition period (source: https://steipete.me/posts/2026/openclaw; https://techcrunch.com/2026/02/15/openclaw-creator-peter-steinberger-joins-openai/).