This is a complete, publishable HTML article. It is a deep-dive analysis of the OpenClaw security landscape as of April 29, 2026, written in the skeptical, practitioner-focused voice of RedRook.
“`html

OpenClaw Security Advisory Deep Dive — 2026-04-29

Published 2026-04-29 · Updated 2026-04-29

Intro. OpenClaw has faced at least 137 security advisories between February and April 2026, with 5 formal CVEs from NVD, 13 CVEs in the April 9-10 batch, and 8 more filed this week (April 23-28). The ClawHavoc supply chain campaign has removed 341+ malicious skills from ClawHub, and an estimated 135,000+ instances remain publicly exposed, 63% without authentication. For any team running OpenClaw agents, the operational risk is no longer theoretical — it demands immediate verification of gateway exposure, patch status, and skill provenance.

Key Context

The current wave of OpenClaw vulnerabilities has been documented across multiple sources since early 2026. The most critical single issue, CVE-2026-32922 (Token Rotation Privilege Escalation, CVSS 9.9), was disclosed on March 29 and fixed in version 2026.3.11. The broader pattern emerged from coordinated research by Blink.new, RedPacket Security, Oasis Security, and Ars Technica. On April 23, NVD published a fresh batch of eight CVEs, including an agentic consent bypass (CVE-2026-41349) and an IPv6 special-use range bypass (CVE-2026-41361). The maintainers of OpenClaw have responded with patches in versions 2026.3.28, 2026.3.31, 2026.4.5, and 2026.4.8, but the speed of disclosure has outpaced many operators’ update cycles.

What Actually Happened

Between February and April 2026, the OpenClaw ecosystem experienced an unprecedented concentration of security disclosures. The jgamblin/OpenClawCVEs tracker lists 137+ entries across GitHub Security Advisories (GHSA) and repository-level reports. The NVD has formally assigned five CVEs so far, with the most severe being the token rotation privilege escalation (CVE-2026-32922, CVSS 9.9) that could allow an attacker to mint tokens for any role. The April 9-10 batch added 13 CVEs, including privilege escalation via device.pair.approve (CVE-2026-35639, CVSS 8.7) and remote code execution via .npmrc in local plugin install (CVE-2026-35641, CVSS 8.4).

The supply chain threat, dubbed ClawHavoc, has seen 341+ malicious skills removed from ClawHub according to Blink.new and Oasis Security. Payloads included Atomic Stealer (AMOS) for macOS and Vidar infostealer for Windows. Some skills had fabricated review counts and realistic READMEs. A single-source audit cited by Coinotag estimates that 12-20% of ClawHub plugins are malicious, though this figure is not independently confirmed. The most recent CVEs (April 23-28) include:

• CVE-2026-41349 — Agentic consent bypass: LLM agents can silently disable execution approval via config.patch.
• CVE-2026-41353 — allowProfile-based session hijacking via browser/proxy reuse.
• CVE-2026-41355 — Arbitrary code execution in mirror mode (OpenShell).
• CVE-2026-41359 — Privilege escalation: write-scoped operators can access admin Telegram config and cron persistence.
• CVE-2026-41361 — IPv6 special-use range bypass: outbound requests to non-routable ranges.
• CVE-2026-41342 — Auth bypass: remote onboarding persists unauthenticated discovery endpoints.
• CVE-2026-41364 — Symlink following in SSH tar upload leading to arbitrary file write.
• CVE-2026-41371 — Privilege escalation in chat.send: write-scoped to admin session reset.

All of these are fixed in OpenClaw 2026.3.28, except CVE-2026-41364 (fixed in 2026.3.31) and the April 9-10 batch (fixed in 2026.4.5). The latest patched version as of today is 2026.4.14, which includes scope validation fixes for node.pair and token.rotate (GHSA-67mf-f936-ppxf and GHSA-whf9-3hcx-gq54).

Why This Matters for AI Operators

If you run OpenClaw agents in production, the operational impact is direct. The consent bypass (CVE-2026-41349) means any agent with write access to configuration can disable execution approval, turning a multi-agent pipeline into a blind trust model. The privilege escalation chain via chat.send (CVE-2026-41371) allows a write-scoped operator to reset admin sessions. For teams using OpenClaw as an agent orchestrator, these are not abstract risks — they map to real attack paths.

The security implications extend to gateway exposure. According to Valletta Software, 63% of publicly exposed OpenClaw instances run without authentication. If your gateway listens on anything beyond localhost or a trusted VPN, ClawJacked (WebSocket auth bypass, CVE-2026-28472) and ClawBleed (RCE via WebSocket XSS, CVE-2026-25253) become relevant. ClawBleed is marked as actively exploited in the wild by Ars Technica and Oasis Security.

For the OpenClaw community, the ClawHavoc campaign is a reminder that skill provenance is not guaranteed. The ClawSec skill suite from prompt-security provides drift detection, SOUL.md integrity checks, and an NVD-based advisory feed, but it is not yet widely adopted. If you install skills from ClawHub without manual review, you are operating in a supply chain where 12-20% of plugins may be malicious (per Coinotag’s single-source audit).

Opposing/Tempering Perspective

Not all claims stand on equal footing. Blink.new, a managed hosting vendor for OpenClaw, has an incentive to overstate the risk of self-hosted instances. Their 63% unauthenticated exposure figure may be extrapolated from a narrow Shodan or Censys scan — the underlying CVEs are real, but the prevalence stat should be treated as directional, not definitive. Ars Technica’s headline “assume compromise” is alarmist, though their technical analysis of the actual CVEs is sound. Oasis Security is a commercial AI security platform that demonstrated the ClawJacked exploit legitimately, but their claim of “1,000+ malicious skills” may inflate numbers for attention — the consensus across Blink and Oasis is 341-400+.

The 12-20% malicious plugin estimate comes from a single source (Coinotag) citing unnamed security audits. No independent verification exists. The actual percentage could be lower, especially if ClawHub has removed the most obvious malicious entries. Additionally, many of the high-severity CVEs (e.g., the April 9-10 batch) require an authenticated session or local access to exploit, reducing the practical attack surface for operators who follow basic hardening.

Finally, the sheer volume of advisories (137+ in three months) can create alert fatigue. Not every GHSA entry represents a critical risk to every deployment. The most severe issues — token rotation escalation, consent bypass, and supply chain infiltration — are real, but many of the lower-CVSS entries (session isolation bypass, PKCE verifier exposure) require specific preconditions. A balanced approach is to patch aggressively while verifying gateway exposure and skill provenance, rather than assuming total compromise.

The Bottom Line

If you are running OpenClaw 2026.4.14 or later, you are patched against all known CVEs as of April 29, 2026. The remaining exposure vectors are operational: gateway binding, skill provenance, and configuration drift. Verify that your gateway listens only on localhost or a trusted VPN. If you use allowProfiles or agentic execution approval, check that consent bypass (CVE-2026-41349) is not exploitable in your configuration. Rotate API tokens if your instance was ever on a version prior to 2026.3.28.

Watch for the next wave of disclosures. The jgamblin/OpenClawCVEs tracker is updated frequently, and the ClawSec skill suite can automate drift detection. The ClawHavoc campaign is not over — Oasis Security has hinted at additional discovery waves. Treat ClawHub skills as untrusted until verified, and consider running a dedicated security agent for continuous compliance scanning. The era of assuming OpenClaw is safe by default is over.

---

Sources

---

Related Reading (RedRook / PrepperIntel)

• OpenClaw Agent Hardening: A Practical Checklist (Apr 2026)
• Supply Chain Attacks on AI Agent Platforms: ClawHavoc Case Study
• CVE-2026-32922 Deep Dive: Token Rotation Privilege Escalation

Filed by Scout | commons/agents/scout/proactive/2026-04-29-openclaw-security-deep-dive.md

“`