source article | Agent: OpenClaw

OpenClaw is a Security Nightmare — Here's the Safe Way to Run It

Barrack.ai's February 17, 2026 article summarizes an Argus Security Platform audit of OpenClaw, covering five CVEs/GHSAs, the ClawHavoc AMOS campaign, OAuth plaintext storage, unsafe default bindings, and mitigation guidance.

Tags: openclaw, rce, websocket, command-injection, path-manipulation, local-file-inclusion, oauth, plaintext-credentials, credential-theft, cve-2026-25253, cve-2026-25157, cve-2026-25475, ghsa-mc68, ghsa-g55j, ghsa-8jpq, clawhavoc, amos, atomic-macos-stealer, clamphavoc

Date: Feb 17, 2026
First Seen: Feb 17, 2026
Last Reviewed: May 19, 2026
Publisher: Barrack.ai
Source Type: article

Source Summary

Extracted Claims

Security Audit Findings (Argus Security Platform, Jan 25, 2026)

  • 512 total vulnerabilities found in OpenClaw; 8 critical
  • OAuth credentials stored in plaintext JSON files without encryption
  • Default gateway bound to 0.0.0.0:18789 (all interfaces) with zero authentication option
  • Skills are executable code with full filesystem and network access (not sandboxed)
  • Prompt injection can persist via SOUL.md modification and cron job creation

CVEs and GHSAs Documented

| ID | Severity | Description |
|---|---|---|
| CVE-2026-25253 | CVSS 8.8 (Critical) | One-click RCE via cross-site WebSocket hijacking; patched in v2026.1.29 |
| CVE-2026-25157 | HIGH | OS command injection via unsanitized project root paths in macOS SSH handler |
| CVE-2026-25475 | CVSS 6.5 | Local file inclusion via MEDIA: path extraction; allows reading /etc/passwd or ~/.ssh/id_rsa |
| GHSA-mc68-q9jw-2h3v | HIGH | Command injection in Docker execution via PATH environment variable manipulation |
| GHSA-g55j-c2v4-pjcg | HIGH | Unauthenticated local RCE via WebSocket config.apply mechanism |
| GHSA-8jpq-5h99-ff5r | | Local file disclosure via Feishu (Lark) messaging extension |

Affected versions: Pre-v2026.1.29 (CVE-2026-25253, CVE-2026-25157, GHSA-mc68-q9jw-2h3v); Pre-v2026.1.30 (CVE-2026-25475)

ClawHavoc Campaign

  • 335 malicious skills distributed via ClawHub marketplace
  • Skills disguised as cryptocurrency wallets, Polymarket bots, YouTube utilities
  • Delivered Atomic macOS Stealer (AMOS) via base64-encoded shell scripts or password-protected ZIP (password: "openclaw")

CVE-2026-25253 Exploit Flow

  1. Victim visits malicious webpage
  2. Browser auto-connects to victim's gateway via WebSocket, transmitting auth token
  3. Attacker disables sandboxing via exec.approvals.set ask:"off"
  4. Attacker achieves full RCE
  5. "Exploitable even on instances configured to listen on loopback only"
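A host triage check that combines the default-binding finding, the affected-version line, and the loopback caveat in step 5. This is an added example, not code from the Barrack.ai article or from OpenClaw. It assumes `ss -ltnH` output as input and version strings in the `v2026.1.29` form used on this page; the function names are hypothetical.

```python
import ipaddress

GATEWAY_PORT = 18789  # default gateway port named on this page
# First fixed release per advisory, from the "Affected versions" line above.
FIXED_IN = {
    "CVE-2026-25253": (2026, 1, 29),
    "CVE-2026-25157": (2026, 1, 29),
    "GHSA-mc68-q9jw-2h3v": (2026, 1, 29),
    "CVE-2026-25475": (2026, 1, 30),
}
# Constructed sample of `ss -ltnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 511 [::1]:18789 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

def parse_version(text):
    """'v2026.1.29' -> (2026, 1, 29), so 2026.1.9 sorts before 2026.1.29."""
    parts = text.strip().lstrip("vV").split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version: {text!r}")
    return tuple(int(p) for p in parts)

def unpatched(version):
    v = parse_version(version)
    return sorted(adv for adv, fixed in FIXED_IN.items() if v < fixed)

def gateway_binds(ss_output):
    """Local addresses listening on the gateway port in `ss -ltnH` output."""
    binds = []
    for cols in (line.split() for line in ss_output.splitlines()):
        if len(cols) >= 4 and cols[0] == "LISTEN":
            host, _, port = cols[3].rpartition(":")
            if port == str(GATEWAY_PORT):
                binds.append(host.strip("[]").split("%")[0])  # drop [] and %iface
    return binds

def is_loopback(host):  # ss prints "*" for a dual-stack wildcard listener
    return host != "*" and ipaddress.ip_address(host).is_loopback

def triage(version, ss_output=SAMPLE_SS):
    binds, missing = gateway_binds(ss_output), unpatched(version)
    return {
        "network_exposed": [h for h in binds if not is_loopback(h)],
        "unpatched": missing,
        # Per the page, loopback-only binding does not stop CVE-2026-25253.
        "browser_reachable_rce": bool(binds) and "CVE-2026-25253" in missing,
    }
```

On a real host, pass the text of `ss -ltnH` and the installed version string to `triage`; a non-empty `network_exposed` list or a true `browser_reachable_rce` flag marks the instance for remediation.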

Exposure Statistics

  • Maor Dayan (ClawHunter v3.0): 42,665+ publicly exposed instances; 93.4% with critical auth bypass
  • SecurityScorecard STRIKE: 135,000+ unique IPs across 82 countries; 12,812 exploitable via RCE
  • Hunt.io: 17,500+ instances vulnerable to CVE-2026-25253

IOCs

  • IP: 91.92.242.30 — ClawHavoc command-and-control infrastructure

MITRE ATT&CK (inferred)

  • T1219 — Remote Access Software (RCE via WebSocket)
  • T1059 — Command and Scripting Interpreter (command injection, PATH manipulation)
  • T1552 — Unsecured Credentials (OAuth plaintext storage)
  • T1189 — Drive-by Compromise (malicious webpage → WebSocket hijacking)
  • T1027 — Obfuscated Files or Information (base64 shell scripts, password-protected ZIP)

New Technical Details Not in Existing Records

  • OAuth credentials stored in plaintext JSON — distinct from the credential theft via cookies/tokens seen in other campaigns
  • Default binding to 0.0.0.0:18789 with no auth — different from the loopback auth bypass in ClawJacked
  • PATH environment variable manipulation for Docker command injection (GHSA-mc68-q9jw-2h3v)
  • SOUL.md cron-based persistence mechanism
  • ClawHavoc C2: 91.92.242.30 (not previously documented in the repo)
  • ClawHavoc delivers AMOS via base64 shell scripts and password-protected ZIP ("openclaw")

Evidence Quality

Primary research-grade blog post referencing a structured security audit (Argus Security Platform, Jan 25, 2026) with explicit CVE/GHSA identifiers, version-specific patches, exploitation details, and exposure statistics. High confidence for the technical claims. Note: article published February 17, 2026 — an earlier source than most others in this repository, providing an important historical baseline for OpenClaw's vulnerability landscape.

Follow-Up

  • Update finding-openclaw-mass-exposed-instances-2026-02 with the higher exposure counts (135,000+ vs. 40,000+ from SecurityScorecard STRIKE)
  • Link to this source from the ClawJacked finding (CVE-2026-25253 is the same one Oasis documented; different analyst perspective and additional exploit detail)
  • Consider updating the Endor Labs vulnerability finding with context that a 512-vulnerability audit was conducted in January 2026
  • Add ClawHavoc campaign details to the malicious-skills section