OpenClaw Security: CVE-2026-25253, ClawHavoc, and How to Fix Both

135,000+ OpenClaw instances exposed. CVE-2026-25253 lets attackers run code on your machine with one click. Here's what went wrong and exactly how to fix it.

By Silverthread Labs. Tags: OpenClaw security vulnerabilities 2026, OpenClaw exposed instances fix, ClawHavoc supply chain attack

OpenClaw Security: What Cisco Found and How to Fix It

If you've seen the headlines -- 135,000 exposed instances, a CVSS 8.8 remote code execution flaw, over a thousand malicious plugins in the official marketplace -- and you want to understand what's actually broken and what you need to do about it, this is that guide.

Those are not small numbers. An official marketplace with 1,184 confirmed malicious skills is not a fringe incident -- it's a systemic failure. The CVE is public, the attack campaign has a name (ClawHavoc), and the fixes are specific. They take about 30 minutes to apply.


the short version: what you need to do right now

If your time is short, here are the three non-negotiable steps:

update to OpenClaw v2026.1.29 or later

npm install -g openclaw@latest
openclaw --version

Verify the version is v2026.1.29 or higher before doing anything else. If it isn't, stop using the install until it is. CVE-2026-25253 allows one-click remote code execution against any unpatched instance.

rotate your gateway token and authToken immediately

openclaw auth rotate

This invalidates any previously issued tokens. Do this even on a fresh install. If your instance ran in an unpatched state for any period of time, rotate again after patching.

audit every installed skill against the ClawHavoc indicator list

Open your installed skills list in the ClawHub manager. Cross-reference each installed skill against the publicly published ClawHavoc indicator lists from Repello AI, eSecurity Planet, and Koi Security. Any match should be removed immediately and treated as a potential compromise. See the ClawHavoc section below for the full response procedure.


CVE-2026-25253: the 1-click remote code execution flaw

what the vulnerability actually does

CVE-2026-25253 is a cross-site WebSocket hijacking vulnerability in OpenClaw's local gateway. Here is the attack in plain terms:

  1. You have OpenClaw running on your machine
  2. You visit a web page controlled by an attacker
  3. JavaScript on that page opens a WebSocket connection to ws://localhost:18789 (or whichever port you're using)
  4. The gateway accepts the connection and leaks your authentication token to the page
  5. The attacker now has full administrative control of your OpenClaw instance

This is why it's called "one-click" -- the entire attack chain completes the moment you load the malicious page. No prompt. No download dialog. Just a page load.

CVSS score: 8.8 (High). Disclosed: February 1, 2026. Patched: v2026.1.29, released January 29, 2026 (per NVD / SOCRadar, February 2026).

why it works even on loopback-only installs

This is the part that trips people up. Many users assume "I only run this on localhost, so it can't be exploited remotely." That assumption is wrong for this vulnerability class.

Cross-site WebSocket hijacking abuses a gap in how the browser's same-origin policy applies to WebSockets. A web page served from any domain can open a WebSocket to localhost: the browser attaches an Origin header to the handshake but does not block the connection the way it does for a cross-origin XHR or fetch, so enforcing the origin is left entirely to the server. The attack uses the browser itself as the exploit vehicle.

If you're running a browser on the same machine as OpenClaw -- which most users are -- your loopback-only install is reachable by any web page you visit.

  1. Attacker sends you a link (email, Slack message, social media)
  2. You open it in your browser
  3. Page JavaScript calls new WebSocket('ws://localhost:18789/ws')
  4. OpenClaw gateway accepts the connection, sends the auth token in the handshake
  5. JavaScript reads the token and forwards it to the attacker's server
  6. Attacker uses the token to connect to your gateway directly -- no further action from you required
  7. Attacker now has full access to everything OpenClaw can do: read your files, run shell commands, call your MCP tools, exfiltrate credentials stored in agent memory

The patch in v2026.1.29 adds Origin header validation. The gateway now rejects WebSocket connections from origins outside its allowed list.
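As an added illustration of that mitigation class (example code written for this discussion, not OpenClaw's own implementation), here is a strict Origin allow-list check for a WebSocket upgrade in Node.js, next to the prefix-matching shortcut that lets a lookalike host through. The allow-list values, the function names, and the policy of trusting a missing Origin to the token check are assumptions.

```javascript
// Added example, not OpenClaw's code: strict Origin allow-listing for a WebSocket
// upgrade, the class of mitigation the v2026.1.29 patch is described as adding.
// The values and the policy below are assumptions for illustration.
const ALLOWED_ORIGINS = new Set(["http://localhost:18789", "http://127.0.0.1:18789"]);

// Reduce an Origin header value to scheme://host[:port], or null if it is not a
// clean origin ("null" from sandboxed frames, paths, credentials, garbage).
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let url;
  try { url = new URL(value); } catch { return null; }
  if (url.pathname !== "/" || url.search || url.hash || url.username) return null;
  return url.origin; // lowercases the host and drops a default port
}

// The shortcut that looks right but is not: a prefix test lets
// "http://localhost.evil.example:18789" through.
function naiveOriginCheck(originHeader) {
  return typeof originHeader === "string" && originHeader.startsWith("http://localhost");
}

// Browsers always send Origin on a WebSocket handshake, so a present Origin must
// match exactly. A missing Origin means a non-browser client, which cannot be a
// cross-site hijacking vehicle and is left to the token check (assumed policy).
function isAllowedOrigin(originHeader, allowlist = ALLOWED_ORIGINS) {
  if (originHeader === undefined) return true;
  const origin = normalizeOrigin(originHeader);
  return origin !== null && allowlist.has(origin);
}

// Decision for an HTTP Upgrade request: "accept", or the HTTP status to reply with.
function decideUpgrade(headers) {
  if (!/^websocket$/i.test(headers.upgrade || "")) return 400;
  if (!isAllowedOrigin(headers.origin)) return 403;
  return "accept";
}

console.log(decideUpgrade({ upgrade: "websocket", origin: "https://attacker.example" })); // 403
```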

which versions are affected and which are patched

  • Affected: All versions prior to v2026.1.29
  • Patched: v2026.1.29 and all subsequent releases
  • Check your version: openclaw --version

135,000 exposed instances: the configuration problem behind the numbers

how the default Docker setup leaves your gateway public

SecurityScorecard's STRIKE team found 135,000+ internet-facing OpenClaw instances across 82 countries as of February 2026. Over 12,800 were directly exploitable via RCE, and 63% of observed deployments were running vulnerable configurations (SecurityScorecard, February 2026).

The root cause is OpenClaw's default Docker deployment script. The docker-setup.sh script binds the OpenClaw gateway to 0.0.0.0:18789 -- all network interfaces, including your public internet-facing one. Any machine on the internet can reach your gateway if your server has a public IP and no firewall rule blocking that port.

Most users who followed the default Docker tutorial -- particularly those deploying on a VPS or cloud VM -- left port 18789 open without realizing it.

what attackers can do with an unauthenticated gateway

With an accessible gateway that lacks authentication (also a common default in some version branches), an attacker can:

  • List and read your installed skills
  • Execute tasks through OpenClaw's agent loop
  • Access any MCP tools the agent is connected to (filesystem, email, databases, shell)
  • Exfiltrate everything stored in agent memory

Authentication adds a token requirement, but as CVE-2026-25253 showed, even authenticated gateways were vulnerable to token theft via WebSocket hijacking before the patch. Both layers need to be secured.

how to check if your instance is exposed

To check if your gateway is accessible from the internet, use an external port scanner (like Shodan's self-check tool) or ask a trusted party to attempt a connection to http://your-public-ip:18789. Or run this locally:

# On Linux/macOS, check what your gateway is bound to
ss -tlnp | grep 18789
# or
netstat -tlnp | grep 18789

If you see 0.0.0.0:18789 rather than 127.0.0.1:18789, your gateway is bound to all interfaces. Fix this in your OpenClaw config before connecting to the internet.
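To make that bind check scriptable, here is an added example (not the article's or OpenClaw's code) that parses `ss -tlnp` style output and reports which addresses the gateway port is bound to. It goes a little beyond the text: besides 0.0.0.0, the IPv6 wildcard `[::]` and the `*` that netstat prints also mean every interface. The sample output is constructed.

```javascript
// Added example, not from the article or OpenClaw: flag listeners on the gateway
// port that are bound to something other than loopback.
const GATEWAY_PORT = 18789;

// Constructed sample in the layout `ss -tlnp` prints on Linux.
const SAMPLE_SS_OUTPUT = `State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      511    0.0.0.0:18789       0.0.0.0:*         users:(("node",pid=4242,fd=20))
LISTEN 0      128    127.0.0.1:5432      0.0.0.0:*         users:(("postgres",pid=900,fd=7))
LISTEN 0      511    [::]:18789          [::]:*            users:(("node",pid=4242,fd=21))`;

// Split "addr:port" from the right so "[::]:18789" and "*:18789" parse correctly.
function splitLocalAddress(field) {
  const i = field.lastIndexOf(":");
  if (i < 0) return null;
  const port = Number(field.slice(i + 1));
  if (!Number.isInteger(port)) return null;
  return { addr: field.slice(0, i), port };
}

// Loopback binds are unreachable from the network; wildcards and interface
// addresses are not.
function isLoopback(addr) {
  return addr === "[::1]" || /^127\./.test(addr);
}

// Return the non-loopback local addresses on which `port` is listening.
function findExposedListeners(ssOutput, port = GATEWAY_PORT) {
  const exposed = [];
  for (const line of ssOutput.split("\n")) {
    const cols = line.trim().split(/\s+/);
    if (cols[0] !== "LISTEN") continue; // skip the header and non-listening rows
    const local = splitLocalAddress(cols[3]);
    if (!local || local.port !== port) continue;
    if (!isLoopback(local.addr)) exposed.push(local.addr);
  }
  return exposed;
}

console.log(findExposedListeners(SAMPLE_SS_OUTPUT)); // [ '0.0.0.0', '[::]' ]
```

Pipe real output in with `ss -tlnp | node check-bind.js` after swapping the constant for `fs.readFileSync(0, "utf8")`; an empty result means the port is loopback-only.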


ClawHavoc: the supply chain attack that poisoned ClawHub

how 1,184 malicious skills got published to the official marketplace

ClawHub, OpenClaw's official skills marketplace, was hit by a coordinated supply-chain attack campaign. Repello AI's threat research team named it ClawHavoc.

The attack exploited the same dynamic that makes viral open-source projects vulnerable: rapid growth outpacing security review. ClawHub went from a small curated list to thousands of community-submitted packages in weeks, and the vetting process couldn't keep up.

By March 1, 2026, researchers had confirmed 1,184 malicious skills. Repello AI traced 335 of them to a single threat actor. As of February 16, 2026, over 824 remained discoverable under variant names with core campaign infrastructure still active (eSecurity Planet / PointGuard AI / Koi Security, February-March 2026).

what ClawHavoc skills actually do once installed

The delivery mechanism is social engineering:

  1. You install what looks like a legitimate skill (a calendar tool, a web search integration, a productivity helper)
  2. The skill surfaces a fake error: "Installation failed -- run this diagnostic command to fix it"
  3. The "diagnostic command" is a base64-encoded shell payload
  4. Decoding and running it downloads and executes Atomic Stealer (AMOS) -- macOS-targeting malware

AMOS exfiltrates:

  • Browser credentials and session tokens (Chrome, Safari, Firefox, Brave)
  • Keychain data and SSH keys
  • Telegram desktop session data
  • Cryptocurrency wallet files and seed phrases

The primary wave targeted macOS, but variant skills targeting Linux were identified in subsequent research.

how to identify and remove affected skills from your install

Open your ClawHub skill manager and pull your full installed skill list. Cross-reference it against the ClawHavoc indicator lists from Repello AI and Koi Security -- both maintain IOC registries with affected package names and publisher hashes.

If anything matches, remove it immediately. Then rotate all browser-stored credentials, particularly anything with access to financial accounts, email, or cloud services. Check ~/.ssh/authorized_keys for unknown keys, run macOS Malware Removal Tool or your endpoint security tool, and revoke any API keys stored in your OpenClaw config.

If you're unsure whether a skill is affected, remove it anyway. Reinstalling a clean skill takes minutes. Recovering from credential theft takes considerably longer, and you won't necessarily know it's happened.


a practical hardening checklist for OpenClaw

patch and token rotation

  • Confirm version is v2026.1.29 or later: openclaw --version
  • If not patched, run npm install -g openclaw@latest immediately
  • Rotate all auth tokens: openclaw auth rotate
  • Restart the gateway after patching and rotating

gateway authentication and origin validation

  • Confirm authentication is required: openclaw config get gateway.requireAuth
    • If false or empty: openclaw config set gateway.requireAuth true
  • Set allowed origins to localhost only:
    openclaw config set gateway.allowedOrigins "http://localhost:18789,http://127.0.0.1:18789"
  • Restart the gateway and verify a connection from a different origin is rejected

network segmentation: home and VPS installs

For home network installs:

  • Bind the gateway to loopback only: openclaw config set gateway.host 127.0.0.1
  • Verify the bind: ss -tlnp | grep 18789 -- should show 127.0.0.1:18789

For VPS/cloud installs:

  • Bind to loopback only (as above)
  • Add firewall rule blocking external access to port 18789 (ufw deny 18789 on Ubuntu)
  • If you need remote access, use an SSH tunnel rather than exposing the port: ssh -L 18789:localhost:18789 user@your-server

plugin vetting and ClawHub trust policy

  • Audit all installed skills against current ClawHavoc IOC lists
  • Remove any skill that cannot be verified against a public source code repository
  • Set a personal policy: only install skills from publishers with verifiable identities and public source repos
  • Do not run any "diagnostic command" prompted by an installed skill

ongoing patch hygiene

  • Subscribe to OpenClaw security advisories (GitHub notifications or the official security mailing list)
  • Run npm install -g openclaw@latest when security patches are released -- don't wait
  • Review new skill permissions before updating existing skills. ClawHavoc-pattern attacks have also appeared in skill updates, not just new installs.

when DIY hardening is not enough

This checklist covers the documented threat surface for a personal OpenClaw install. For most home users running OpenClaw on a local network, following it puts you in a materially safer position than the 135,000+ exposed instances SecurityScorecard catalogued.

That said, a config file edit is not the whole job for every deployment:

If your install runs on a VPS, a home server with a public IP, or an office network where you're not the only person with access, the attack surface is different from a local home install. Network segmentation, firewall rules, and ongoing monitoring require more than a few config changes.

Multi-user deployments with access to company data need role-based access control, audit logging, documented scope of MCP tool access, and a process for rotating credentials when employees leave. None of these are in the defaults.

And any deployment handling HIPAA, SOC 2, or GDPR data needs documented hardening scope, access controls, and an audit trail -- a working install is not the same as a compliant one.

Silverthread Labs handles OpenClaw hardening as a standalone engagement and as part of our full deployment service. We patch, configure, audit installed skills against ClawHavoc indicators, and deliver a written report you can use for compliance documentation. View the OpenClaw deployment service or contact us directly to discuss your setup.


FAQ

Is my OpenClaw install compromised right now?

If you ran a version prior to v2026.1.29 with the gateway bound to 0.0.0.0, treat it as potentially compromised. Rotate all credentials, check for unknown processes or scheduled tasks, and follow the ClawHavoc removal steps above -- even if you don't recognize any of your installed skill names.

I'm on v2026.1.29 but I never set up auth -- am I vulnerable?

You're not vulnerable to the WebSocket token theft if you're patched and have origin validation configured. But if gateway authentication is disabled, an attacker who can reach your port -- on a VPS, for instance -- can interact with your instance without credentials. Enable authentication and lock down the bind address.

Does the ClawHavoc attack affect Windows users?

The Atomic Stealer payload targets macOS. Variant skills targeting Linux were identified later. Windows users aren't categorically safe -- different payload variants have been documented -- so audit your installed skills regardless.

How do I stay informed about future OpenClaw vulnerabilities?

Watch the OpenClaw GitHub repository (github.com/openclaw/openclaw) for security advisories, and enable email notifications for releases. The disclosure process is in SECURITY.md in the main repo. SecurityScorecard's STRIKE team and Repello AI's threat research feed are also worth following for supply-chain early warning.

What does Silverthread Labs check for in a hardening engagement?

Version verification, patching, token rotation, gateway authentication enforcement, origin validation, gateway bind address and firewall verification, full installed skill audit against ClawHavoc IOC lists, MCP server permission review, and a written hardening report. For business installs we also configure RBAC, audit logging, and document the access scope for each connected MCP server.

Last updated: March 16, 2026
