Overview
OpenClaw launched with 60,000 GitHub stars in its first 72 hours. Six weeks later, it has a critical security vulnerability. CVE-2026-25253 carries a CVSS score of 8.8 and enables remote code execution on any host running an exposed OpenClaw instance. Security researchers have identified 135,000 exposed instances on public IP addresses, of which more than 50,000 are directly vulnerable to the unpatched exploit.
The ClawHub community marketplace compounds the problem. Of 2,857 skills listed on the platform, 341 have been flagged as malicious. That is 12 percent: roughly 1 in 8 skills a user might download and execute. The combination of a remotely exploitable host vulnerability and a compromised package ecosystem is the kind of security crisis that can permanently damage a project's reputation.
CVE-2026-25253: critical RCE with CVSS 8.8, affecting 50,000+ instances
The RCE Vulnerability
The vulnerability works through OpenClaw's message processing pipeline. The agent receives messages from connected messaging platforms (Slack, Telegram, Discord, and others) and processes them to determine what actions to take. A specially crafted message payload can bypass the input validation layer and reach code execution pathways that were intended only for internal use. The result is arbitrary code execution running with the permissions of the OpenClaw process on the host server.
The reason this vulnerability exists is architectural. OpenClaw, like all messaging-connected AI agents, must parse and execute instructions that arrive over channels it does not fully control. A user's Slack workspace might be compromised. A public Telegram channel might contain injected payloads. The attack surface is every message from every platform the agent is connected to. Defending it requires treating all incoming data as untrusted, which is harder than it sounds when the agent's entire value proposition is acting on instructions it receives.
The vulnerability was discovered by a researcher at Trail of Bits who published a proof-of-concept exploit alongside the CVE disclosure. The proof of concept is public, which means the window between disclosure and exploitation by malicious actors is measured in hours, not days. Users running exposed instances should treat the situation as urgent.
The ClawHub Problem
ClawHub is the community marketplace where users publish and download skills, the code packages that extend what OpenClaw can do. The concept is compelling: instead of every user reinventing the same integrations, a shared library builds up over time. The execution has a serious problem. Skills are code that runs on the user's server with the same permissions as the agent. Publishing a malicious skill is publishing malware with a friendly description.
The 12 percent malicious rate breaks down into several categories based on security research: data exfiltration skills that quietly copy files to external servers, credential harvesting skills that scan for API keys and tokens in the local environment, and backdoor skills that establish persistent remote access channels. Some malicious skills are straightforward fakes, named after popular legitimate integrations but doing something harmful instead. Others are subtler, functioning as advertised while quietly executing harmful secondary operations.
The scale is alarming. A 12 percent rate means that any user who has installed even a handful of ClawHub skills has a meaningful probability of running malware. The OpenClaw team has begun removing flagged skills, but the review process was not built to handle a marketplace of this size. Manual review cannot keep up with automated publishing.
How to Tell If Your Instance Is Vulnerable
The first check is whether your OpenClaw port is reachable from the public internet. Run a port scan against your server's public IP on the port OpenClaw uses (default 8080, but check your configuration). If the port responds from outside your network without authentication, you are in the 135,000. The immediate mitigation is to put the port behind a firewall rule that allows only your specific IP address or IP range.
The patch for CVE-2026-25253 is available in OpenClaw version 0.9.4 and above. Check your running version with the admin interface or by inspecting the Docker image tag. If you are below 0.9.4, update before doing anything else. The update process via Docker is a pull and restart: pull the latest image, stop the running container, start a new one with the updated image. Data is preserved if you have correctly mounted a persistent volume for the data directory.
For ClawHub skills, the recommendation is to audit every skill you have installed. The OpenClaw team has published a list of confirmed malicious skill identifiers. Cross-reference your installed skills against that list and remove any matches. If you have skills that are not on the confirmed list but that you installed from unknown publishers, treat them with suspicion. The safest path for any skill not from a well-known source is removal and reinstallation from a verified version once the ClawHub review process catches up.
The Design Flaw That Made This Inevitable
An always-on agent with persistent messaging access is inherently a high-value attack target. It runs continuously, it has credentials to multiple services, it can execute code, and it receives instructions from channels that are not fully trusted. This is not a criticism of OpenClaw specifically. It describes the fundamental security challenge facing any product in this category, including Claude Code, AutoGPT, and every other agent framework.
The trust model problem is specific: the agent must act on instructions to be useful, but it cannot always verify that instructions are legitimate. A compromised Slack workspace can send fake instructions to an agent configured to act on messages from that workspace. A social engineering attack that gets a malicious message into a channel the agent monitors achieves code execution without touching the CVE. The input validation vulnerability that CVE-2026-25253 describes is a specific instance of a general problem that patching alone cannot fully resolve.
The architectural fix requires a permission model that is more granular than most current agent frameworks implement. Every action the agent can take should require explicit user-granted authorization. Instructions from messaging platforms should be treated as low-trust by default, with elevated trust only for verified authenticated channels. Skill execution should happen in isolated containers that cannot access the host filesystem or network beyond what the specific skill requires. Some of these controls exist in OpenClaw's security-focused build. Most installations use the default configuration, which does not enable them.
