Critical OpenClaw Security Vulnerabilities Patched in 2026.3.28

✍️ OpenClawRadar · 📅 Published: April 1, 2026

Critical Security Issues in OpenClaw Core

Ant AI Security Lab identified 33 vulnerabilities in OpenClaw's framework, with 8 critical issues patched in the 2026.3.28 release. These vulnerabilities expose fundamental trust boundary problems in how agents are deployed.

Specific Vulnerabilities and Their Impact

Sandbox Isolation Bypass

In versions ≤2026.3.24, the message tool accepts mediaUrl and fileUrl aliases that bypass sandbox validation. This allows agents constrained to a sandbox to read arbitrary local files through these alias parameters, rendering isolation ineffective.
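The pattern behind this bug is a handler that validates one canonical parameter but also honours aliases it never checks. The following is an added illustration, not OpenClaw's code: the field names (`media`, `mediaUrl`, `fileUrl`), the sandbox-relative path model and the helper names are assumptions made for the example. It shows the vulnerable shape beside a hardened one that folds every alias into a single value before the sandbox check runs.

```typescript
import * as path from "node:path";

// Constructed message-tool input. The field names follow the advisory's
// description (mediaUrl / fileUrl as aliases of one attachment field) and are
// an assumption for this example, not OpenClaw's actual schema.
interface MessageParams {
  text?: string;
  media?: string;    // canonical attachment reference (sandbox-relative path)
  mediaUrl?: string; // alias
  fileUrl?: string;  // alias
}

const ALIASES: Array<"mediaUrl" | "fileUrl"> = ["mediaUrl", "fileUrl"];

// True when `candidate` resolves to a location strictly inside `root`.
// Absolute candidates and ".." traversal both resolve outside and are rejected.
export function isInsideSandbox(root: string, candidate: string): boolean {
  const resolvedRoot = path.resolve(root);
  const resolved = path.resolve(resolvedRoot, candidate);
  const rel = path.relative(resolvedRoot, resolved);
  return rel !== "" && !rel.startsWith("..") && !path.isAbsolute(rel);
}

// Vulnerable shape: only the canonical field is checked; an alias that the
// handler also honours is passed straight through to the file reader.
export function vulnerableAttachment(root: string, p: MessageParams): string | null {
  if (p.media !== undefined && !isInsideSandbox(root, p.media)) return null;
  return p.media ?? p.mediaUrl ?? p.fileUrl ?? null;
}

// Hardened shape: fold every accepted alias into one value first, refuse
// ambiguous input, and run the sandbox check on exactly what the reader uses.
// (A real handler must also canonicalise URL schemes such as file:// before
// this point; that step is omitted here.)
export function hardenedAttachment(root: string, p: MessageParams): string | null {
  const values = new Set<string>();
  if (typeof p.media === "string") values.add(p.media);
  for (const alias of ALIASES) {
    const v = p[alias];
    if (typeof v === "string") values.add(v);
  }
  if (values.size !== 1) return null; // nothing supplied, or conflicting aliases
  const target = Array.from(values)[0];
  return isInsideSandbox(root, target) ? target : null;
}
```

The important design choice is that the check is applied to the value the file reader will actually consume, after alias resolution, rather than to one field name; any new alias added later is covered automatically as long as it is registered in `ALIASES`.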

Privilege Escalation via Device Pairing

The /pair approve command path was calling device approval without forwarding caller scopes into the core check. This means users with basic pairing privileges could approve pending device requests asking for broader scopes, including full admin access, effectively granting themselves permissions they don't have.
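The fix described here is a matter of forwarding the approver's scopes into the core check so that a device can never be granted more than the approver holds. The example below is added for illustration and is not OpenClaw's code; the scope names, the `Caller`/`PairRequest` shapes and the log-entry shape are assumptions. It shows the vulnerable call path beside the hardened one, plus a small helper for the "review pairing logs for unexpected admin grants" step from the action list.

```typescript
// Scope names are constructed for the example; OpenClaw's real scope set is
// not assumed.
export type Scope = "pair" | "read" | "write" | "admin";

export interface Caller { id: string; scopes: ReadonlySet<Scope>; }
export interface PairRequest { deviceId: string; requestedScopes: Scope[]; }
export interface Decision { approved: boolean; grantedScopes: Scope[]; reason: string; }

// Vulnerable shape: the command layer verifies that the caller may approve
// pairings at all, then calls the core approval without the caller's scopes,
// so the core has nothing to compare the request against.
function coreApproveWithoutCaller(req: PairRequest): Decision {
  return { approved: true, grantedScopes: req.requestedScopes, reason: "approved" };
}
export function vulnerableApprove(caller: Caller, req: PairRequest): Decision {
  if (!caller.scopes.has("pair")) {
    return { approved: false, grantedScopes: [], reason: "caller lacks pair scope" };
  }
  return coreApproveWithoutCaller(req);
}

// Hardened shape: the caller's scopes are forwarded, and the core refuses any
// request for a scope the approver does not hold (no silent narrowing, so the
// refusal is visible in logs rather than hidden by a quietly reduced grant).
function coreApprove(callerScopes: ReadonlySet<Scope>, req: PairRequest): Decision {
  const missing = req.requestedScopes.filter((s) => !callerScopes.has(s));
  if (missing.length > 0) {
    return { approved: false, grantedScopes: [], reason: `approver lacks: ${missing.join(",")}` };
  }
  return { approved: true, grantedScopes: req.requestedScopes, reason: "approved" };
}
export function hardenedApprove(caller: Caller, req: PairRequest): Decision {
  if (!caller.scopes.has("pair")) {
    return { approved: false, grantedScopes: [], reason: "caller lacks pair scope" };
  }
  return coreApprove(caller.scopes, req);
}

// Log-review helper (constructed log shape): flags past approvals in which the
// granted scopes exceed what the approver held at the time.
export interface PairingLogEntry { approver: Caller; deviceId: string; granted: Scope[]; }
export function suspiciousGrants(log: PairingLogEntry[]): PairingLogEntry[] {
  return log.filter((e) => e.granted.some((s) => !e.approver.scopes.has(s)));
}
```

Running `suspiciousGrants` over an export of historical pairing approvals is the quickest way to find grants made while the vulnerable path was live: any entry where a device received `admin` from an approver who did not hold `admin` warrants a look.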

Token Revocation Ineffectiveness

When tokens are revoked for suspected compromised devices, the gateway only updates stored credentials without disconnecting already-authenticated WebSocket sessions. Revoked devices can continue using live sessions until connections naturally drop.
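Revocation that only touches the credential store leaves every already-authenticated connection valid until it happens to drop. The example below is added to illustrate the difference and is not OpenClaw's code; the `Gateway` class, its token map and its session registry are assumptions standing in for a real WebSocket server. The hardened variant closes live sessions as part of the same revocation step and reports how many it closed, which is also the number an operator would expect to see in the gateway log.

```typescript
export interface LiveSession {
  deviceId: string;
  open: boolean;
  closeReason?: string;
}

// Minimal stand-in for a gateway's credential store and WebSocket registry.
// The shape is an assumption made for the example, not OpenClaw's design.
export class Gateway {
  private readonly tokens = new Map<string, string>(); // deviceId -> current token
  private readonly sessions: LiveSession[] = [];

  issue(deviceId: string, token: string): void {
    this.tokens.set(deviceId, token);
  }

  // Handshake: only a device presenting its current token gets a session.
  connect(deviceId: string, token: string): LiveSession | null {
    if (this.tokens.get(deviceId) !== token) return null;
    const session: LiveSession = { deviceId, open: true };
    this.sessions.push(session);
    return session;
  }

  liveSessions(deviceId: string): number {
    return this.sessions.filter((s) => s.deviceId === deviceId && s.open).length;
  }

  // Vulnerable shape: credentials are updated, existing sessions are untouched,
  // so a device whose token was revoked keeps working until it reconnects.
  vulnerableRevoke(deviceId: string): void {
    this.tokens.delete(deviceId);
  }

  // Hardened shape: credentials are updated AND every open session for the
  // device is closed, so revocation takes effect now rather than at the next
  // reconnect. Returns the number of sessions closed.
  hardenedRevoke(deviceId: string): number {
    this.tokens.delete(deviceId);
    let closed = 0;
    for (const s of this.sessions) {
      if (s.deviceId === deviceId && s.open) {
        s.open = false;
        s.closeReason = "token revoked";
        closed++;
      }
    }
    return closed;
  }
}
```

A revocation routine that returns zero closed sessions for a device you know was connected is itself a signal worth alerting on: either the registry lost track of the session or the close never happened.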

SSRF Vulnerability in Image Provider

The fal image-generation provider uses raw fetches for both API traffic and image downloads, skipping the SSRF-guarded fetch path. This allows a malicious relay to force the gateway to fetch internal URLs and expose internal service responses through the image pipeline.
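The defensive point is that every outbound fetch made on behalf of untrusted input has to pass through one guarded path. The example below is an added illustration of what such a guard checks and is not OpenClaw's SSRF guard; the function names and the injected resolver are assumptions. Name resolution is injected so the check runs offline; in production the resolver wraps DNS lookup, and the connection must then be pinned to an address that passed the check, since a second lookup at connect time can return a different answer. The IPv6 classifier is deliberately simplified and errs toward blocking.

```typescript
import * as net from "node:net";

// IPv4 ranges a gateway should never fetch on behalf of an untrusted caller:
// unspecified, RFC 1918 private space, CGNAT, loopback, link-local (where
// cloud metadata endpoints live), multicast and reserved.
const BLOCKED_V4: Array<[string, number]> = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["224.0.0.0", 4], ["240.0.0.0", 4],
];

function v4ToInt(ip: string): number {
  return ip.split(".").reduce((acc, octet) => acc * 256 + Number(octet), 0);
}

function inV4Block(ip: string, network: string, prefix: number): boolean {
  const mask = prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
  return ((v4ToInt(ip) & mask) >>> 0) === ((v4ToInt(network) & mask) >>> 0);
}

// Returns true for any literal address the gateway must not connect to.
// Non-IP input is refused outright: only resolved addresses should reach here.
export function isBlockedAddress(addr: string): boolean {
  if (net.isIPv4(addr)) return BLOCKED_V4.some(([n, p]) => inV4Block(addr, n, p));
  if (net.isIPv6(addr)) {
    const a = addr.toLowerCase();
    if (a === "::1" || a === "::") return true;                      // loopback, unspecified
    if (a.startsWith("::ffff:")) return isBlockedAddress(a.slice(7)); // IPv4-mapped (dotted form)
    if (/^f[cd]/.test(a)) return true;                               // fc00::/7 unique local
    if (/^fe[89ab]/.test(a)) return true;                            // fe80::/10 link-local
    return false; // simplified: uncompressed spellings are not normalised here
  }
  return true;
}

export type Resolver = (host: string) => string[];
export interface FetchCheck { ok: boolean; reason: string; addresses: string[] }

function parseUrl(raw: string): URL | null {
  try { return new URL(raw); } catch { return null; }
}

// Decides whether the gateway may fetch `raw` on a caller's behalf. Every
// address the name resolves to must be acceptable; one bad answer rejects.
export function checkFetchTarget(raw: string, resolve: Resolver): FetchCheck {
  const url = parseUrl(raw);
  if (url === null) return { ok: false, reason: "unparseable url", addresses: [] };
  if (url.protocol !== "http:" && url.protocol !== "https:") {
    return { ok: false, reason: `scheme ${url.protocol} not allowed`, addresses: [] };
  }
  const host = url.hostname.replace(/^\[|\]$/g, ""); // strip IPv6 brackets
  if (host === "localhost" || host.endsWith(".localhost")) {
    return { ok: false, reason: "localhost name", addresses: [] };
  }
  const addresses = net.isIP(host) ? [host] : resolve(host);
  if (addresses.length === 0) return { ok: false, reason: "unresolvable host", addresses };
  const bad = addresses.find(isBlockedAddress);
  if (bad !== undefined) return { ok: false, reason: `resolves to blocked address ${bad}`, addresses };
  return { ok: true, reason: "ok", addresses };
}
```

The `reason` field is meant to be logged: a burst of "resolves to blocked address" rejections from a single relay or image-provider response is exactly the signal that something upstream is probing the gateway's network position.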

Allowlist Degradation

Route-level group allowlists for platforms like Google Chat or Zalo were silently downgrading from allowlist to open instead of preserving group policies. This allows any member of the allowlisted space to interact with the bot, ignoring sender-level restrictions.
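The failure is a policy resolver that treats "group is on the route allowlist" as the final answer and drops the group's own sender policy on the floor. The example below is an added illustration, not OpenClaw's routing code; the `RouteConfig`/`GroupConfig` shapes, the fail-closed default for an unconfigured group, and the function names are assumptions. Returning the effective policy alongside the verdict makes the degradation visible in logs rather than silent.

```typescript
export type GroupPolicy = "open" | "allowlist";

export interface GroupConfig { policy: GroupPolicy; allowedSenders: string[]; }

// Route config shape constructed for the example: a route-level list of
// groups (spaces) the bot serves, plus each group's own sender policy.
export interface RouteConfig {
  allowedGroups: string[];
  groups: Record<string, GroupConfig>;
}

export interface Inbound { group: string; sender: string; }

export interface Verdict {
  allowed: boolean;
  effectivePolicy: GroupPolicy | "denied";
  reason: string;
}

// Vulnerable shape: once the group passes the route-level allowlist the
// decision is treated as final, i.e. the effective policy degrades to "open"
// and the group's own sender list is never consulted.
export function vulnerableAuthorize(route: RouteConfig, msg: Inbound): Verdict {
  if (!route.allowedGroups.includes(msg.group)) {
    return { allowed: false, effectivePolicy: "denied", reason: "group not allowlisted" };
  }
  return { allowed: true, effectivePolicy: "open", reason: "group allowlisted" };
}

// Hardened shape: the route-level allowlist only admits the group; the group's
// own policy is preserved and applied to the sender. A group with no policy
// block is treated as allowlist-with-empty-list, i.e. fail closed (assumed
// default for this example).
const FAIL_CLOSED: GroupConfig = { policy: "allowlist", allowedSenders: [] };

export function hardenedAuthorize(route: RouteConfig, msg: Inbound): Verdict {
  if (!route.allowedGroups.includes(msg.group)) {
    return { allowed: false, effectivePolicy: "denied", reason: "group not allowlisted" };
  }
  const cfg: GroupConfig = route.groups[msg.group] ?? FAIL_CLOSED;
  if (cfg.policy === "open") {
    return { allowed: true, effectivePolicy: "open", reason: "group policy is open" };
  }
  if (cfg.allowedSenders.includes(msg.sender)) {
    return { allowed: true, effectivePolicy: "allowlist", reason: "sender allowlisted" };
  }
  return { allowed: false, effectivePolicy: "allowlist", reason: "sender not in group allowlist" };
}
```

A useful regression check for any such resolver is the pair of cases in the test: an allowlisted group with a sender who is not on its list must be denied, and the same group with a listed sender must be allowed with `effectivePolicy` reported as `allowlist`, never `open`.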


Immediate Actions Required

  • Check your OpenClaw version. If it's ≤2026.3.24, update to 2026.3.28 immediately.
  • Review pairing logs for any unexpected admin grants.
  • If you recently revoked a token, force-restart your gateway to kill lingering WebSocket sessions.

The Ant AI Security Lab audit reveals that while much attention focuses on LLM security risks like prompt injection, the framework's own parameter validation and trust boundaries present critical vulnerabilities. All 8 advisories from the audit are publicly available on the OpenClaw GitHub security tab.

📖 Read the full source: r/openclaw
