From 135K Stars to 31 CVEs: The Complete OpenClaw Security Timeline

ZeroClaws.io

@zeroclaws

March 22, 2026

The OpenClaw security crisis of early 2026 didn't happen overnight. It was the predictable result of architectural decisions, rapid growth, and a security model that was never designed for the scale it reached. This is the complete timeline, reconstructed from CVE databases, security researcher disclosures, and community incident reports.

October-November 2025: The Rise

OpenClaw launched on GitHub in late October 2025 as an open-source personal AI agent. The pitch was compelling: a single tool that could manage your digital life — email, calendar, files, web browsing, messaging — through natural language commands.

Within two weeks, it crossed 10,000 GitHub stars. By early November, it hit 50,000. The growth was driven by viral demo videos showing OpenClaw autonomously handling complex tasks: "book me a flight to Tokyo for under $800," "review my pull requests and summarize the changes," "set up a development environment for this project."

ClawHub, the skill marketplace, launched in November with 200 skills. By late November, it had over 1,000. The ecosystem was growing faster than anyone, including the OpenClaw team, expected.

December 2025: Early Warnings

Security researchers began raising concerns in December. The issues were well-known vulnerability classes:

  • OpenClaw's gateway bound to 0.0.0.0 by default, exposing it to the internet
  • Skills ran with full OS-level permissions — no sandboxing, no capability restrictions
  • The WebSocket interface didn't validate Origin headers
  • Authentication relied on bearer tokens with no expiration

These concerns were filed as GitHub issues. The OpenClaw team acknowledged them and added them to the roadmap. No patches were released — the team was focused on features and ecosystem growth.

By late December, OpenClaw had 100,000 stars and over 100,000 active instances worldwide.

January 14, 2026: CVE-2026-25253

The first major vulnerability dropped. A security researcher published a proof-of-concept exploit demonstrating Cross-Site WebSocket Hijacking. By visiting a malicious webpage, an attacker could steal the authentication token of any OpenClaw instance accessible from the victim's browser.

CVSS score: 8.8 (High). Classification: CWE-669, Incorrect Resource Transfer Between Spheres.

The OpenClaw team initially described it as a "known limitation of the WebSocket architecture." The security community described it as a critical remote code execution vulnerability.

January 27-31, 2026: ClawHavoc Begins

Security firm Koi Security detected the first wave of malicious skills on ClawHub. The campaign, later named ClawHavoc, had been planting malicious skills since January 27th. Activity surged on January 31st.

Initial findings: 341 malicious skills across ClawHub's registry of 2,857 total skills. Approximately 12% of the marketplace was compromised.

The malicious skills were sophisticated: professional documentation, legitimate functionality overlaying data exfiltration payloads, and artificially inflated star counts through fake accounts.

January 30, 2026: First Patch

OpenClaw released version 2026.1.29, patching CVE-2026-25253 with Origin header validation on WebSocket connections. The patch was effective for the specific vulnerability but didn't address the underlying architectural issues.
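The two controls this part of the timeline turns on, rejecting browser-initiated WebSocket upgrades from foreign origins (the fix shipped in 2026.1.29) and giving bearer tokens an expiry (one of the December issues), as an added Python example. It is not OpenClaw's code: the gateway origin on port 8080, the header layout and the token format are assumptions made for the illustration.

```python
"""WebSocket handshake Origin validation plus expiring bearer tokens.

Added example, not OpenClaw code. The gateway origin (port 8080), the
header layout and the token format are constructed for illustration.
"""
from __future__ import annotations

import hmac
import time
from urllib.parse import urlsplit

# Constructed allowlist: only the gateway's own UI may open a socket from a browser.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080", "http://localhost:8080"}


def normalize_origin(origin: str) -> str | None:
    """Reduce an Origin value to scheme://host[:port]; None if malformed."""
    parts = urlsplit(origin.strip())
    try:
        port = parts.port  # raises ValueError for a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None  # also rejects the literal "null" origin
    default = 80 if parts.scheme == "http" else 443
    host = parts.hostname.lower()
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def check_origin(headers: dict[str, str], allowed: set[str] = ALLOWED_ORIGINS) -> tuple[bool, str]:
    """Decide whether an Upgrade request may proceed based on its Origin header.

    Browsers always send Origin on WebSocket upgrades and a page cannot forge
    it, so an allowlist defeats cross-site hijacking. A missing header means a
    non-browser client; it is let through here only because the token check
    below still applies to it.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    if origin is None:
        return True, "no Origin header: non-browser client, token still required"
    norm = normalize_origin(origin)
    if norm is None:
        return False, f"malformed Origin {origin!r}"
    if norm not in {normalize_origin(a) for a in allowed}:
        return False, f"Origin {norm} not in allowlist"
    return True, f"Origin {norm} allowed"


def issue_token(secret: bytes, subject: str, ttl_seconds: int, now: float | None = None) -> str:
    """Mint a bearer token that carries its own expiry, signed with HMAC-SHA256."""
    exp = int((time.time() if now is None else now) + ttl_seconds)
    payload = f"{subject}.{exp}"
    sig = hmac.new(secret, payload.encode(), "sha256").hexdigest()
    return f"{payload}.{sig}"


def verify_token(secret: bytes, token: str, now: float | None = None) -> bool:
    """Accept only a correctly signed token whose expiry is still in the future."""
    try:
        subject, exp_str, sig = token.rsplit(".", 2)
        exp = int(exp_str)
    except ValueError:
        return False
    expected = hmac.new(secret, f"{subject}.{exp}".encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expected, sig):
        return False
    return (time.time() if now is None else now) < exp
```

The `now` parameter exists so expiry can be tested deterministically; in a real gateway both checks run on every upgrade request, and the Origin check is the one that stops a browser tab on another site from ever reaching the token exchange.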

By this point, Shodan scans showed 42,000+ OpenClaw instances exposed to the internet. An estimated 63% were running unpatched versions.
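Turning an exposure scan into a patched/unpatched split is a version-comparison problem, and the dotted calendar scheme the article quotes (2026.1.29) breaks naive string comparison ("2026.1.9" sorts after "2026.1.29"). The following is an added example, not the article's or any scanner's code; the inventory records are constructed and the version format is assumed from the one version string the article gives.

```python
"""Triage a fleet inventory by whether each instance is at or above a fixed version.

Added example. FIXED_IN is the version the article names for the CVE-2026-25253
patch; the scan records below are constructed.
"""
from __future__ import annotations

import re
from collections import Counter

FIXED_IN = "2026.1.29"

# Year.month.day with an optional leading "v" and optional -suffix / +build metadata.
_VER = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)(?:[-+].*)?$")


def parse_version(v: str) -> tuple[int, int, int] | None:
    """Numeric tuple for a calendar version, or None if the string is not one."""
    m = _VER.match(v.strip())
    return (int(m[1]), int(m[2]), int(m[3])) if m else None


def is_patched(version: str, fixed_in: str = FIXED_IN) -> bool | None:
    """True/False when comparable; None when the reported version is unparseable
    (treat None as unpatched for exposure counts, but report it separately)."""
    cur, fix = parse_version(version), parse_version(fixed_in)
    if cur is None or fix is None:
        return None
    return cur >= fix  # tuple comparison is numeric field by field


# Constructed scan records: (host, reported version, listening on all interfaces?)
SCAN = [
    ("10.0.0.5", "2026.1.29", True),
    ("10.0.0.6", "2025.12.3", True),
    ("10.0.0.7", "v2026.2.1", False),
    ("10.0.0.8", "dev-build", True),
    ("10.0.0.9", "2026.1.9", True),   # looks newer as a string, is older numerically
]


def triage(records) -> Counter:
    """Count instances by patch state and flag those both exposed and not known-patched."""
    counts: Counter = Counter()
    for host, version, exposed in records:
        state = is_patched(version)
        key = "unknown" if state is None else ("patched" if state else "unpatched")
        counts[key] += 1
        if exposed and state is not True:
            counts["exposed_and_unpatched"] += 1
    return counts


if __name__ == "__main__":
    for k, v in sorted(triage(SCAN).items()):
        print(f"{k:24s} {v}")
```

An instance whose version cannot be parsed is counted as unknown and still flagged when exposed: an inventory that silently treats "unparseable" as "fine" under-reports exactly the hosts least likely to be maintained.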

February 1-3, 2026: Public Disclosure

Koi Security publicly disclosed the ClawHavoc campaign on February 1st. On February 3rd, CVE-2026-25253 received its formal public disclosure.

The combination of the CVE disclosure and the ClawHub attack made simultaneous headlines. Media coverage framed it as a systemic crisis rather than isolated incidents. XDA Developers published "Please Stop Using OpenClaw." The Hacker News thread reached 2,000+ comments.

February 4-16, 2026: Expansion

The situation worsened:

  • February 4: CVE-2026-24763 disclosed — command injection through prompt processing
  • February 7: CVE-2026-26322 disclosed — SSRF allowing internal network scanning
  • February 10: CVE-2026-26329 disclosed — path traversal enabling arbitrary file reads
  • February 16: Koi Security's expanded scan found 824 malicious skills in a registry that had grown to 10,700+ skills. Copycat attackers had joined the original ClawHavoc campaign.
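Two of the February CVE classes, SSRF reaching internal networks and path traversal reading arbitrary files, share a root cause: an agent tool took a model-supplied string and used it directly as a URL or a path. The guards below are an added example of the checks a tool layer needs, written in Python and not taken from OpenClaw or the advisories; the root directory, the resolver hook and the stub DNS table are constructed.

```python
"""Input guards for agent tool calls: confine file reads to a root directory and
refuse URL fetches whose target resolves to an internal address.

Added example, not OpenClaw code. The resolver hook lets the check run offline
with a constructed DNS table; the default resolver uses the system resolver.
"""
from __future__ import annotations

import ipaddress
import socket
from pathlib import Path
from typing import Callable
from urllib.parse import urlsplit


def confine_path(root: str, user_path: str) -> Path | None:
    """Resolve user_path beneath root; None if it escapes via '..', an absolute
    path, or a symlink that points outside. Prefix checks on strings are not
    enough ('workspace2' starts with 'workspace'), so compare path components."""
    root_p = Path(root).resolve()
    candidate = (root_p / user_path).resolve()  # an absolute user_path replaces root_p
    try:
        candidate.relative_to(root_p)
    except ValueError:
        return None
    return candidate


def is_internal_address(ip: str) -> bool:
    """True for loopback, RFC 1918, link-local (incl. 169.254.169.254 metadata),
    multicast, reserved and unspecified addresses; IPv4-mapped IPv6 is unwrapped."""
    addr = ipaddress.ip_address(ip)
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_private or addr.is_loopback or addr.is_link_local
            or addr.is_multicast or addr.is_reserved or addr.is_unspecified)


def system_resolve(host: str) -> list[str]:
    """Default resolver: every address the system resolver returns for host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def url_is_fetchable(url: str, resolve: Callable[[str], list[str]] = system_resolve) -> tuple[bool, str]:
    """Allow only http(s) URLs whose host, once resolved, has no internal address."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname
    if not host:
        return False, "no host in URL"
    try:
        ipaddress.ip_address(host)   # IP literal: nothing to resolve
        addrs = [host]
    except ValueError:
        try:
            addrs = resolve(host)
        except OSError as exc:
            return False, f"cannot resolve {host}: {exc}"
    for ip in addrs:
        if is_internal_address(ip):
            return False, f"{host} resolves to internal address {ip}"
    return True, f"{host} -> {addrs}"
```

The resolution step is also the weak point: a hostname that passes the check can be re-resolved to an internal address when the fetch actually connects. The fetch should therefore connect to the address that was checked rather than resolving the name a second time.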

SecurityScorecard's STRIKE team published their exposure map: 135,000+ OpenClaw instances across 82 countries, with over 15,000 directly vulnerable to remote code execution.

March 2026: The Flood

Between March 18th and March 21st, nine additional CVEs were disclosed in four days. The vulnerabilities ranged from authentication bypass to privilege escalation to prompt-injection-driven code execution.

One of the March CVEs scored 9.9 on the CVSS scale — near-maximum severity. Six were rated high, two medium.

The nine-CVE flood wasn't a coordinated disclosure. Multiple independent security researchers had been auditing OpenClaw since January, and their findings matured simultaneously. The OpenClaw team was patching faster than at any point in the project's history, but the vulnerability discovery rate exceeded the patch rate.

By late March, the total CVE count reached 31, with hundreds of additional security advisories pending CVE assignment.

The Industry Response

The crisis prompted responses beyond the OpenClaw project:

  • NVIDIA launched NemoClaw at GTC (March 16th), providing container-level isolation for OpenClaw deployments
  • Cisco published a blog post titled "Personal AI Agents like OpenClaw Are a Security Nightmare"
  • OWASP began developing an AI Agent Security Top 10
  • GitHub introduced enhanced scanning for AI agent repositories
  • Enterprise security teams began auditing their AI agent deployments, with many banning OpenClaw from corporate networks

The Migration Wave

ZeroClaw's download numbers spiked 400% in February. Other alternatives — NanoClaw, Moltis, IronClaw — saw similar surges. The community was looking for architecturally secure alternatives, not just patched versions of the same architecture.

Lessons

The OpenClaw crisis teaches four lessons that apply to every AI agent framework:

1. Architecture determines security ceiling. No amount of patching can make a fundamentally permissive architecture secure. OpenClaw's skill model, WebSocket trust model, and permission model were designed for developer convenience, not security. Each patch addressed a symptom; the architecture remained the vulnerability.

2. Growth without security creates compound risk. Each month of rapid growth without security investment increased the blast radius of eventual vulnerabilities. By the time the first CVE dropped, 42,000 instances were exposed. Security debt compounds like financial debt — the interest payments eventually exceed the principal.

3. Marketplaces are attack surfaces. Any system that allows users to install third-party code is a supply chain attack vector. The question isn't whether the marketplace will be attacked, but whether the architecture limits the damage when it is.

4. Default configurations are the real security posture. Users don't read security guides. They install software, accept defaults, and start using it. If the default is insecure (binding to 0.0.0.0, no permission restrictions, full OS access for plugins), that's the deployed security posture. Security must be the default, not the option.
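Lesson 4 in code: a settings loader whose defaults are the secure values and whose insecure values are refused unless the operator acknowledges them explicitly, so the deployed posture is also the audited one. This is an added example rather than OpenClaw's configuration; the field names and predicates are constructed to mirror the insecure defaults listed earlier in the article.

```python
"""Secure-by-default gateway settings with an explicit, auditable opt-out.

Added example, not OpenClaw code; setting names and defaults are constructed
to match the insecure defaults the article lists.
"""
from __future__ import annotations

from dataclasses import dataclass, fields
from typing import Any, Callable


@dataclass(frozen=True)
class GatewaySettings:
    bind_address: str = "127.0.0.1"   # loopback only; 0.0.0.0 must be asked for
    sandbox_skills: bool = True        # third-party skills run confined by default
    validate_origin: bool = True       # browser Origin checked on WebSocket upgrades
    token_ttl_seconds: int = 3600      # tokens expire; 0 or less would mean never
    allow_insecure: bool = False       # the only way to accept a risky override


# Predicates that mark a field value as weakening the posture.
RISKY: dict[str, Callable[[Any], bool]] = {
    "bind_address": lambda v: v in ("0.0.0.0", "::", ""),
    "sandbox_skills": lambda v: v is False,
    "validate_origin": lambda v: v is False,
    "token_ttl_seconds": lambda v: v <= 0,
}


def risky_fields(settings: GatewaySettings) -> list[str]:
    """Names of settings currently in a weakened state, in declaration order.
    Useful for an audit pass over already-deployed instances."""
    return [f.name for f in fields(settings)
            if f.name in RISKY and RISKY[f.name](getattr(settings, f.name))]


def load_settings(user_config: dict[str, Any]) -> GatewaySettings:
    """Overlay user config on the secure defaults. Unknown keys are rejected
    (a typo must not silently leave a default in place unnoticed) and risky
    values are refused unless allow_insecure is set explicitly."""
    known = {f.name for f in fields(GatewaySettings)}
    unknown = sorted(set(user_config) - known)
    if unknown:
        raise ValueError(f"unknown settings: {unknown}")
    settings = GatewaySettings(**user_config)
    risky = risky_fields(settings)
    if risky and not settings.allow_insecure:
        raise ValueError(f"insecure overrides {risky} require allow_insecure=True")
    return settings
```

The point of the explicit flag is not to forbid exposed deployments but to make them a recorded decision: `risky_fields()` over a running instance's settings gives an auditor the same list the operator had to accept.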

The AI agent space learned these lessons in 2026. The question is whether it remembers them.
