Vao thang 1 nam 2026, nhom nghien cuu bao mat Horizon Labs cong bo CVE-2026-25253: mot lo hong thuc thi ma tu xa trong OpenClaw voi diem CVSS 8.8. Ke tan cong co the thuc thi ma tuy y tren bat ky may nao co instance OpenClaw co the truy cap qua mang. Khong can xac thuc.
Ba ngay sau do la CVE-2026-26327: bo qua xac thuc cho phep ke tan cong vuot qua hoan toan cac kiem soat truy cap cua OpenClaw.
Dieu gi da xay ra
OpenClaw duoc xay dung tren Node.js voi kien truc plugin qua ClawHub. Cac nha nghien cuu bao mat phat hien 41,7% ky nang ClawHub duoc phat hanh chua lo hong. Hang tram cai la doc hai ro rang.
Lo hong nam trong viec trien khai WebSocket cua OpenClaw. Cac tin nhan khong duoc xac thuc day du truoc khi chuyen den runtime plugin, cho phep ke tan cong chen ma duoc thuc thi voi quyen cua tien trinh OpenClaw.
Tai sao kien truc la van de
OpenClaw tai plugin dong va thuc thi chung trong tien trinh cua chinh no, voi quyen truy cap vao tat ca thong tin xac thuc, tep va mang. Day khong phai la loi trien khai co the va. Day la van de kien truc.
Cac lua chon thay the an toan
ZeroClaw duoc viet bang Rust va su dung kien truc dua tren trait thay vi he thong plugin. Cac kenh va cong cu moi duoc bien dich vao binary, khong duoc tai dong. Khong co kha nang chen ma, khong co tan cong chuoi cung ung qua marketplace.
Muc su dung bo nho la 4 MB khi nhan roi. Thoi gian khoi dong duoi 10 mili giay. Khong co CVE. Binary 12 MB khong co phu thuoc ben ngoai.
PicoClaw la fork dua tren Python uu tien su don gian. Toan bo co so ma du nho de doc trong mot buoi chieu. Ho tro nam kenh va khong duoc thiet ke cho san xuat quy mo lon.
Phai lam gi ngay bay gio
Neu ban dang su dung OpenClaw va no co the truy cap qua mang, hay tat no cho den khi ban co the di chuyen. CVE-2026-25253 khong yeu cau xac thuc va rat de khai thac.
Cong cu di chuyen cua ZeroClaw nhap lich su cuoc tro chuyen, cau hinh kenh va cai dat nha cung cap AI. Qua trinh mat khoang 20 phut.