Critical OpenClaw flaw exposed

Published by The Daily Scout

What happened

A critical vulnerability in OpenClaw (CVE‑2026‑25253) affects AWS’s managed OpenClaw offering on Lightsail and, by one count, exposed over 17,500 publicly reachable instances. Separately, Bitdefender reports that more than 20% of ClawHub skills are malicious, which makes marketplace skills a major vector for remote code execution inside agents. Startups and vendors are already shipping MicroVM/container isolation (e.g., NanoClaw) to tighten agent sandboxes and limit blast radius.

Why it matters

OpenClaw shipped a fix for the gateway token bug in release v2026.1.29 (published Jan 30, 2026) (open-claw.me), and followed up with a broader control‑plane refresh in v2026.3.12 (Mar 12, 2026) that lists 14 security fixes and introduces ephemeral device tokens. (openclaw.report) The National Vulnerability Database assigned CVE‑2026‑25253 a CVSS score of 8.8, which falls in the High rather than Critical band of the CVSS qualitative scale, and describes the root cause as the Control UI auto‑connecting to an attacker‑controlled gatewayUrl and sending stored WebSocket tokens. (nvd.nist.gov) In practice that means a stored gateway credential is handed to whatever host a supplied gatewayUrl points at; short‑lived device tokens limit how long a stolen one stays useful, but the durable fix is for the UI to refuse to send credentials to any gateway it does not already trust.

Security researchers at Koi Security audited the ClawHub marketplace and reported 341 malicious skills out of 2,857 audited entries, with 335 tied to a single campaign dubbed “ClawHavoc” that delivered an Atomic macOS Stealer (AMOS) payload. (koi.ai) That is roughly 12% of the audited set, well below the 20%+ figure attributed to Bitdefender above, so the two audits evidently differ in sample or classification and neither should be quoted as the marketplace‑wide rate.

Internet scanning and threat telemetry disagree on scale: DECLAWED’s real‑time tracker shows 100,000+ exposed OpenClaw/Moltbot instances globally (declawed.io) while other scans have reported exposures in the tens of thousands (one public tally cited ~42,900). (elephas.app) With the 17,500 figure in the summary that makes three counts from three different scans; treat them as order‑of‑magnitude indicators rather than a single number.

Amazon added an official Lightsail blueprint for deploying OpenClaw on March 4, 2026 and the Lightsail announcement states each instance includes “built‑in security controls” and session sandboxing out of the box. (aws.amazon.com) The blueprint postdates the v2026.1.29 fix, but operators should still confirm that a deployed instance is running v2026.1.29 or later rather than assuming the image is patched. NanoClaw’s maintainers announced a partnership with Docker on March 13, 2026 to run each agent inside disposable MicroVM‑backed Docker Sandboxes (per‑agent containers inside micro VMs with separate kernels) as an isolation-first mitigation strategy. (docker.com) Isolation of this kind contains what a malicious skill can reach once it runs; it does not stop the Control UI from leaking a token, so both layers are needed.
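To make the NVD root cause concrete, the following is an added illustration written for this page; it is hypothetical code, not OpenClaw's source, and the function names (vulnerableAutoConnect, resolveGatewayUrl, fakeConnect), the hostnames and the sample token are all assumptions. It shows the pattern NVD describes, a UI that reads a gatewayUrl from its own location and connects with its stored token, beside a version that only releases the token to the page's own host or an explicit allowlist, and it generalises the check to scheme downgrades and unparseable input. No network is used; a recording stub stands in for the WebSocket so the decision can be inspected.

```javascript
// Added illustration of the bug class NVD describes for CVE-2026-25253: a control UI
// that auto-connects to a gateway URL taken from the page location and sends its
// stored token there. Hypothetical code written for this page, not OpenClaw's source.

// Constructed sample credential; a real UI would read it from local storage.
const STORED_TOKEN = "gw-token-constructed-sample";

// Stand-in for opening a WebSocket: records where the token would have been sent.
function fakeConnect(gatewayUrl, token, log) {
  log.push({ gatewayUrl, token });
  return gatewayUrl;
}

// Same-host default gateway for a page URL (ws for http pages, wss for https).
function defaultGateway(page) {
  const scheme = page.protocol === "https:" ? "wss" : "ws";
  return `${scheme}://${page.host}/ws`;
}

// Vulnerable pattern: trust ?gatewayUrl= verbatim and connect with the stored token.
function vulnerableAutoConnect(pageHref, log) {
  const page = new URL(pageHref);
  const target = page.searchParams.get("gatewayUrl") || defaultGateway(page);
  return fakeConnect(target, STORED_TOKEN, log);
}

// Hardened: a requested gateway is honoured only if it parses, uses a WebSocket
// scheme no weaker than the page's own, and its host is the page host or on an
// explicit allowlist. Anything else falls back to the same-host default and the
// reason is returned so the UI can surface it.
function resolveGatewayUrl(pageHref, allowedHosts = []) {
  const page = new URL(pageHref);
  const fallback = defaultGateway(page);
  const requested = page.searchParams.get("gatewayUrl");
  if (!requested) return { url: fallback, reason: "default" };

  let candidate;
  try {
    candidate = new URL(requested);
  } catch (_err) {
    return { url: fallback, reason: "unparseable" };
  }

  const pageIsSecure = page.protocol === "https:";
  const schemeOk =
    candidate.protocol === "wss:" || (candidate.protocol === "ws:" && !pageIsSecure);
  if (!schemeOk) return { url: fallback, reason: "scheme" };

  // host includes a non-default port, so "gw.example.net:8443" must be allowlisted as such.
  const trustedHosts = new Set([page.host, ...allowedHosts]);
  if (!trustedHosts.has(candidate.host)) return { url: fallback, reason: "untrusted-host" };

  return { url: candidate.href, reason: "allowlisted" };
}

function hardenedAutoConnect(pageHref, allowedHosts, log) {
  const decision = resolveGatewayUrl(pageHref, allowedHosts);
  fakeConnect(decision.url, STORED_TOKEN, log);
  return decision;
}

// Demo when run directly: the same crafted link against both versions.
if (typeof require !== "undefined" && require.main === module) {
  const crafted = "https://claw.example.net/ui?gatewayUrl=wss://evil.example.com/ws";
  const log = [];
  console.log("vulnerable ->", vulnerableAutoConnect(crafted, log));
  console.log("hardened   ->", hardenedAutoConnect(crafted, [], log));
  console.log(log);
}
```

The allowlist is keyed on host rather than origin because the WHATWG URL parser reports a ws/wss origin with the WebSocket scheme, which never string-matches the page's https origin; comparing host plus an explicit scheme rule avoids that pitfall. Rejecting a ws: gateway on an https page closes the downgrade case where the token would otherwise travel in clear text.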

Key numbers

  • CVE‑2026‑25253: CVSS 8.8 per the National Vulnerability Database (High band of the CVSS scale); root cause is the Control UI auto‑connecting to an attacker‑controlled gatewayUrl and sending stored WebSocket tokens. (nvd.nist.gov)
  • Fixes: v2026.1.29 (Jan 30, 2026) patches the gateway token bug (open-claw.me); v2026.3.12 (Mar 12, 2026) lists 14 security fixes and adds ephemeral device tokens. (openclaw.report)
  • ClawHub audit by Koi Security: 341 malicious skills out of 2,857 audited entries (about 12%), 335 of them from the “ClawHavoc” campaign delivering Atomic macOS Stealer (AMOS). (koi.ai)
  • Exposed instances: 17,500+ in the headline count, ~42,900 in one public tally (elephas.app), and 100,000+ on DECLAWED’s real‑time tracker (declawed.io); the figures come from different scans and are not directly comparable.
  • Lightsail blueprint for OpenClaw published March 4, 2026, described as including “built‑in security controls” and session sandboxing out of the box. (aws.amazon.com)
  • NanoClaw and Docker partnership announced March 13, 2026: each agent runs in a disposable MicroVM‑backed Docker Sandbox with its own kernel. (docker.com)
