Openclaw Security Collapse: CVE-2026-25253 Allows Full Administrative Hijacking of AI Agents

Openclaw Security Collapse: CVE-2026-25253 Allows Full Administrative Hijacking of AI Agents

N
News Editor 01
2026-07-09 20:00:13
A Certik study reveals systemic security failures in Openclaw, exposing over 135,000 instances, a critical CVE for total admin takeover, and malware-laden extensions that threaten user data and crypto wallets.
OpenclawCertiksecurity vulnerabilityCVE-2026-25253AI security

A March 31 study by Web3 security firm Certik has pulled back the curtain on a systemic collapse of security boundaries within Openclaw, an open-source artificial intelligence platform. Despite its rapid ascent to more than 300,000 GitHub stars, the framework has accumulated more than 100 CVEs and 280 security advisories in just four months, creating what researchers call an “unbounded” attack surface.

Core Vulnerability: CVE-2026-25253

The report highlights the critical vulnerability CVE-2026-25253, which allows attackers to seize full administrative control. By tricking a user into clicking a single malicious link, hackers can steal authentication tokens and hijack the AI agent completely, gaining the same privileges as a legitimate administrator.

Massive Internet Exposure

Global scans revealed more than 135,000 internet-exposed Openclaw instances across 82 countries. Many of these had authentication disabled by default, leaking API keys, chat histories and sensitive credentials in plaintext. The report also asserts that the platform’s repository for user-shared “skills” has been infiltrated by malware, with hundreds of extensions bundling infostealers designed to siphon saved passwords and cryptocurrency wallet data.

Prompt Injection Threats

Attackers are now hiding malicious instructions within emails and webpages. When the AI agent processes these documents, it can be forced to exfiltrate files or execute unauthorized commands without the user’s knowledge. “Openclaw has become a case study in what happens when large language models stop being isolated chat systems and start acting inside real environments. It aggregates classic software defects into a runtime with high delegated authority, making the blast radius of any single bug massive,” noted a lead auditor from Penligent.

Mitigation and Safety Recommendations

Experts urge a security-first approach. Developers should establish formal threat models from day one, enforce strict sandbox isolation, and ensure AI-spawned subprocesses inherit only low-privilege, immutable permissions. Enterprise users should deploy EDR tools to locate unauthorized Openclaw installations, while individual users are encouraged to run the tool exclusively in a sandboxed environment with no access to production data. Most importantly, users must update to version 2026.1.29 or later to patch known remote code execution (RCE) flaws.

Although developers recently partnered with VirusTotal to scan uploaded skills, Certik researchers warn this is “no silver bullet.” Until the platform reaches a more stable security phase, the industry consensus is to treat the software as inherently untrusted.

This article was originally published by Bit.Fan. For more cryptocurrency news and market insights, visit www.bit.fan.
300

Disclaimer:

The market information, project data, and third-party content displayed on this platform are for industry information sharing only and do not constitute any form of investment advice or return commitment.

Cryptocurrency trading carries high risks. Users should fully assess their risk tolerance and make independent decisions. All profits, losses, and legal responsibilities are borne by the users themselves.