OpenClaw Vulnerability
Product Overview
Product Name: OpenClaw
Type: Open-source AI agent / automation framework
Previous Names: Clawdbot, Moltbot
Primary Function: Runs locally as an autonomous AI assistant capable of executing commands, interacting with messaging platforms, controlling browsers, and automating workflows.
OpenClaw integrates with many external systems such as:
- Messaging platforms (Google Chat, BlueBubbles, Matrix)
- Local sandbox execution environments
- Browser automation tools
- External APIs and plugins
Because OpenClaw has high system privileges and can execute commands on the host machine, vulnerabilities in the framework can lead to:
- Remote code execution
- Data exfiltration
- Browser session hijacking
- Unauthorized command execution
- Full system compromise
Multiple high-severity vulnerabilities were discovered in early 2026 affecting gateway APIs, plugins, authentication logic, and file handling routines.
Vulnerability Summary Table
| CVE | Vulnerability Name | CVSS | Severity | Exploitability | Exploit Availability |
|---|---|---|---|---|---|
| CVE-2026-29613 | BlueBubbles Webhook Authentication Bypass | 8.6 | High | Remote | No public exploit yet |
| CVE-2026-29611 | BlueBubbles Local File Inclusion | 8.8 | High | Remote | PoC possible |
| CVE-2026-29610 | PATH Command Hijacking | 8.1 | High | Local / Authenticated | PoC possible |
| CVE-2026-29609 | Memory Exhaustion DoS | 7.5 | High | Remote | Not public |
| CVE-2026-28485 | Missing Authentication on Browser Endpoint | 8.8 | High | Remote | PoC likely |
| CVE-2026-28482 | Session File Path Traversal | 8.4 | High | Remote | Possible |
| CVE-2026-28479 | SHA-1 Collision in Sandbox Cache | 7.8 | High | Local | Theoretical |
| CVE-2026-28478 | Webhook Flood DoS | 7.5 | High | Remote | Easy |
| CVE-2026-28473 | Authorization Bypass via /approve | 8.6 | High | Authenticated | Possible |
| CVE-2026-28469 | Google Chat Webhook Routing Confusion | 8.2 | High | Remote | Possible |
| CVE-2026-28468 | Unauthenticated Browser Bridge | 8.7 | High | Local | Easy |
| CVE-2026-28465 | Voice Plugin Header Authentication Bypass | 8.1 | High | Remote | Possible |
| CVE-2026-28464 | Timing Side Channel Token Inference | 7.4 | High | Remote | Research stage |
| CVE-2026-28463 | Allowlist Bypass via Shell Expansion | 8.0 | High | Authenticated | Possible |
| CVE-2026-28462 | Browser Control API Path Traversal Write | 8.7 | High | Authenticated | Possible |
| CVE-2026-28459 | Arbitrary File Write | 8.8 | High | Authenticated | Possible |
| CVE-2026-28458 | Unauthenticated WebSocket Browser Relay | 9.0 | High | Remote | Easy |
| CVE-2026-28456 | Dynamic Import Code Execution | 8.6 | High | Authenticated | Possible |
| CVE-2026-28453 | TAR Archive Traversal | 8.1 | High | Remote | Possible |
| CVE-2026-28450 | Nostr Plugin Unauthenticated APIs | 8.5 | High | Remote | Possible |
| CVE-2026-28447 | Plugin Installation Path Traversal | 8.2 | High | Remote | Possible |
Detailed CVE Analysis
CVE-2026-29613
Webhook Authentication Bypass in BlueBubbles Plugin
Vulnerability Description
The BlueBubbles plugin used by OpenClaw accepts webhook requests from iMessage integrations. The authentication mechanism incorrectly trusts the request’s loopback IP address rather than validating forwarded headers when running behind reverse proxies.
An attacker can exploit this by sending a request through a reverse proxy and making it appear as if it originated from localhost, bypassing webhook password validation.
CVSS
8.6 (High)
MITRE ATT&CK Mapping
- T1190 – Exploit Public Facing Application
- T1071 – Application Layer Protocol
How It Could Be Exploited
- Attacker identifies an exposed webhook endpoint.
- Crafts HTTP request with spoofed headers.
- Reverse proxy forwards request to OpenClaw.
- Application trusts the request because it appears from
127.0.0.1. - Attacker injects fake message or command events.
Educational Payload
POST /bluebubbles/webhook HTTP/1.1
Host: victim-server
X-Forwarded-For: 127.0.0.1
Content-Type: application/json{
"event":"message",
"text":"run system command"
}
Detection Methods
Look for:
- Requests with spoofed
X-Forwarded-For - External IPs accessing local-only endpoints
- Abnormal webhook traffic
Detection Rule
if http.request.uri contains "/bluebubbles/webhook"
AND http.header.x_forwarded_for = "127.0.0.1"
AND source_ip NOT IN internal_network
alert
Log Sources
- Reverse proxy logs
- OpenClaw gateway logs
- API gateway logs
- Web application firewall
Patch
Update OpenClaw to version 2026.2.12 or later.
Official patch:
OpenClaw GitHub security update – version 2026.2.12
CVE-2026-29611
Local File Inclusion in BlueBubbles Media Handler
Description
The BlueBubbles integration allows sending media files through a function that accepts a user-supplied file path. The application does not validate whether the path points outside the allowed directory.
Attackers can use this to read sensitive files such as:
/etc/passwd- SSH keys
- configuration files
CVSS
8.8 High
MITRE Mapping
- T1005 – Data from Local System
- T1083 – File and Directory Discovery
Example Payload
{
"mediaPath":"../../../../etc/passwd"
}
Detection
Look for:
- Requests containing
../ - Media paths referencing system directories
- Unexpected file access logs
Example SIEM Rule
index=web_logs
uri="/bluebubbles/media"
AND request_body contains "../"
Log Sources
- Application logs
- File access logs
- OS audit logs
Patch
Upgrade to OpenClaw 2026.2.14 or later.
CVE-2026-29610
Command Hijacking via PATH Manipulation
Description
The sandbox execution mechanism uses shell commands that rely on the system PATH variable. Attackers can manipulate PATH to execute malicious binaries instead of the intended system command.
Attack Scenario
- Attacker uploads malicious binary
- Modifies PATH environment variable
- Application executes command
- Malicious binary runs instead
MITRE Mapping
- T1059 – Command Execution
- T1574 – Hijack Execution Flow
Detection
Monitor:
- PATH modifications
- unexpected binaries in
/tmp - unusual process execution
Example Detection Query
process where parent_process="openclaw"
and executable_path="/tmp/*"
Log Sources
- EDR
- Linux auditd
- container logs
Patch
Update OpenClaw to 2026.1.29 or later.
CVE-2026-28458
Unauthenticated Browser Relay WebSocket
Description
The Browser Relay feature exposes a WebSocket endpoint used for browser automation. The endpoint fails to enforce authentication.
Attackers can connect directly to:
ws://127.0.0.1:18792/cdp
Once connected they can:
- Execute JavaScript in open tabs
- Steal session cookies
- Access authenticated web sessions
MITRE Mapping
- T1185 – Browser Session Hijacking
- T1539 – Steal Web Session Cookie
Example Exploit Script
const ws = new WebSocket("ws://127.0.0.1:18792/cdp");
ws.send(JSON.stringify({
method:"Runtime.evaluate",
expression:"document.cookie"
}));
Detection
Monitor:
- WebSocket connections to local ports
- Browser automation commands
Detection Rule
if destination_port = 18792
AND protocol = websocket
AND source_ip not internal
alert
Log Sources
- Network IDS
- Proxy logs
- Endpoint telemetry
Patch
Upgrade OpenClaw to 2026.2.1 or later.
CVE-2026-28462
Browser Control API Path Traversal Write
Description
Several API endpoints accept file paths for downloaded files and trace outputs. Improper validation allows attackers to write files outside the temporary directory.
Example vulnerable endpoints:
POST /trace/stop
POST /wait/download
POST /download
Attackers can overwrite sensitive files such as:
../../.ssh/authorized_keys
MITRE Mapping
- T1105 – Ingress Tool Transfer
- T1565 – Data Manipulation
Detection
Look for suspicious output paths:
../
/root/
.ssh/
Patch
Upgrade to OpenClaw 2026.2.13 or later.
CVE-2026-28468
Unauthenticated Browser Control Bridge
Description
The sandbox browser bridge exposes browser control functions without requiring authentication.
Attackers can:
- enumerate open browser tabs
- execute JavaScript
- steal cookies
- capture screenshots
MITRE Mapping
- T1056 – Input Capture
- T1185 – Browser Session Hijacking
Detection
Monitor API calls:
/browser/list
/browser/execute
Log Sources
- gateway logs
- sandbox logs
- browser automation logs
Patch
Upgrade to OpenClaw 2026.2.14.
CVE-2026-28456
Dynamic Import Leading to Code Execution
Description
The gateway dynamically imports hook modules using user-controlled configuration values. Because the module path is not properly validated, attackers with configuration access can load arbitrary local modules.
Attack Outcome
- arbitrary JavaScript execution
- persistence through malicious plugins
- system compromise
MITRE Mapping
- T1059 – Script Execution
- T1505 – Server Side Component
Detection
Monitor:
- unexpected module loads
- dynamic imports referencing non-standard paths
Example suspicious path:
../../../tmp/malicious.js
Patch
Upgrade to OpenClaw 2026.2.14.
CVE-2026-28447
Plugin Installation Path Traversal
Description
Plugin installation routines unpack archives without validating directory paths. A crafted plugin archive can include traversal sequences.
Example:
../../../../etc/cron.d/backdoor
When extracted, the attacker can overwrite system files.
MITRE Mapping
- T1105 – File Transfer
- T1547 – Persistence
Example Payload
Malicious TAR entry:
../../../../root/.ssh/authorized_keys
Detection
Look for:
- archive extraction events
- plugin installation logs
- unusual file creation outside plugin directory
Log Sources
- OS file audit
- application logs
- EDR telemetry
Patch
Upgrade OpenClaw to 2026.2.14 or later.
General Detection Recommendations
Organizations using OpenClaw should monitor:
Network Activity
- WebSocket traffic to localhost
- unexpected webhook traffic
- reverse proxy header manipulation
Host Activity
- abnormal command execution
- PATH changes
- unexpected file writes
Application Activity
- plugin installation
- browser automation requests
- webhook events
Security Hardening Recommendations
- Upgrade OpenClaw to latest version immediately
- Disable unused plugins
- Restrict access to local APIs
- Place OpenClaw behind authentication proxy
- Enable network monitoring
- Run OpenClaw inside restricted containers
- Rotate API tokens
