OpenClaw security patches fix QR code credential exposure and plugin auto-load vulnerabilities

Two critical security vulnerabilities patched in OpenClaw
OpenClaw has released two security patches addressing serious vulnerabilities in the platform. The patches were released in version 2026.3.12 and follow another security issue (GHSA-5wcw-8jjv-m286) that was patched the previous day.
QR code pairing vulnerability
The QR code pairing system used to set up new devices was embedding permanent gateway credentials directly in the QR code with no expiry. This meant that anyone who captured a screenshot of the QR code would gain permanent access to everything the agent could do. The vulnerability was fixed in v2026.3.12, which now uses temporary codes instead.
If you've ever shared your setup QR code anywhere (Discord, Reddit, Twitter, Facebook, etc.), you should rotate your gateway token immediately.
Plugin auto-load vulnerability
The second vulnerability involved workspace plugins automatically loading and running when a repository was cloned. The system would execute plugins without asking for user confirmation or checking if the source was trusted. This has also been fixed in v2026.3.12.
Exposure statistics
According to SecurityScorecard data from last week, there are over 40,000 OpenClaw instances exposed on the open internet. Of these, approximately 12,000 were exploitable via remote code execution (RCE) vulnerabilities. The actual number is likely higher now.
If you're running OpenClaw, you should update to the latest version immediately to address these security issues.
📖 Read the full source: r/openclaw
👀 See Also

AI Security Researchers: Your 0-Day Vulnerabilities May Leak via Data Opt-In Toggle
The 'Improve the model for everyone' toggle in LLM interfaces can automatically harvest deep red-teaming research, sending your vulnerability concepts to vendor safety teams and potentially to academic papers before you publish. Disable data sharing before conducting serious security research.

Claude Code CVE-2026-39861: Sandbox Escape via Symlink Following
A high-severity vulnerability in Claude Code's sandbox allows arbitrary file write outside the workspace via symlink following, potentially leading to code execution.

13 Words on Reddit Can Manipulate AI Search: Cornell Research
Cornell research shows that a 13-word snippet on Reddit or Wikipedia can reliably poison AI search agents. Half of all AI citations come from UGC sites, making it trivially easy for brands to inject promotional content.

RunLobster Hosting Warning: Bot Spam and Unauthorized Charges Reported
A Reddit user reports RunLobster (OpenClaw Hosting) bots spamming tech subreddits and hitting their card with three unauthorized charges immediately after registration, with no response from support.