OpenClaw security patches fix QR code credential exposure and plugin auto-load vulnerabilities

Two critical security vulnerabilities patched in OpenClaw
OpenClaw has released two security patches addressing serious vulnerabilities in the platform. The patches were released in version 2026.3.12 and follow another security issue (GHSA-5wcw-8jjv-m286) that was patched the previous day.
QR code pairing vulnerability
The QR code pairing system used to set up new devices was embedding permanent gateway credentials directly in the QR code with no expiry. This meant that anyone who captured a screenshot of the QR code would gain permanent access to everything the agent could do. The vulnerability was fixed in v2026.3.12, which now uses temporary codes instead.
If you've ever shared your setup QR code anywhere (Discord, Reddit, Twitter, Facebook, etc.), you should rotate your gateway token immediately.
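The difference between a permanent credential in the QR code and a temporary code, as an added example that is not OpenClaw's code. The class, the method names and the five-minute lifetime are assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw code: every name below is hypothetical.
const crypto = require("node:crypto");

const PAIRING_TTL_MS = 5 * 60 * 1000; // assumed lifetime of a pairing code

function sha256(value) {
  return crypto.createHash("sha256").update(value).digest();
}

class PairingService {
  constructor(now = () => Date.now()) {
    this.now = now;                 // injectable clock so expiry can be tested
    this.pending = new Map();       // hex(sha256(code)) -> expiry timestamp
    this.deviceTokens = new Map();  // deviceId -> sha256(per-device token)
  }

  // The only secret placed in the QR code: a random, short-lived, single-use
  // code. The long-lived gateway credential never leaves the gateway.
  issuePairingCode() {
    const code = crypto.randomBytes(16).toString("hex");
    this.pending.set(sha256(code).toString("hex"), this.now() + PAIRING_TTL_MS);
    return code;
  }

  // A device presents the scanned code and gets its own token, or null.
  redeem(code, deviceId) {
    const key = sha256(String(code)).toString("hex");
    const expiry = this.pending.get(key);
    this.pending.delete(key); // consumed on first use, so a screenshot cannot be replayed
    if (expiry === undefined || this.now() > expiry) return null;
    const token = crypto.randomBytes(32).toString("hex");
    this.deviceTokens.set(deviceId, sha256(token)); // store only the hash
    return token;
  }

  verify(deviceId, token) {
    const stored = this.deviceTokens.get(deviceId);
    if (!stored || typeof token !== "string") return false;
    return crypto.timingSafeEqual(stored, sha256(token));
  }

  // One leaked device token is revoked without rotating a shared secret.
  revoke(deviceId) {
    return this.deviceTokens.delete(deviceId);
  }
}
```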
Plugin auto-load vulnerability
The second vulnerability involved workspace plugins automatically loading and running when a repository was cloned. The system would execute plugins without asking for user confirmation or checking if the source was trusted. This has also been fixed in v2026.3.12.
Exposure statistics
According to SecurityScorecard data from last week, there are over 40,000 OpenClaw instances exposed on the open internet. Of these, approximately 12,000 were exploitable via remote code execution (RCE) vulnerabilities. The actual number is likely higher now.
If you're running OpenClaw, you should update to the latest version immediately to address these security issues.
📖 Read the full source: r/openclaw