OpenClaw security patches fix QR code credential exposure and plugin auto-load vulnerabilities

Two critical security vulnerabilities patched in OpenClaw
OpenClaw has released two security patches addressing serious vulnerabilities in the platform. The patches were released in version 2026.3.12 and follow another security issue (GHSA-5wcw-8jjv-m286) that was patched the previous day.
QR code pairing vulnerability
The QR code pairing system used to set up new devices was embedding permanent gateway credentials directly in the QR code with no expiry. This meant that anyone who captured a screenshot of the QR code would gain permanent access to everything the agent could do. The vulnerability was fixed in v2026.3.12, which now uses temporary codes instead.
If you've ever shared your setup QR code anywhere (Discord, Reddit, Twitter, Facebook, etc.), you should rotate your gateway token immediately.
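The temporary-code pattern described above, as an added example that is not OpenClaw's own code: the QR payload carries only a short-lived, single-use pairing code, and the gateway exchanges it for a per-device token that can be revoked. The class name, the 300-second lifetime, and the gateway URL are assumptions made for illustration.

```python
import hashlib
import secrets
import time

PAIRING_TTL_SECONDS = 300  # assumed lifetime; the page gives no figure


class PairingService:
    """Hypothetical gateway-side pairing: the QR holds a one-time code, never the gateway token."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._pending = {}       # sha256(code) -> expiry time
        self.device_tokens = {}  # device_id -> token, revocable per device

    def qr_payload(self, gateway_url):
        code = secrets.token_urlsafe(16)
        digest = hashlib.sha256(code.encode()).hexdigest()
        self._pending[digest] = self._clock() + PAIRING_TTL_SECONDS
        # Only the short-lived code is encoded into the QR image.
        return {"gateway": gateway_url, "pairing_code": code}

    def redeem(self, code, device_id):
        digest = hashlib.sha256(code.encode()).hexdigest()
        # pop() consumes the code on first presentation, so it is single-use.
        expiry = self._pending.pop(digest, None)
        if expiry is None or self._clock() > expiry:
            return None  # unknown, already used, or expired
        token = secrets.token_urlsafe(32)
        self.device_tokens[device_id] = token
        return token

    def revoke(self, device_id):
        return self.device_tokens.pop(device_id, None) is not None


def demo():
    now = [0.0]  # controllable clock so expiry can be shown without sleeping
    svc = PairingService(clock=lambda: now[0])
    qr = svc.qr_payload("https://gateway.example")  # constructed URL
    first = svc.redeem(qr["pairing_code"], "phone")
    replay = svc.redeem(qr["pairing_code"], "screenshot-copy")  # same code presented again
    stale = svc.qr_payload("https://gateway.example")
    now[0] += PAIRING_TTL_SECONDS + 1
    expired = svc.redeem(stale["pairing_code"], "late-device")
    return first is not None, replay, expired
```

A screenshot of this QR code is useless once the code has been redeemed or has expired, and a leaked device token can be revoked without rotating credentials for every other device.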
Plugin auto-load vulnerability
The second vulnerability involved workspace plugins automatically loading and running when a repository was cloned. The system would execute plugins without asking for user confirmation or checking if the source was trusted. This has also been fixed in v2026.3.12.
Exposure statistics
According to SecurityScorecard data from last week, there are over 40,000 OpenClaw instances exposed on the open internet. Of these, approximately 12,000 were exploitable via remote code execution (RCE) vulnerabilities. The actual number is likely higher now.
If you're running OpenClaw, you should update to the latest version immediately to address these security issues.
📖 Read the full source: r/openclaw