OpenClaw Security Vulnerabilities: Critical Framework Flaws Patched in 2026.3.28

OpenClawRadar | Published: April 1, 2026

Critical Security Vulnerabilities in OpenClaw Framework

Ant AI Security Lab conducted a 3-day audit of OpenClaw's core framework and submitted 33 vulnerability reports. Eight of these vulnerabilities were patched in the 2026.3.28 release, revealing significant architectural security issues beyond the commonly discussed prompt injection and malicious skill risks.

Specific Vulnerabilities Identified

  • Sandbox Bypass via Tool Parameters: In versions <= 2026.3.24, the message tool accepts mediaUrl and fileUrl aliases that bypass sandbox validation. This allows agents constrained to a sandbox to read arbitrary local files through these alias parameters, effectively breaking isolation.
  • Privilege Escalation via Device Pairing: The /pair approve command path called device approval without forwarding the caller's scopes into the core check. Users with basic pairing privileges could approve pending device requests that asked for broader scopes, including full admin access, and so grant themselves permissions they did not hold.
  • Session Persistence After Token Revocation: When tokens are revoked, the gateway only updates stored credentials without disconnecting already-authenticated WebSocket sessions. Revoked devices can continue using their live sessions until connections naturally drop.
  • SSRF Vulnerability in Image Provider: The fal provider for image generation uses raw fetches for both API traffic and image downloads, skipping SSRF-guarded fetch paths. Malicious relays could force the gateway to fetch internal URLs and expose internal service responses through the image pipeline.
  • Allowlist Degradation: Route-level group allowlists (e.g., for Google Chat or Zalo) were silently downgrading from allowlist to open instead of preserving group policies. Any member of the allowlisted space could interact with the bot, ignoring sender-level restrictions.
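
The device-pairing item above comes down to an authorization check that never receives the caller's scopes. The following is an added example, not OpenClaw's code: every function and field name is hypothetical, and the "check only runs when scopes are passed" shape of the flawed version is an assumption made for illustration.

```javascript
// Added illustration. Every name here is hypothetical, not OpenClaw's API.
// Constructed sample: one pending device request that asks for admin scope.
const pending = new Map([["req-1", { device: "laptop", scopes: ["pairing", "admin"] }]]);
const basicUser = { id: "u-basic", scopes: ["pairing"] };
const adminUser = { id: "u-admin", scopes: ["pairing", "admin"] };

// True when every requested scope is already held by the caller.
function coversAll(requested, held) {
  const have = new Set(held);
  return requested.every((s) => have.has(s));
}

// Flawed shape: the core check runs only if the caller's scopes are supplied.
function approveLegacy(store, requestId, callerScopes) {
  const req = store.get(requestId);
  if (!req) return { ok: false, reason: "unknown-request" };
  if (callerScopes && !coversAll(req.scopes, callerScopes)) {
    return { ok: false, reason: "scope-escalation" };
  }
  return { ok: true, granted: [...req.scopes] };
}

// Command handler that drops caller.scopes, so the check above never runs.
function pairApproveLegacy(store, caller, requestId) {
  return approveLegacy(store, requestId);
}

// Hardened shape: scopes are mandatory and their absence is a denial.
function approveStrict(store, requestId, callerScopes) {
  const req = store.get(requestId);
  if (!req) return { ok: false, reason: "unknown-request" };
  if (!Array.isArray(callerScopes)) return { ok: false, reason: "caller-scopes-required" };
  const excess = req.scopes.filter((s) => !callerScopes.includes(s));
  if (excess.length > 0) return { ok: false, reason: "scope-escalation", excess };
  return { ok: true, granted: [...req.scopes] };
}

// Command handler that forwards the caller's scopes into the core check.
function pairApproveStrict(store, caller, requestId) {
  return approveStrict(store, requestId, caller.scopes);
}

console.log(pairApproveLegacy(pending, basicUser, "req-1")); // approved: escalation
console.log(pairApproveStrict(pending, basicUser, "req-1")); // denied, excess: ["admin"]
console.log(pairApproveStrict(pending, adminUser, "req-1")); // approved
```

Making the scopes argument mandatory in the core function means a future call site that forgets to forward them is denied rather than silently approved.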

Immediate Actions Required

  • Check your OpenClaw version. If it's < 2026.3.28, update immediately.
  • Review pairing logs for any unexpected admin grants.
  • If you recently revoked a token, force-restart your gateway to kill lingering WebSocket sessions.

The Ant AI Security Lab audit highlights that while much attention focuses on LLM behavior, the underlying framework's trust boundaries and parameter validation are equally critical for security. All 8 advisories from the audit are publicly available on the OpenClaw GitHub security tab.

📖 Read the full source: r/openclaw
