Critical OpenClaw Security Vulnerabilities Patched in 2026.3.28

Critical Security Issues in OpenClaw Core
Ant AI Security Lab identified 33 vulnerabilities in OpenClaw's framework, with 8 critical issues patched in the 2026.3.28 release. These vulnerabilities expose fundamental trust boundary problems in how agents are deployed.
Specific Vulnerabilities and Their Impact
Sandbox Isolation Bypass
In versions ≤2026.3.24, the message tool accepts mediaUrl and fileUrl aliases that bypass sandbox validation. This allows agents constrained to a sandbox to read arbitrary local files through these alias parameters, rendering isolation ineffective.
Privilege Escalation via Device Pairing
The /pair approve command path called device approval without forwarding the caller's scopes into the core check. As a result, users with basic pairing privileges could approve pending device requests that ask for broader scopes, including full admin access, effectively granting themselves permissions they don't have.
Token Revocation Ineffectiveness
When tokens are revoked for suspected compromised devices, the gateway only updates stored credentials without disconnecting already-authenticated WebSocket sessions. Revoked devices can continue using live sessions until connections naturally drop.
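The gap described above, modelled as an added example (this is not OpenClaw's code): a gateway that authenticates only at connect time, with a revoke that touches stored credentials only beside one that also closes live sessions. The names DeviceGateway and FakeSocket and the close code 4401 are assumptions made for illustration.

```javascript
// Added illustration; DeviceGateway, FakeSocket and code 4401 are hypothetical names/values.
// Constructed stand-in for a WebSocket: only close() and a closed flag are modelled.
class FakeSocket {
  constructor() { this.closed = false; this.closeCode = null; }
  close(code, reason) { this.closed = true; this.closeCode = code; this.closeReason = reason; }
}

class DeviceGateway {
  constructor() {
    this.tokens = new Map();   // token -> deviceId (the stored credentials)
    this.sessions = new Map(); // deviceId -> Set of live, already-authenticated sockets
  }
  issueToken(deviceId, token) { this.tokens.set(token, deviceId); }

  // Authentication happens once, at connect time; the socket is indexed by device.
  connect(token, socket) {
    const deviceId = this.tokens.get(token);
    if (deviceId === undefined) { socket.close(4401, "invalid token"); return false; }
    if (!this.sessions.has(deviceId)) this.sessions.set(deviceId, new Set());
    this.sessions.get(deviceId).add(socket);
    return true;
  }
  // Messages on an open socket are trusted because of the connect-time check.
  handleMessage(socket, payload) {
    return socket.closed ? { ok: false } : { ok: true, echo: payload };
  }
  // Weak form: only the stored credential is updated; live sessions are untouched.
  revokeStoredOnly(deviceId) {
    for (const [token, id] of this.tokens) if (id === deviceId) this.tokens.delete(token);
  }
  // Corrected form: drop the credential, then close every live session of the device.
  revoke(deviceId) {
    this.revokeStoredOnly(deviceId);
    const live = this.sessions.get(deviceId) ?? new Set();
    for (const socket of live) socket.close(4401, "token revoked"); // 4000-4999: app-defined
    this.sessions.delete(deviceId);
    return live.size; // number of sessions terminated, useful for the audit log
  }
}

function demo() {
  const gw = new DeviceGateway();
  gw.issueToken("laptop", "tok-A"); // constructed sample devices and tokens
  gw.issueToken("phone", "tok-B");
  const a = new FakeSocket(), b = new FakeSocket();
  gw.connect("tok-A", a);
  gw.connect("tok-B", b);
  gw.revokeStoredOnly("laptop");
  const weakStillServed = gw.handleMessage(a, "ping").ok; // live session survives revoke
  const closed = gw.revoke("phone");
  const fixedStillServed = gw.handleMessage(b, "ping").ok;
  const reconnect = gw.connect("tok-A", new FakeSocket()); // new connections are refused
  return { weakStillServed, closed, fixedStillServed, reconnect, code: b.closeCode };
}
```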
SSRF Vulnerability in Image Provider
The fal provider for image generation uses raw fetches for both API traffic and image downloads, skipping the SSRF-guarded fetch path. This allows malicious relays to force the gateway to fetch internal URLs and expose internal service responses through the image pipeline.
Allowlist Degradation
Route-level group allowlists for platforms like Google Chat or Zalo silently downgraded from allowlist to open instead of preserving group policies. This allows any member of the allowlisted space to interact with the bot, ignoring sender-level restrictions.
Immediate Actions Required
- Check your OpenClaw version. If it's ≤2026.3.24, update to 2026.3.28 immediately.
- Review pairing logs for any unexpected admin grants.
- If you recently revoked a token, force-restart your gateway to kill lingering WebSocket sessions.
The Ant AI Security Lab audit reveals that while much attention focuses on LLM security risks like prompt injection, the framework's own parameter validation and trust boundaries present critical vulnerabilities. All 8 advisories from the audit are publicly available on the OpenClaw GitHub security tab.
📖 Read the full source: r/openclaw