This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
* 135k+ OpenClaw instances are publicly exposed
* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
Is this accurate? This is definitely a very different picture then the one you paint
What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?
NVIDIA is contributing to the security of OpenClaw via NemoClaw.[0]
Not sure about ByteDance and Tencent.
Most of these larger players are interested in supporting anything that helps grow the ecosystem so broadly.
That user said that they use OpenClaw to scrape city meetings for context so that they can more efficiently participate in local politics. You then attacked them, accusing them of "leaving AI slop comments on public city meetings", which isn't what they said they were doing at all.
I see absolutely no problem in using AI to summarize large quantities of information (such as a collection of city meeting notes). Summarization is one of the places that AI really shines right now, and if it helps people wrap their head around what is happening in their communities, good!
I understand a healthy skepticm of AI. Everyone should have some degree of that. But maybe avoid the urge to publicly shame people for their use of AI, especially on a site like this where that won't be received well. Or, if you're going to offer criticism, show some tact.
> What does Telegram/Discord have to do with anything? The OP never mentioned either of these software suites. In fact the only mention of Telegram anywhere in the entire thread is you copy-pasting this exact message.
I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.
Currently we're at 1.8 CVEs per day since OpenClaw launched!
You say that, but you also say
> I’m not an openclaw user
Your first statement makes the second one rather obvious.
As I said some weeks ago, I've given up pointing out on HN: "Well, you could just not give it your data" only to be repeatedly told (by non-users) that the whole point is to give it all your data.
And the myth continues...
Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
However:
> Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
I'd say that it's a given that we live in a world when your LAN is infested with compromised and hostile devices: from phones (spying devices) to home automation (spying chinese webcams) to TVs (with the TV's microphone listening 24/7 to everything people are saying) to chinese routers (which, yup, have backdoors for the chinese state) to that corean soundbar to really whatever enshittied device the world of enshittified turds we live in can come up with.
It is a fact of life that compromised, insecure, backdoored and at times all three of these shall find their way to our homes and appartments...
And it shouldn't be an issue.
What I mean by this: machines could be scanning my local networks and even maybe determine that this box at this IP is running Linux and... It still should be able to do exactly jack fucking shit with that information.
We must all learn to secure our devices for the Internet of Insecure and Enshittified Things is moving forward at godspeed. And if you think OpenClaw on its own device on your LAN is bad, wait until all the companies that were already selling enshittifed devices since years realize they'll now be able to enshittify those even more by slapping OpenClaw (or the equivalent) on their devices.
These insecure turds are all going to get a big boost of insecuredness, this time AI powered.
I'd say: bring it on. I'm ready. We all should be.
If you think you need to give it the keys to your kingdoom to be useful, you are not actually experimenting with this stack but regurgitating the words of others. I really don't understand the mindset of comments like this.
/s
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
I do disagree about unix system were designed for this kind of stuff. Unix was not designed for an agent to act like you and take decision for you...
Putting data and instructions in the same memory was always a bad idea - LLMs just took this to the extreme by making data and instructions the same thing.
Not too much harder is using a VM:
With Apple's open-source container tool, you can spin up a linux container vm in ~100ms. (No docker root)
With Apple virtualization framework, you can run macOS in a VM (with a separate apple id).
Right, these are system accounts. They don't have access to anything except their own home folder and whatever I put in their .bashrc. `sudo` is a pretty easy sandbox by itself and lets me manage their home folders, shell, and environment easily just with the typical Unix-isms. No need for mounting VM disks, persisting disk images, etc.
I don't need virtualization to let Claude Code run. I just let it run as a "claude" user.
Yesterday I did care. Today? Not so much. Welcome climate change, we fully deserve it.
My interpretation is that 135k instances are vulnerable, but of those there's more conditions that need to be met, specifically:
These need to be multi-user systems where there are users with 'basic pairing' privileges. Which I don't think is very common, most instances are single-user.
So way less than the 135k number. I think a more accurate title would have been "If you're running OpenClaw, you are probably vulnerable" but not "you probably got hacked", that's just outright false and there's no evidence that the exposed users were ALL hacked.
Otherwise I would say “you may have been hacked” not “you probably have been hacked”.
If you're running OpenClaw, you probably didn't get hacked in the last week.
Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263
https://github.com/openclaw/openclaw/commit/5643a934799dc523...
A malicious web page runs JavaScript that makes a fetch() or XMLHttpRequest to http://localhost:CLAWPORT — your browser executes that from your machine, so it bypasses your router/firewall entirely. If OpenClaw is listening on localhost with no auth, the browser just connects to it. Same-origin policy doesn’t save you because the request originates from your own machine.
(I’ve never used any of them.)
So you take the output of an LLM, which is obviously impossibly to guarantee correct, and use that to choose a tool and execute it. Like, send an email or whatever. And you take the input for that LLM not only from prompts, and various files, but also your system and random stuff you download from the internet.
I am telling you people, this is lunacy. No good can come of this.
Run it as root it will have root caps, run it as ritcgab it will have ritcgab's caps. Same as every other program.
Or inviting any legal or regulatory scrutiny.
They don’t even read the code in any serious capacity so excuse me for not taking any assessment of the situation from him too seriously. Might as well just ask Claude Code to assess it yourself.
Welcome to the world vibe coding created. The fun is only just beginning.
Hard disagree. Vibe coding isn't responsible for people not doing the slightest due diligence when running this (pardon my French) shit. You can vibe code stuff and keep it at a much higher quality. And you can check who did the vibecoding and how they approached it, so the burden also falls on the person running the stuff to understand what they're running. This isn't an enterprise level application that has a full team behind it that had an issue. This is a pandora's box vibecoded overnight for fun, full of stuff we don't even know about, that was opened the moment you touched it with a stick.
Vibe coding obviously doesn’t make something insecure, per se, but saying it doesn’t reduce the attention paid to any given line of code, or encourage less knowledgeable people to write code, seems pretty dubious to me.
The Claude Code team is clearly competent and professional, yet they accidentally published the proprietary source code for one of the world’s hottest products. That’s like a Bank manager walking away with the keys in the door and alarm disarmed. When’s the last time you heard of a human team of developers doing that?
Again, I’m not saying that vibe coding necessarily creates unsafe code, but I don’t see how anyone could say vibe coding was devoid of security implications. I think this is an organizational/logistical problem that we’ll figure out at some point, but in think it’s going to be more of a C buffer overflow ‘figured out’ that never really goes away.
Steinberger has said he doesn’t look at (most) the code.
Right. It’s always the people. They just tend to bodge things. All the time. So when there’s new foot guns, the inevitable will happen.
Shipping at the speed of inference for real.
But coding is solved? Why do you need those guys if all they do is use claude code? Just have it solve it overnight. You forgot to prompt "make it secure pls"?
My belief, is the people who post this quote thinking it's some big win are the same people who are upset they can't post "stochastic parrot" anymore.
And we all saw how that went.
LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.
This is bad.
It also have mine automatically grabs a spot at my gym when spots are released because I always forget.
I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.
seems far more efficient/reliable to get codex/claude code to write and set up a bot that does this.
But he already did this. With a bonus of it will continue to work in the future if something breaks or changes. Human time is more precious than computing resources nowadays.
I think Simon Willison said it best some weeks ago: He's capable of writing a bot like this - both before and after LLMs came on the scene. However, the reality is he never wrote one, despite wanting to many times.
Yet in just 2-3 weeks of using OpenClaw[1], I did this a few times.
Recall a year or so ago in the early days of vibe coding when people kept saying "I don't need AI to write code. It does a crap job and I can do it myself. Who needs LLMs to do it?" - You'd get lots of people countering with "Oh, in a few weeks I've written lots of automations that I'd been thinking about for months/years - that I likely would never have written without AI coding tools".
The key is the lower barrier to producing something. OpenClaw is to using CC to write that bot as using CC was to writing code by hand. I can be doing work, shopping, etc and when an idea pops into my head, I casually send a note to my Claw instance (voice or text) asking it to look into it or try making it. It doesn't do a great job, but the expectations of success are similarly low. But when it does do precisely what you need it to: Oh boy, you're happy that it saved you time, etc.
[1] I no longer run it, for very boring reasons.
The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.
I think devs are too focused on the technical what did u build with it.
For example. My brother runs a small recruiting agency. Super nontechnical. Out of nowhere he asks me about openclaw. Then with no help, he sets it up and uses it. Still no help, he has all kinds of nonsense hooked up and running blowing through tokens. He is blown away by it and wants to get it for all of his employees. He thinks about it in terms of cost per min running and not in tokens.
This is the sticky gooey value to whatever openclaw is doing.
I say to it: check my pending tasks on Todoist and see if you can tackle on of those by yourself.
It then finds some bugs in a webapp that I took note. I tell it to go for it, but use a new branch and deploy it on a new url. So it clones the repo, fix it, commit, push, deploy, and test. It just messages me afterwards.
This is possible because it has access to my todoist and github and several other services.
Sometimes it toils away for 2+ hours, spawning Claude Code instances, checking its work, testing the code, even using browser automation to make sure everything works the way it is supposed to if it's writing a webapp.
In the end, it consumes like $10-20 worth of tokens and spits out a functional application with everything I asked for.
Claude Code can do this on its own, to an extent, but there's something about getting OpenClaw to iterate through multiple sessions and testing everything to make sure it works the way I described that I really like. It completely offloads the process to the AI, and keeps me mostly out of the loop.
Is the code any good? Probably not. Am I at risk of being exploited by malware? Probably. But I have automated quite a lot of things with the software that OpenClaw builds for me, and I am careful to review the libraries it imports before running the code on any machine with actual access to anything I actually care about.
Personally, anyone using OpenClaw for the "it reads your emails" use case is crazy, because prompt injection is real, and you're basically inviting anyone who knows your email address to take a stab at pwning you, with full access to your personal life. I keep my instances on a VPS, behind a restrictive security group, and only accessible via Tailscale where it has zero access to anything on my tailnet. I only recently gave it its own email account (not mine!), but even then I am skeptical of doing so, and take efforts to prevent it from taking action on any email it receives (e.g., disabling the Heartbeat) because who knows what it'll end up doing. I mostly like that it can email me if I ask it to.
I'd also instantly hit Claude Desktop's rate limits with this I reckon. Since Claw uses APIs, you bypass those limits and can route the messy scraping to cheap models, saving expensive ones for the actual analysis. It also handles Playwright integration and state persistence out of the box so a crash doesn't wipe your progress.
If I'm wrong, I'm open to learning. I'm as new to this as everyone :)
[0] https://itmeetsot.eu/posts/2026-03-27-openclaw_webfetch/
My main takeaway message is: models (even opus4.6) do not follow security "instructions" reliably. In OpenClaw, they added security warnings, tags, random IDs... None of these countermeasures work reliably. Even sandboxing can be escaped (not in the classical sense using vulnerabilities, but using multi-layered prompt injection payload with natural language only)[0]. As soon as untrusted content is injected in the context, do not trust any actions downstream.
...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)
and I've treated it like it's already been compromised the whole time.
The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.
So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.
In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.
[EDIT: I truly down understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]
Too much focus on shipping features, not enough attention to stability and security.
As the code base grows exponentially, so does the security vulnerability surface.
[[attacking project creators when they show up to discuss their work is particularly harmful; please don't ever do that here]]
[[[if you posted any of these, we'd appreciate it if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on]]]
I see you haven't heard of Microsoft...
- "You're absolutely right. One should read and understand their own code. I did, and it looks great"
OpenClaw is probably entering a phase of it's life where prototype-grade YOLO processes (like what the tweet describes) aren't going to cut it anymore. That's not really a criticism, the product's success has over vaulted it's maturity, which is a fortunate problem to have.
Who wants the fame must also take the blame.
Especially if they create a dangerous tool.
All new technology has issues. Figure it out.
Especially if you're spending $3k per month on inference, have the model fix the agent.
I suppose the idea is to wait for someone else to productize it.
Lazy.
