Action Required

If you are running OpenClaw prior to v0.9.4 with any network-accessible interface, you are vulnerable. Update immediately. Exploitation in the wild confirmed as of March 18, 2026.

The Vulnerability at a Glance

CVE ID: CVE-2026-25253
CVSS Score: 9.8 (Critical)
Affected Versions: OpenClaw < 0.9.4
Patch Version: OpenClaw 0.9.4 and later
Exploit Type: Unauthenticated Remote Code Execution
Attack Vector: Network (no authentication required)
Disclosed By: Independent security researcher via OpenClaw GitHub
Public Exploit: Yes — PoC published March 18, 2026

CVE-2026-25253 is a pre-authentication remote code execution vulnerability in OpenClaw's built-in WebSocket API server. The vulnerability exists in how OpenClaw processes incoming skill_invoke messages before verifying the caller's session token.

An attacker with network access to an OpenClaw instance — including instances exposed to the internet — can send a specially crafted WebSocket message that causes OpenClaw to execute arbitrary shell commands with the permissions of the user running the OpenClaw process. No credentials are required.

Root Cause: Authentication Bypass in the WebSocket Handler

OpenClaw's WebSocket API server handles incoming connections on port 7331 by default. The authentication middleware is supposed to validate a session token before allowing skill invocations. The vulnerability is a classic authentication bypass: the skill_invoke message type was mistakenly excluded from the authentication check in a refactor introduced in OpenClaw v0.7.2.

This means any client, whether or not it holds a valid session token, can invoke skills, including shell-execution skills such as system.exec and browser.evaluate_js.
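The pattern behind this root cause, as an added illustration that is not OpenClaw's code: a message dispatcher that authenticates by deny-list (the set of types can silently lose an entry in a refactor, as the advisory describes for skill_invoke) beside one that authenticates by default and exempts only an explicit pre-auth allow-list. The token value and every message type and skill name other than skill_invoke and system.exec are constructed for the example.

```python
"""Hypothetical dispatcher illustrating the bug class; not OpenClaw code."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed session token accepted by this toy server.
VALID_TOKENS = {"constructed-session-token"}


@dataclass
class Message:
    type: str                          # e.g. "skill_invoke"
    session_token: Optional[str] = None
    payload: dict = field(default_factory=dict)


def _run_skill(msg: Message) -> str:
    # Stand-in for skill execution: records what would have run, runs nothing.
    return f"invoked {msg.payload.get('skill')}"


def dispatch_vulnerable(msg: Message) -> str:
    """Deny-list: only the listed types are authenticated. skill_invoke is
    absent from the set, so it is reachable with no token at all."""
    needs_auth = {"skill_list", "config_get"}  # skill_invoke was dropped here
    if msg.type in needs_auth and msg.session_token not in VALID_TOKENS:
        return "rejected: unauthenticated"
    if msg.type == "skill_invoke":
        return _run_skill(msg)
    return f"handled {msg.type}"


def dispatch_fixed(msg: Message) -> str:
    """Default deny: every type is authenticated unless it is one of the
    few messages that must legitimately arrive before a session exists."""
    pre_auth_types = {"hello", "auth"}          # the only exempt messages
    if msg.type not in pre_auth_types and msg.session_token not in VALID_TOKENS:
        return "rejected: unauthenticated"
    if msg.type == "skill_invoke":
        return _run_skill(msg)
    return f"handled {msg.type}"
```

With default deny, adding a new privileged message type can no longer bypass authentication by omission, which is the property the v0.7.2 refactor lost.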

Default Port Exposure

OpenClaw's WebSocket server binds to 0.0.0.0:7331 by default — not localhost. This means any OpenClaw installation without a firewall rule blocking port 7331 is potentially accessible from the network.

Who Is Affected?

All OpenClaw installations running version 0.9.3 or earlier with the WebSocket API server enabled (the default) are vulnerable. A Shodan scan conducted by the ClawConsult research team found:

  • 17,543 OpenClaw instances publicly accessible on the internet
  • 14,891 of those (84.9%) running a version prior to 0.9.4
  • The majority in the US (38%), Germany (14%), and Singapore (9%)
  • A significant number running in enterprise cloud environments (AWS, GCP, Azure)

If your OpenClaw instance is behind a firewall with port 7331 blocked from external access, your risk is significantly lower — but the vulnerability still exists and could be exploited by an attacker with internal network access.

What Can an Attacker Do?

Successful exploitation of CVE-2026-25253 gives an attacker the same capabilities as the OpenClaw runtime itself, which typically include:

  • Full shell access on the host machine
  • Access to all files readable by the OpenClaw process user
  • Access to any API keys or credentials configured in OpenClaw's settings
  • Ability to use installed skills (browser control, file system access, external API calls)
  • Lateral movement if the machine has access to internal network resources

The public proof-of-concept released on March 18, 2026 demonstrates full shell access in under 2 seconds from a single WebSocket message.

How to Patch

Patch Available

OpenClaw 0.9.4 was released on March 17, 2026 and fixes CVE-2026-25253. Update immediately.

Option 1: Update OpenClaw (Recommended)

# If installed via pip
pip install --upgrade openclaw

# If installed via npm
npm update -g openclaw

# If running via Docker
# Re-add the volume mounts, port mappings and environment flags from your
# original `docker run` command, or the new container starts without them.
docker pull openclaw/openclaw:latest
docker stop openclaw && docker rm openclaw
docker run -d --name openclaw openclaw/openclaw:latest

# Verify patched version
openclaw --version  # Should show 0.9.4 or later

Option 2: Temporary Mitigation (If Immediate Update Is Not Possible)

If you cannot update immediately, restrict access to the WebSocket API server:

# Block external access to OpenClaw WebSocket port (Linux/iptables)
# These rules append to INPUT: if an earlier rule already accepts port 7331
# they never match, so insert them ahead of it (iptables -I) in that case,
# and persist the rules so they survive a reboot.
iptables -A INPUT -p tcp --dport 7331 -s 127.0.0.1 -j ACCEPT
iptables -A INPUT -p tcp --dport 7331 -j DROP

# Or in OpenClaw config, bind to localhost only
# In ~/.openclaw/config.json:
{
  "api": {
    "host": "127.0.0.1",
    "port": 7331
  }
}

Note: The config change requires a restart of OpenClaw and only works if you are running OpenClaw locally and accessing it from the same machine. If you've deployed OpenClaw on a remote server accessed via the network, update to 0.9.4 immediately.
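An added audit helper (example code, not an OpenClaw tool) that combines the two checks this section relies on: it reads the version from `openclaw --version` output and the api.host setting from ~/.openclaw/config.json and reports whether a host is patched, vulnerable but loopback-only, or vulnerable and network-exposed. The exact output format of `openclaw --version` is assumed, a missing api.host is treated as the documented 0.0.0.0 default, and the sample inputs are constructed.

```python
"""Audit helper for CVE-2026-25253 exposure; example code, not OpenClaw's."""
import json
import re

PATCHED = (0, 9, 4)   # first fixed release per the advisory
LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1"}


def parse_version(text: str) -> tuple:
    """Extract the first dotted version from command output such as
    'openclaw 0.9.3' (the exact output format is an assumption)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_vulnerable(version_output: str) -> bool:
    """Every release before 0.9.4 is affected."""
    return parse_version(version_output) < PATCHED


def api_exposed(config_text: str) -> bool:
    """True when the WebSocket API listens on a non-loopback address.
    An absent api.host means the documented default of 0.0.0.0."""
    cfg = json.loads(config_text) if config_text.strip() else {}
    host = cfg.get("api", {}).get("host", "0.0.0.0")
    return host not in LOOPBACK_HOSTS


def assess(version_output: str, config_text: str) -> str:
    """Return 'patched', 'vulnerable-local' or 'vulnerable-exposed'.
    'vulnerable-local' still needs the update; only the network path is closed."""
    if not version_vulnerable(version_output):
        return "patched"
    return "vulnerable-exposed" if api_exposed(config_text) else "vulnerable-local"


# Constructed sample inputs for a stand-alone run.
SAMPLE_VERSION = "openclaw 0.9.3"
SAMPLE_CONFIG = '{"api": {"host": "0.0.0.0", "port": 7331}}'

if __name__ == "__main__":
    print(assess(SAMPLE_VERSION, SAMPLE_CONFIG))  # vulnerable-exposed
```

Feed it the real command output and config file contents from each host to build the inventory the "Who Is Affected?" section asks you to check.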

NemoClaw Users: You Are Protected

Organizations running NemoClaw — NVIDIA's enterprise security wrapper for OpenClaw — are not vulnerable to CVE-2026-25253 in most configurations. NemoClaw wraps the OpenClaw WebSocket API behind its own authenticated proxy and, in default configurations, disables direct WebSocket access entirely.

If you are running NemoClaw in an air-gapped or enterprise configuration, verify that direct_api_access is set to false in your NemoClaw policy file. If this value is true, update OpenClaw to 0.9.4 regardless.

Timeline

  • March 12, 2026 — Vulnerability reported to OpenClaw maintainers via GitHub Security Advisories
  • March 17, 2026 — OpenClaw 0.9.4 released with fix
  • March 18, 2026 — Public proof-of-concept published; exploitation in the wild observed
  • March 19, 2026 — CVE identifier assigned (CVE-2026-25253)

Need Help Patching?

If your organization has a complex OpenClaw deployment or needs assistance verifying that all instances are patched and hardened, the ClawConsult team offers emergency security audits typically completed within 24–48 hours. Our consultants have patched hundreds of OpenClaw installations and can work alongside your engineering team.

View our Security Audit pricing → or contact us directly for urgent engagements.