9 OpenClaw CVEs in 4 days: the March 2026 security breakdown
By Linas Valiukas · March 21, 2026
Between March 18 and March 21, 2026, nine CVEs were publicly disclosed for OpenClaw. Four days. Nine vulnerabilities. One scored a 9.9 out of 10.
We wrote last week about the update treadmill and how hard it is to keep a self-hosted instance current. That post covered the breakneck release pace. This one covers what happens when you fall behind.
Every CVE, explained
These aren't theoretical. Each vulnerability has a public GitHub Security Advisory with enough detail for a competent attacker to reproduce it. Sorted by disclosure date, then severity.
| CVE | CVSS | Date | What it does | Patched in |
|---|---|---|---|---|
| CVE-2026-22171 | 8.2 High | Mar 18 | Path traversal in Feishu media download. Arbitrary file write. | 2026.2.19 |
| CVE-2026-28460 | 5.9 Medium | Mar 19 | Allowlist bypass via shell line-continuation. Command injection. | 2026.2.22 |
| CVE-2026-29607 | 6.4 Medium | Mar 19 | Allow-always wrapper bypass. Approve a safe command, swap the payload later. RCE. | 2026.2.22 |
| CVE-2026-32032 | 7.0 High | Mar 19 | Untrusted SHELL env variable. Arbitrary shell execution on shared hosts. | 2026.2.22 |
| CVE-2026-32025 | 7.5 High | Mar 19 | WebSocket brute-force. No rate limiting. Full session hijack from a browser tab. | 2026.2.25 |
| CVE-2026-22172 | 9.9 Critical | Mar 20 | WebSocket scope self-declaration. Low-priv user becomes full admin. No exploit needed. | 2026.3.12 |
| CVE-2026-32048 | 7.5 High | Mar 21 | Sandbox escape. Sandboxed sessions spawn unsandboxed children. | 2026.3.1 |
| CVE-2026-32049 | 7.5 High | Mar 21 | Oversized media payload DoS. No auth needed. Crash the service remotely. | 2026.2.22 |
| CVE-2026-32051 | 8.8 High | Mar 21 | Privilege escalation. operator.write scope reaches owner-only surfaces. | 2026.3.1 |
Six high-severity. Two medium. One critical. And these are just the ones that got CVE numbers this week. The OpenClaw CVE tracker on GitHub shows 156 total advisories tracked as of today, with 128 still waiting for CVE assignment.
The worst one: CVE-2026-22172
A 9.9 CVSS score means it's about as bad as a vulnerability gets. Here's what it does.
When you connect to OpenClaw's gateway via WebSocket using shared-token or password auth, the server lets the client declare its own scopes during the handshake. You log in as a regular user. You tell the server "I'm operator.admin." The server says "okay." Full administrative access. Gateway operations. Cron management. Everything.
No exploit toolkit needed. No buffer overflow. No race condition. You just... ask. The server trusts you. TheHackerWire's writeup described it as a "self-declaration" vulnerability — which is a polite way of saying the authorization check wasn't there.
Patched in v2026.3.12 (March 13). If you're running anything older, any authenticated user on your instance is one WebSocket message away from being an admin.
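The difference between trusting declared scopes and deriving them server-side, as an added example. This is not OpenClaw source: the function names, the handshake shape and the grant table are assumptions made for illustration; only the scope names operator.admin and operator.write come from this article.

```javascript
// Added illustration, not OpenClaw source. Function and field names are hypothetical.
// Server-side grants per authenticated principal (constructed sample data).
const GRANTS = new Map([
  ["regular-user", new Set(["operator.write"])],
  ["owner", new Set(["operator.write", "operator.admin"])],
]);

// Flawed pattern: the session holds whatever scopes the handshake declared.
function scopesSelfDeclared(principal, hello) {
  return { effective: new Set(hello.scopes || []), denied: [] };
}

// Hardened: declared scopes can only narrow what the server already granted.
function scopesServerDerived(principal, hello) {
  const granted = GRANTS.get(principal) || new Set();
  // A handshake with no scope list gets the principal's grants, nothing more.
  const requested = Array.isArray(hello.scopes) ? hello.scopes : [...granted];
  const effective = new Set();
  const denied = [];
  for (const scope of requested) {
    if (typeof scope === "string" && granted.has(scope)) effective.add(scope);
    else denied.push(scope); // worth logging: a client asked for more than it holds
  }
  return { effective, denied };
}

// Every privileged operation checks the server-derived set, never the handshake.
function authorize(session, requiredScope) {
  return session.effective.has(requiredScope);
}

// Constructed handshake: a regular user declaring operator.admin.
const hello = { auth: "shared-token", scopes: ["operator.write", "operator.admin"] };
const flawed = scopesSelfDeclared("regular-user", hello);
const hardened = scopesServerDerived("regular-user", hello);
console.log(authorize(flawed, "operator.admin"), authorize(hardened, "operator.admin"), hardened.denied);
```

The denied list doubles as a detection signal: a client that requests scopes it was never granted is either misconfigured or probing.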
The browser attack: CVE-2026-32025
This one was found by Oasis Security and they called it "ClawJacked." It's clever and unsettling.
OpenClaw's gateway has no rate limiting on authentication attempts from localhost. That sounds fine until you remember that browsers can open WebSocket connections to localhost. A malicious website you visit can connect to your local OpenClaw gateway and brute-force the password at hundreds of attempts per second. Once in, localhost connections auto-approve device pairing without prompting you. Full session access. Your agent compromised because you opened the wrong browser tab.
Oasis reported it and OpenClaw patched it within 24 hours. Good response time. But the vulnerability existed in every prior version.
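A failed-login throttle that gives loopback no exemption, as an added example. It is not OpenClaw's patch: the class name, limits and lockout policy are assumptions chosen for illustration.

```javascript
// Added illustration, not OpenClaw code. All names and limits are assumptions.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Collapse every loopback spelling to one key so attempts cannot be spread across them.
function throttleKey(remoteAddr) {
  return LOOPBACK.has(remoteAddr) ? "loopback" : remoteAddr;
}

class AuthThrottle {
  constructor({ maxFailures = 5, windowMs = 60000, lockMs = 300000 } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.lockMs = lockMs;
    this.state = new Map(); // key -> { failures: number[], lockedUntil: number }
  }

  // Call before verifying a credential. Loopback is throttled like any other peer.
  check(remoteAddr, now = Date.now()) {
    const entry = this.state.get(throttleKey(remoteAddr));
    if (entry && entry.lockedUntil > now) {
      return { allowed: false, retryAfterMs: entry.lockedUntil - now };
    }
    return { allowed: true, retryAfterMs: 0 };
  }

  // Returns true when this failure triggered a lockout.
  recordFailure(remoteAddr, now = Date.now()) {
    const key = throttleKey(remoteAddr);
    const entry = this.state.get(key) || { failures: [], lockedUntil: 0 };
    entry.failures = entry.failures.filter((t) => now - t < this.windowMs);
    entry.failures.push(now);
    if (entry.failures.length >= this.maxFailures) {
      entry.lockedUntil = now + this.lockMs;
      entry.failures = [];
    }
    this.state.set(key, entry);
    return entry.lockedUntil > now;
  }

  recordSuccess(remoteAddr) {
    this.state.delete(throttleKey(remoteAddr));
  }
}
```

Because every local client shares the loopback key, a lockout also delays the legitimate local user; that cost is what caps the guess rate a browser tab can reach.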
The sandbox that isn't: CVE-2026-32048
OpenClaw has a sandbox mode. You'd expect a sandboxed session to stay sandboxed. It doesn't.
When a sandboxed session spawns a child process through sessions_spawn, OpenClaw fails to inherit the sandbox restrictions. The child runs with sandbox.mode: off. A compromised sandboxed agent can escape confinement entirely. At that point, arbitrary code execution, data access, and DoS are all on the table.
This is particularly bad because the sandbox is one of the features people point to when arguing that OpenClaw is safe enough to run on their own. NVIDIA built NemoClaw specifically to add better sandboxing. Turns out the existing sandbox had a hole you could drive a truck through.
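Sandbox inheritance expressed as a spawn-time rule plus an audit over a session tree, as an added example. It is not OpenClaw code: only the mode name off appears in this article, and the restricted mode, the record shape and the function names are assumptions.

```javascript
// Added illustration, not OpenClaw source. Only "off" is a mode named in the article;
// "restricted" and the session-record shape are assumptions.
const STRICTNESS = { off: 0, restricted: 1 };

// Unknown or missing modes rank as "off" so they get flagged rather than trusted.
function rank(mode) {
  return Object.prototype.hasOwnProperty.call(STRICTNESS, mode) ? STRICTNESS[mode] : 0;
}

// Spawn-time rule: a child may request a stricter mode than its parent, never a weaker one.
function childSandboxMode(parentMode, requestedMode) {
  return rank(requestedMode) > rank(parentMode) ? requestedMode : parentMode;
}

// Audit: walk each session's ancestors and report any session weaker than one of them.
function findEscapes(sessions) {
  const byId = new Map(sessions.map((s) => [s.id, s]));
  const findings = [];
  for (const s of sessions) {
    const seen = new Set([s.id]); // guards against cyclic parent links
    let p = byId.get(s.parentId);
    while (p && !seen.has(p.id)) {
      if (rank(p.mode) > rank(s.mode)) {
        findings.push({ session: s.id, mode: s.mode, ancestor: p.id, ancestorMode: p.mode });
        break;
      }
      seen.add(p.id);
      p = byId.get(p.parentId);
    }
  }
  return findings;
}

// Constructed session records.
const SAMPLE = [
  { id: "a", parentId: null, mode: "restricted" },
  { id: "b", parentId: "a", mode: "off" }, // child weaker than its parent
  { id: "c", parentId: "b", mode: "off" }, // grandchild weaker than "a"
  { id: "d", parentId: null, mode: "off" },
  { id: "e", parentId: "d", mode: "off" }, // nothing stricter to inherit
];
console.log(findEscapes(SAMPLE));
```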
The allow-always trick: CVE-2026-29607
OpenClaw has an "allow always" feature for commands you trust. Approve system.run once, and it won't ask again. The problem: the allowlist persisted at the wrapper level, not the inner command level. An attacker could get you to approve a safe-looking wrapped command, then swap the inner payload to something malicious. The approval still applies. Remote code execution without re-prompting.
Same ballpark as CVE-2026-28460, which bypassed the command allowlist entirely using shell line-continuation characters. Two different ways past the same security boundary, disclosed on the same day.
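Two checks that address the boundary both CVEs crossed, as an added example: a standing approval bound to the exact command instead of the wrapper, and a pre-check that refuses line-continuation before any allowlist matching. This is not OpenClaw code; the store, the argv model and the sample commands are assumptions.

```javascript
// Added illustration, not OpenClaw source. The store and command shapes are hypothetical.
// A command is modelled as an argv array: the wrapper first, then the inner command.

// Flawed: the standing approval is keyed on the wrapper alone.
const keyByWrapper = (argv) => argv[0];
// Hardened: keyed on the exact argv, so any change to the inner command prompts again.
const keyByFullCommand = (argv) => JSON.stringify(argv);

class AllowAlwaysStore {
  constructor(keyFn) {
    this.keyFn = keyFn;
    this.approved = new Set();
  }
  allowAlways(argv) {
    this.approved.add(this.keyFn(argv));
  }
  needsPrompt(argv) {
    return !this.approved.has(this.keyFn(argv));
  }
}

// Pre-check run on the raw command text before any allowlist comparison: refuse
// anything a shell would join or split across lines instead of trying to parse it.
function rejectReason(rawCommand) {
  if (/\\\r?\n/.test(rawCommand)) return "line-continuation";
  if (/[\r\n\0]/.test(rawCommand)) return "control-character";
  return null;
}

// Constructed commands: same wrapper, different inner command.
const approvedOnce = ["timeout", "30", "ls", "-l"];
const laterCall = ["timeout", "30", "cat", "notes.txt"];

const weakStore = new AllowAlwaysStore(keyByWrapper);
const boundStore = new AllowAlwaysStore(keyByFullCommand);
weakStore.allowAlways(approvedOnce);
boundStore.allowAlways(approvedOnce);
console.log(weakStore.needsPrompt(laterCall), boundStore.needsPrompt(laterCall));
```

The pre-check is only a gate in front of the allowlist, not a replacement for it.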
The patch gap problem
Here's the timing detail that makes this worse. Several of these patches were released weeks before the CVEs were published. Version 2026.2.22, which fixes five of the nine CVEs, shipped around February 22. The CVEs referencing it weren't published until March 19-21.
That's good practice from the OpenClaw team: fix the bug, ship the patch, then disclose. But it only works if people update. Most self-hosters don't follow upstream releases daily. They wait for news to reach them. The CVE publication is when awareness spreads. That creates a window where the patch exists but almost nobody has applied it.
How big is that window? Industry research suggests self-hosters take 1-4 weeks to apply non-critical patches. For the March 19 disclosures, that means many instances were exposed for a month after the fix was available. Some still are right now.
156 advisories and counting
These nine CVEs aren't an anomaly. They're part of a pattern.
The jgamblin/OpenClawCVEs tracker on GitHub lists 156 total security advisories. 28 have published CVE numbers. 128 are still in the queue. Earlier this month, Belgium's Centre for Cybersecurity issued a "Patch Immediately" advisory covering 7 CVEs in the Nextcloud Talk plugin alone, all scoring 9.2-9.4.
The enterprise security establishment has taken notice. Trend Micro published "CISOs in a Pinch: A Security Analysis of OpenClaw," calling it root-access-equivalent with probabilistic-model risk. Cisco called it "a security nightmare." Microsoft's security team recommended treating OpenClaw as untrusted code requiring full VM isolation. SecurityScorecard's STRIKE team found 135,000 exposed instances, with 15,000 directly vulnerable to RCE.
None of these are fringe researchers looking for attention. These are the companies that run enterprise security for Fortune 500s. When all of them are saying the same thing, it's worth listening.
What self-hosters need to do right now
If you're running a self-hosted OpenClaw instance, here's the minimum:
- Check your version. Run docker inspect or check the dashboard footer. If you're below v2026.3.12, you're exposed to at least some of these CVEs.
- Update to v2026.3.13 or later. This covers all nine CVEs listed above. Read the changelog carefully — there are breaking changes between 2026.2.x and 2026.3.x that require config adjustments.
- Verify auth is enabled. 30,000+ instances are running without authentication. If yours is one of them, updating alone isn't enough.
- Don't expose the gateway to the public internet. If you must, put it behind a reverse proxy with rate limiting. CVE-2026-32025 showed that even localhost exposure can be exploited through a browser.
- Check sandbox configuration. If you're relying on OpenClaw's sandbox for security isolation, CVE-2026-32048 means you need to verify that child processes inherit sandbox restrictions in your version.
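For the version check in the first step, an added example that reports which of the nine CVEs an installed version still lacks a fix for. The fix versions are copied from the table above; the code is not an OpenClaw tool, and the function names are assumptions.

```javascript
// Added illustration. Fix versions are copied from the table in this article.
const FIXED_IN = {
  "CVE-2026-22171": "2026.2.19",
  "CVE-2026-28460": "2026.2.22",
  "CVE-2026-29607": "2026.2.22",
  "CVE-2026-32032": "2026.2.22",
  "CVE-2026-32025": "2026.2.25",
  "CVE-2026-22172": "2026.3.12",
  "CVE-2026-32048": "2026.3.1",
  "CVE-2026-32049": "2026.2.22",
  "CVE-2026-32051": "2026.3.1",
};

// Accept "v2026.3.12" or "2026.3.12"; anything else throws so a malformed
// version string is never silently treated as patched.
function parseVersion(text) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)$/.exec(String(text).trim());
  if (!m) throw new Error("unrecognised version: " + text);
  return m.slice(1).map(Number);
}

// Compare component by component as numbers. Compared as strings,
// "2026.2.9" would sort after "2026.2.22".
function compareVersions(a, b) {
  const x = parseVersion(a);
  const y = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (x[i] !== y[i]) return x[i] < y[i] ? -1 : 1;
  }
  return 0;
}

// CVEs from the table whose fix version is newer than the installed one.
function unpatched(installed) {
  return Object.keys(FIXED_IN)
    .filter((cve) => compareVersions(installed, FIXED_IN[cve]) < 0)
    .sort();
}

console.log(unpatched("v2026.2.22"));
```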
This is the trade-off
OpenClaw is powerful software. We built our business on it. But "powerful" and "safe to run unsupervised" are different things.
Self-hosting means you're the security team. You're tracking CVE disclosures. You're reading GitHub Security Advisories. You're applying patches within hours of disclosure, not weeks. You're verifying that sandbox boundaries actually hold. You're monitoring for the 128 advisories that don't even have CVE numbers yet. That's a full-time awareness job bolted onto whatever you were actually trying to do with the agent.
On TryOpenClaw.ai, security patches ship same-day. We monitor upstream advisories, test patches before rollout, and handle the entire update cycle. Auth is always on. The gateway is never exposed. Sandbox configuration is managed. You don't need to know what CVE-2026-22172 is, because by the time it was published, your instance was already patched.
Managed hosting starts at
Frequently asked questions
How many CVEs were disclosed for OpenClaw in March 2026?
At least nine between March 18 and 21 alone. Belgium's CERT also issued a "Patch Immediately" advisory on March 6 covering seven additional CVEs in the Nextcloud Talk plugin. The broader CVE tracker shows 156 total advisories, with 128 awaiting assignment.
What version of OpenClaw do I need?
At minimum v2026.3.12 to cover all nine CVEs from this week. The latest stable is v2026.3.13. Patches were spread across versions 2026.2.19, 2026.2.22, 2026.2.25, 2026.3.1, and 2026.3.12 — running the latest covers all of them.
Are any of these being actively exploited?
No public proof-of-concept exploits have been published for any of the nine CVEs as of March 21. However, the GitHub Security Advisories contain enough technical detail for reproduction, and SecurityScorecard has already identified 15,000+ instances vulnerable to related RCE flaws. The window between disclosure and exploitation is typically short.
Does TryOpenClaw.ai patch these automatically?
Yes. Security patches are applied same-day. We test for breaking changes before rollout. You don't need to track CVEs, read advisories, or update anything manually.
Software engineer and founder of TryOpenClaw.ai. Been writing code since age 14.