If you're running OpenClaw, you probably got hacked in the last week
Posted by NotFunnyVipul@reddit | sysadmin | 119 comments
CVE-2026-33579 is actively exploitable and hits hard.
What happened: The /pair approve command doesn't check who is approving. So someone with basic pairing access (the lowest permission tier) can approve themselves for admin. That's it. Full instance takeover, no secondary exploit needed. CVSS 8.6 HIGH.
Why this matters right now:
- Patch dropped March 29, NVD listing March 31. Two-day window for the vulns to spread before anyone saw it on NVD
- 135k+ OpenClaw instances are publicly exposed
- 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
The attack is trivial:
- Connect to an unauthenticated OpenClaw instance → get pairing access (no credentials needed)
- Register a fake device asking for operator.admin scope
- Approve your own request with `/pair approve [request-id]`
- System grants admin because it never checks if you are authorized to grant admin
- You now control the entire instance — all data, all connected services, all credentials
Takes maybe 30 seconds once you know the gap exists.
What you need to do:
- Check your version: `openclaw --version`. If it's anything before 2026.3.28, stop what you're doing
- Upgrade (one command: `npm install openclaw@2026.3.28`)
- Run forensics if you've been running vulnerable versions:
- List admin devices: `openclaw devices list --format json` and look for admins approved by pairing-only users
- Check audit logs for `/pair approve` events in the last week
- If registration and approval timestamps are seconds apart and approver isn't a known admin = you got hit
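The forensic check listed in the post above (admin approvals where registration and approval are seconds apart and the approver is not a known admin) can be scripted once the audit events are exported. This is an added example, not part of the original post and not OpenClaw code; the event schema, field names and sample records are constructed, so real log fields have to be mapped onto them.

```typescript
// Added example. PairEvent is a constructed, normalized schema, NOT OpenClaw's
// audit-log format: map your own log fields onto it before use.
interface PairEvent {
  kind: "register" | "approve";
  requestId: string;
  actor: string;    // identity that registered or approved the request
  scopes: string[]; // scopes requested (register) or granted (approve)
  ts: string;       // ISO-8601 timestamp
}

interface Finding {
  requestId: string;
  approver: string;
  gapSeconds: number | null; // null: no usable registration record
  fastApproval: boolean;     // approved within maxGapSeconds of registration
  selfApproved: boolean;     // requester and approver are the same identity
}

// Flags operator.admin approvals made by anyone outside knownAdmins and
// records how closely each one followed its registration.
function findSuspiciousApprovals(
  events: PairEvent[],
  knownAdmins: Set<string>,
  maxGapSeconds: number = 60
): Finding[] {
  const registrations = new Map<string, PairEvent>();
  for (const e of events) {
    if (e.kind === "register") registrations.set(e.requestId, e);
  }
  const findings: Finding[] = [];
  for (const e of events) {
    if (e.kind !== "approve" || !e.scopes.includes("operator.admin")) continue;
    if (knownAdmins.has(e.actor)) continue; // expected approver, not a finding
    const reg = registrations.get(e.requestId);
    let gapSeconds: number | null = null;
    if (reg !== undefined) {
      const gap = (Date.parse(e.ts) - Date.parse(reg.ts)) / 1000;
      gapSeconds = Number.isNaN(gap) ? null : gap; // unparseable timestamp
    }
    findings.push({
      requestId: e.requestId,
      approver: e.actor,
      gapSeconds,
      fastApproval: gapSeconds !== null && gapSeconds <= maxGapSeconds,
      selfApproved: reg !== undefined && reg.actor === e.actor,
    });
  }
  return findings;
}

// Constructed sample records (identities, request ids and times are made up).
const SAMPLE_ADMINS = new Set<string>(["user:ops-lead"]);
const SAMPLE_EVENTS: PairEvent[] = [
  { kind: "register", requestId: "r-100", actor: "device:kiosk-7", scopes: ["operator.admin"], ts: "2026-03-30T02:14:05Z" },
  { kind: "approve", requestId: "r-100", actor: "device:kiosk-7", scopes: ["operator.admin"], ts: "2026-03-30T02:14:11Z" },
  { kind: "register", requestId: "r-101", actor: "device:new-phone", scopes: ["operator.admin"], ts: "2026-03-30T09:00:00Z" },
  { kind: "approve", requestId: "r-101", actor: "user:ops-lead", scopes: ["operator.admin"], ts: "2026-03-30T09:00:20Z" },
  // Approval whose registration is missing from the export (rotated or trimmed log).
  { kind: "approve", requestId: "r-102", actor: "device:unknown-3", scopes: ["operator.admin"], ts: "2026-03-30T11:30:00Z" },
  // Non-admin scope: ignored by the check.
  { kind: "approve", requestId: "r-103", actor: "device:unknown-3", scopes: ["chat.read"], ts: "2026-03-30T11:31:00Z" },
];

console.log(findSuspiciousApprovals(SAMPLE_EVENTS, SAMPLE_ADMINS));
```

An entry with `gapSeconds: null` means the matching registration was not in the exported window, which is a reason to pull older logs rather than to clear the approval.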
steipete@reddit
OpenClaw creator here.
This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
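The fail-open pattern described in the comment above, shown next to a fail-closed version, as an added sketch that is not OpenClaw's code and not written by the commenter. Only `callerScopes` and `operator.admin` come from the thread; the function names, the request shape and the `pairing` scope are hypothetical, and the subset rule follows the patch description given elsewhere in this thread.

```typescript
// Added illustration; every name except callerScopes and operator.admin is hypothetical.
interface PairingRequest {
  id: string;
  requestedScopes: string[];
}

interface ApprovalResult {
  approved: boolean;
  granted: string[];
  reason?: string;
}

type ApproveFn = (req: PairingRequest, callerScopes?: string[]) => ApprovalResult;

// Scopes the request asks for that the caller does not hold.
function excessScopes(req: PairingRequest, callerScopes: string[]): string[] {
  const held = new Set(callerScopes);
  return req.requestedScopes.filter((s) => !held.has(s));
}

// Fail-open core: when callerScopes is missing, the ceiling check is skipped.
const approveFailOpen: ApproveFn = (req, callerScopes) => {
  if (callerScopes !== undefined) {
    const excess = excessScopes(req, callerScopes);
    if (excess.length > 0) {
      return { approved: false, granted: [], reason: `caller lacks ${excess.join(", ")}` };
    }
  }
  return { approved: true, granted: [...req.requestedScopes] };
};

// Fail-closed core: a missing callerScopes is a denial, never a bypass.
const approveFailClosed: ApproveFn = (req, callerScopes) => {
  if (callerScopes === undefined) {
    return { approved: false, granted: [], reason: "caller scopes not supplied" };
  }
  const excess = excessScopes(req, callerScopes);
  if (excess.length > 0) {
    return { approved: false, granted: [], reason: `caller lacks ${excess.join(", ")}` };
  }
  return { approved: true, granted: [...req.requestedScopes] };
};

// Two entry points into the same core function. The RPC path forwards the
// caller's scopes; the command path models the call site that forgot to.
function viaRpcPath(approve: ApproveFn, req: PairingRequest, caller: string[]): ApprovalResult {
  return approve(req, caller);
}
function viaCommandPath(approve: ApproveFn, req: PairingRequest, _caller: string[]): ApprovalResult {
  return approve(req);
}

// Constructed scenario: a pairing-only caller approving an admin request.
function demo(): Record<string, boolean> {
  const req: PairingRequest = { id: "req-1", requestedScopes: ["operator.admin"] };
  const pairingOnly = ["pairing"];
  return {
    rpcFailOpen: viaRpcPath(approveFailOpen, req, pairingOnly).approved,
    commandFailOpen: viaCommandPath(approveFailOpen, req, pairingOnly).approved,
    rpcFailClosed: viaRpcPath(approveFailClosed, req, pairingOnly).approved,
    commandFailClosed: viaCommandPath(approveFailClosed, req, pairingOnly).approved,
  };
}

console.log(demo());
```

With the fail-closed core, a call site that forgets to forward the caller's scopes produces a denied approval that someone will notice, instead of a silent grant.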
p6l-richard@reddit
Thanks for the clarification, I appreciate you responding here directly. It’s very good to know that the practical exposure here is for senders who had gateway permissions as that should be carefully evaluated anyways.
If I understand your comment correctly, the scope ceiling bypass has been fixed. So if you follow these guidelines to harden an OpenClaw setup, one isn’t exposed?
https://docs.openclaw.ai/gateway/security#hardened-baseline-in-60-seconds
Professional-Heat690@reddit
Sorry. You need to rethink your dev approach, it's not working. Do the Internet a favour, admit it's not ready and pull the pin.
intelw1zard@reddit
you should be ashamed for creating such an insecure thing and releasing it
walledisney@reddit
Oh yeah prove it
NotFunnyVipul@reddit (OP)
1. Code path: `/pair approve` handler in `extensions/device-pair/index.ts` never passes `callerScopes` to the core approval function in `src/infra/device-pairing.ts`. Core function has zero info about who's approving, only validates that `operator.admin` is a valid scope, grants it. No authorization check.
2. Proof: Patch commit `e403decb6e20091b5402780a7ccd2085f98aa3cd` in 2026.3.28 adds `callerScopes` to the function signature and enforces that requested scopes are a subset of caller's own scopes. Read the diff yourself, this happens on all instances, auth or not.
HenryLoenwind@reddit
TheCyFi@reddit
So… despite your title suggesting that anyone running OpenClaw was probably hacked, your AI Slop post goes on to explain that only 63% of the publicly exposed instances are vulnerable. Lazy, low-effort AI slop.
NotFunnyVipul@reddit (OP)
`/pair approve` handler never passes `callerScopes` to the core approval function, so it grants `operator.admin` without checking if the approver holds it. Patch commit e403decb adds callerScopes enforcement. Happens on all instances, auth or not. Read the diff.
TheCyFi@reddit
Even then, that's only possible for web exposed instances. Are the majority of Open Claw instances web exposed?
HenryLoenwind@reddit
rofl. Show me any other software where there even are any hurdles when authentication is disabled.
OpenClaw is somewhat unique in that having the master password alone will get you no access at all, as you need approval by an existing session, too.
Soluchyte@reddit
63% is a pretty fair metric for a headline like that. It's not like it's 5%
TheCyFi@reddit
63% of the ones that are web exposed, not 63% of all Open Claw instances.
Soluchyte@reddit
Which makes very little difference? That's still an insanely high number.
TheCyFi@reddit
I didn't suggest that it's a small number or that this CVE isn't worthy of consideration. I suggested that the post was lazy and poorly articulated content coupled with an inaccurate sensationalist title.
Soluchyte@reddit
The title is pretty much the same one I'd come up with, 63% of internet connected instances is a large number and there's no point trying to keep denying that.
Even if only 50% of installs are internet connected, that's still a large number.
TheCyFi@reddit
Then you would also be guilty of using an inaccurate sensationalist title.
It has nothing to do with whether the number of exposed instances is significant. It has to do with the accuracy of the claim.
I’ve got two OpenClaw instances. They are properly isolated and not web-exposed. Seeing a post on r/sysadmin claiming that I was “probably hacked last week” is unhelpful sensationalism.
Soluchyte@reddit
Lol I am clearly wasting my time. Making a big deal of security issues so that they are heard by the maximum amount of ears is a perfectly fair use for sensationalist titles.
NoPossibility4178@reddit
63% is PROBABLY. What are you talking about?
TheCyFi@reddit
63% of the ones that are web exposed, not 63% of all Open Claw instances.
Seigmoraig@reddit
63% means odds are you likely got hacked, title is correct
xfilesvault@reddit
It's 63% of instances that are publicly exposed. It's a filter on a filter.
cybermind@reddit
https://www.shodan.io/search?query=product%3Aopenclaw
There's a lot of publicly exposed instances.
jtstowell@reddit
Don’t…expose the admin interface to the Internet.
Vassago81@reddit
Since we're in the sysadmin safe space, we can say it:
Developers are fucking morons.
Not a single clue on how anything works. No idea about security, firewall, BACKUPS, not running everything as admin, etc.
It keeps getting worse, we crossed the event horizon of retardation when dockers became mainstream, and now with AI everything all hope is lost.
OleCuvee@reddit
Fair, but for the same argument I’d say sysadmins are sh8t developers :)
Running openClaw exposed to the internet is a crime against best practices.
On the docker side of the argument ... wait when the unit of computing shrinks from Docker/K8s pod to WASM/WebAssembly... that might make you go crazy...
ZAlternates@reddit
But sysadmins being shit developers (which they actually tend not to be tbh) isn’t a cybersecurity nightmare.
ScreenOk6928@reddit
If sysadmins weren't shit developers they would be developers making 2x the salary, not sysadmins.
Kirk_Kerman@reddit
If it weren't for MBAs everyone else would be making 4x the salary for their specialized expertise, don't do the work of denigrating other professionals (unless they're C-suite).
ScreenOk6928@reddit
Nah, I think it's valid to correct those professing expertise in a field well beyond their scope. Writing PowerShell scripts makes you a developer in the same way using a calculator makes you an accountant (it doesn't).
OleCuvee@reddit
hahaha I love that one "Writing PowerShell scripts makes you a developer in the same way using a calculator makes you an accountant (it doesn't)."
And yea fock MBAs.
ScreenOk6928@reddit
Who exactly do you think creates all the functionality which makes any of these work in the first place?
.... What issue could a sysadmin possibly be taking with Docker of all things? Are you even aware what it is?
NoPossibility4178@reddit
I mean this is like saying that OS exist so devs have to be good at something, not all devs are the same and the vast majority knows their one thing and that's it.
VexingRaven@reddit
Dunno but apparently at least 2 people on this sub get really fired up about it. /u/ZAlternates just blocked me for it.
rantenki@reddit
If by developers you mean sh!tty AI LLMs, because that whole thing is vibe-coded.
stom@reddit
You can say "shitty" on the internet.
rantenki@reddit
I can. I can also not say it (wasn't sure what the sub's rules were, and didn't care enough to check). Weird thing to down-vote for though.
stom@reddit
Redditors tend to downvote self-censorship.
VexingRaven@reddit
You had me up until Docker.
ZAlternates@reddit
His point about docker is it lowers the barrier of entry for a developer. They no longer have to build some security dev/test environments. They just build using docker on their laptop and push to prod.
Obviously I’m exaggerating, kinda.
VexingRaven@reddit
They didn't before either... But docker significantly lowers the barrier to having a reasonably secure dev environment. Separate containers for dev, build, test, etc. is easy to set up and built right into VS Code.
ZAlternates@reddit
Yes yes you like Docker. We get it.
obstreperous_troll@reddit
Except you're talking about an LLM that processes content coming from the internet, and by design is unable to clearly distinguish data from instructions.
CantaloupeCamper@reddit
Counterpoint:
Drive fast, take chances.
jtstowell@reddit
On a personal level, yes. But that isn’t how you run a civilization. And like it or not, we run our civilization on this toxic sludge that our vendors are pleased to call software. Now that we’re vibing this garbage down another 50 notches, it’s probably time to smoke ‘em if you’ve got ‘em. 😆
NoPossibility4178@reddit
But what if I wanna use it while I'm taking a shit and the local wifi is bad there?
Impossible_IT@reddit
Where you taking a shit to? /s
mirrax@reddit
More importantly, is there an AI workflow to route the shit?
Agentic waste is literally the hottest steaming fad.
napkinolympics@reddit
Use tailscale or similar.
CarelessStarfish@reddit
Laughs in default ElasticSearch
junktech@reddit
This is what confused me about it. That thing can in theory alter itself if it seems appropriate, including exposure to internet. I wouldn't consider running it anywhere near a production network.
threetimesthelimit@reddit
So yet another CVE that requires plainly insecure configuration, and this time on multiple levels. The democratization of the Internet was a mistake
NotFunnyVipul@reddit (OP)
Fair point on defaults, but this one hits even locked-down instances, the `/pair approve` command doesn't validate who's approving, it's a code path issue not config. This is the sixth pairing vuln in six weeks, same root cause. Check the full blog for the attack chain and why self-hosted operators are in a continuous patch race here
jojohohanon@reddit
This seems like the /accept bug on twitter a while ago
EViLTeW@reddit
That's a bit hyperbolic.
This only "hits" locked-down instances if there's an inside threat. If there isn't an insider threat, there's no issue (with this specific CVE).
VersaEnthusiast@reddit
Reminds me of this classic
SevaraB@reddit
If you’re running OpenClaw on anything that can talk east/west to anything besides the Internet, it’s a shame there are no Internet licenses or checkpoints because you should have to surrender yours at the nearest one ASAP.
Total client isolation or don’t bother.
escof@reddit
My boss asked me to setup an openclaw instance for him. First thing I did was build a new DMZ VLAN for it.
TimeRemove@reddit
The problem CLAW agents have is that logically they cannot be made safe no matter what.
Let's assume, just for the sake of argument, someone sets up a new VLAN, firewalled off, on their own hardware. Fully isolated. OK, but now you want to actually use the CLAW agent to do something useful, you need to...
And their usefulness is exactly proportional to how much "stuff" you give it; but also insecurity is exactly proportional to how much "stuff" you give it. So you can give it nothing, while making it safe, or give it everything while making it dangerous.
By their very nature, the idea is "act as me" but create a pipe so this extra "me" can be told what to do; and it will happily do more or less whatever it is told.
PS - And this doesn't even touch on the fact that there is no way to fully prevent instruction-injection, even sub-agents aren't a hard boundary - You can trick subagents into returning instructions to their caller.
escof@reddit
Agreed which is why we don't allow our Open Claw to have access to PII or confidential information. Just using it for API work to 3rd party sites. I won't get into it too much but if that data got stolen it wouldn't matter.
dllhell79@reddit
IMO if you're running any unknown AI product locally, you are insane.
SevaraB@reddit
Exactly. I say client isolation instead of total network isolation only because the actual AI model isn't local. Least privilege access... just enough to test and keep it far, far away from anything else.
CeC-P@reddit
I assumed you just meant by OpenClaw itself when it decided to take a very direct approach to something you told it to do, then gave it access to for some reason.
Big_Booty_Pics@reddit
How is this only an 8.6?
BemusedBengal@reddit
Probably because OpenClaw itself is an 8/10 CVE by design. It's literally malware (by any reasonable understanding of the word) and people are willingly giving it root access.
Nanocephalic@reddit
Openclaw should definitely not be banned, because I love hearing all the stories about people who use it and immediately get owned.
ThatITguy2015@reddit
I need to look into what it is. I keep hearing delicious stories about idiots getting popped, but know nothing about what they use this for.
Blork39@reddit
It basically lets an LLM handle all your emails, messages. It's potentially a powerful idea but implemented with almost no guardrails meaning its also a potential footgun of epic proportions.
Even if it's not hacked or deletes your entire mailbox like it did to that lady at Meta, it won't know that you might not like to discuss the same stuff with your boss as with a competitor, or with your girlfriend as with your parents etc. And of course even if it did it has no way of knowing those are who they say they are.
It's an interesting proof of concept. It's pretty insane to let it loose on your real digital identity.
ThatITguy2015@reddit
Oh god no. Just no. I agree that in a perfectly executed way that understands interactions with the different personas and which people verifiably fit into those personas during interactions, I see some promise.
Knowing current state of most products, especially “AI”-related ones, you get what you ask for when using those. No “S” in “AI”, etc., etc.
UPGRADED_BUTTHOLE@reddit
They should leave this vulnerability in to punish the echoborgs.
Logical-Nightmare@reddit
Darwin award CVE
BERLAUR@reddit
I treat OpenClaw the same way I treat SSH root access. You put it behind multiple layers of security and you make damn sure it's never accessible by anyone who isn't me.
OpenClaw is pretty cool for what it does but it sure is an insecure, unstable, piece of crap. I can't wait for someone to come up with a decent, stable and secure successor. The sooner we get rid of OpenClaw, the better.
tiffanytrashcan@reddit
I really don't get what it offers that a coding setup and properly configured MCPs don't.
For example, OpenWork, an OpenCode fork/plugin/GUI gives you telegram or chat app access, Scheduled/keepalive pings, on top of internet, search and file system access provided by opencode. You don't even need that. There's plenty of MCP servers to translate a telegram bot.
Projects like Vision-MCP-Manager let your LLM explore and install new ones as needed. (This is bordering on nearly as dangerous as open claw IMO, certainly just as powerful.)
Cswizzy@reddit
It's called Hermes.
Blork39@reddit
That isn't enough. Openclaw can also be exploited through things like prompt injection. And in other ways that don't necessarily give you system access. For example someone can trick it into divulging information through WhatsApp if it's managing that for you.
RegisteredJustToSay@reddit
Check out https://github.com/HKUDS/nanobot. It's python, a lot smaller and isn't a pain in the ass to run in an isolated docker environment. Also supports MCP tools, as a nice little bonus.
I'm not claiming any of these are strictly "safe", I mean you're letting an idiot savant bot run around with proverbial knives, scissors and loaded guns in the end, but I'll settle for easy to configure and restrict.
Le_Vagabond@reddit
you know full well the people using this abomination don't treat it like this.
definitely darwin award CVE.
HighRelevancy@reddit
That's just the way everything should be that you don't specifically need internet access to. Especially with so many flexible VPN tools out there.
mrgrosser@reddit
Hey guys, just chiming in here… seems like all of us are running openclaw on a public IP.. who knew that would be dangerous?!?!? Jeez, not me. Are the people posting this just telling their openclaw instance to post this garbage for clickbait?
harpiaharpyja@reddit
Nice try
Loudergood@reddit
You're right, all our users should have root access to all internal systems.
Falcon_Rogue@reddit
Not sure if you all saw this: https://www.linkedin.com/posts/omarshahine_tldr-new-job-at-microsoft-bringing-openclaw-activity-7444774663504879616-a7Zr
Omar Shahine Microsoft
TL;DR: New Job at Microsoft. Bringing OpenClaw + personal agents to Microsoft 365!
CantaloupeCamper@reddit
I just assumed the moment I did ...
_wbmr_@reddit
I made a decision to never jump on a hype train after seeing how Crypto, NFT, Pre-Orders, Kickstarters etc went...
Some may make a lot of money in any hype, but most of them are losing everything.
OpenClaw has to be the dumbest hype I have ever seen...
Tymanthius@reddit
Where's that guy who was talking about how he just set everything up w/ ssh and other admin creds for a bunch of stuff?
ansibleloop@reddit
What you need to do is not use OpenClaw
For fuck sake during the setup it asks for access to your accounts
Only a moron would do that - you deserve to be owned
LesbianDykeEtc@reddit
Lol, lmao even.
hissen_raii@reddit
Now we need to design a worm that exploits this vuln to upgrade openclaw :P
(semi-serious)
ThePixelHunter@reddit
The FBI is known to do that from time to time.
checkpoint404@reddit
But it's AI, so it's only going to improve your infrastructure.
Bad_Idea_Hat@reddit
A strange coincidence that I've noticed, is in the place of the people who believed crypto would solve every problem, are the people who believe AI will solve every problem.
OfferSilent3938@reddit
It's strange that the people who see the value in verifiable data also see value in the frontier of compute. Coincidence really.
hlloyge@reddit
Now read that in Pointy-Haired Boss's voice.
DavePastry@reddit
Lol I haven't watched that show in god knows how long but I was still able to hear the PHB's voice perfectly reading his comment.
surloc_dalnor@reddit
Missing out on the best CVEs.
VectorB@reddit
Sure am lucky that our infrastructure never gets vulnerabilities!
NotFunnyVipul@reddit (OP)
you're so naive if u think so, best of luck
FarmboyJustice@reddit
Obvious sarcasm
TommyVe@reddit
Read like a half satire. Surely could not be meant seriously, right? Surely.
5redie8@reddit
Come on guys... I was hoping we'd be better than AI generated text posts here :(
New-Potential-7916@reddit
Exactly my thinking. As soon as I saw the "and it hits hard" my eyes just glazed over and I stopped reading.
DeerOnARoof@reddit
Thanks for the heads up! Though I feel if you're running OpenClaw you kinda deserve it.
remghoost7@reddit
I'm fairly against OpenClaw across the board.
The insane astroturfing surrounding the release is suspicious at best.
But if you are going to run it, at least do it properly.
RabidTaquito@reddit
100%. No sympathy from me. In fact, I'll outright laugh at them.
Pilebsa@reddit
I have to assume if you're given OpenClaw access to various credentials, the mothership has now ingested that into the cloud LLM, so at some point in the future, with the right prompting, people will be able to reveal access to your resources.
Jmc_da_boss@reddit
"Fork found in kitchen"
deadnerd51@reddit
Doesn’t this still rely on a poorly configured environment that is publicly exposed? As in, only people too lazy or too uneducated to lock down their environments would be exposed? Sysadmin 101 is don’t trust anything and don’t leave things publicly exposed.
peeinian@reddit
Yeah but it’s gained enough hype that I’ve got random staff with no idea what they are doing trying to set it up with it.
Our MDR detected an SSH attempt from one of our managers' laptops in a very non-technical role trying to connect to a personal external VPS he paid for and then set up OpenClaw. He only followed some AI generated walkthrough.
Our firewall doesn’t allow random outbound SSH connections so it was blocked anyway but it really shows how pervasive it can get.
deadnerd51@reddit
But that’s why we are there. To configure things so that those that have no idea what they are doing can’t just try things like this willy nilly. Our firewall blocks most unapproved, unauthorised AI providers, blocks random outbound SSH, blocks most random outbound connections outside of authorised applications, and where possible we use ports different to the typical standard ports. Users are gonna do what users do best, it’s our responsibility to stop them or at least make it very difficult for them to screw things up.
srekkas@reddit
So perfect bot farm?
kerubi@reddit
”If you are running OpenClaw, you probably got hacked” - clearly you have no idea how OpenClaw works. Huge majority of instances are not publicly accessible.
Impossible-Rip8524@reddit
AI Slop post with more AI slop responses by OP. This still needs that a malicious actor is able to pass input into your openclaw instance, which makes most implementations not vulnerable.
GeneralCanada67@reddit
ai post
ImCaffeinated_Chris@reddit
His account is older than yours by miles.
CrowNailCaw@reddit
He still using AI to write his posts though x)
NotFunnyVipul@reddit (OP)
really?
ranthalas@reddit
I mean... it is a post about Ai so technically he's not wrong 😉
roiki11@reddit
The gift that keeps on giving.
Suitable_Ball_2835@reddit
This one's for r/ShittySysadmin