OpenClaw published 13 security fixes on April 9-10, 2026, led by a CVSS 8.7 privilege escalation flaw (CVE-2026-35639) and a CVSS 8.4 arbitrary code execution vulnerability (CVE-2026-35641). It is the largest single CVE disclosure in the project's history, and it arrives after 138 vulnerabilities were documented in 63 days, roughly 2.2 new CVEs per day. The security crisis hits as OpenClaw became GitHub's most-starred software project with 346,000 stars, passing React's 10-year record within months of launch. Now 135,000 exposed instances across 82 countries face critical vulnerabilities, and 63% of them run without any authentication.
The April Security Patch Exposes Fundamental Flaws
CVE-2026-35639, the most severe vulnerability in the April batch, allowed an attacker holding any valid token, even a limited-scope credential, to submit a pairing approval request and receive operator-level session access. The flaw lives in OpenClaw's device.pair.approve handler, which fails to check that the requesting token actually holds the device.pair scope before granting escalated privileges: the handler authenticates the caller but never authorizes the action. CVE-2026-35641 goes further, allowing remote code execution on unauthenticated instances with no credentials at all. Both vulnerabilities are remotely exploitable, and every instance running an OpenClaw version older than 2026.4.5 is affected.
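To make the authenticate-versus-authorize gap concrete, here is an added Python example. It is not OpenClaw's code: the token store, the scope names other than device.pair, the device IDs and the function names are all hypothetical. It puts the handler pattern described above next to a version that checks the scope before handing out the escalated session.

```python
from dataclasses import dataclass

REQUIRED_SCOPE = "device.pair"   # the scope the article says the handler must require


@dataclass(frozen=True)
class Token:
    token_id: str
    scopes: frozenset


@dataclass(frozen=True)
class Session:
    role: str       # "operator" is the escalated role handed out on approval
    token_id: str


class AuthError(Exception):
    """Raised when a request is rejected; a real handler would map this to 401/403."""


# Constructed token store (hypothetical): one operator-grade credential and one
# narrow read-only credential of the kind the article calls "limited-scope".
TOKEN_STORE = {
    "op-1": Token("op-1", frozenset({"device.pair", "messages.read", "messages.send"})),
    "ro-7": Token("ro-7", frozenset({"messages.read"})),
}

# Constructed set of devices with an outstanding pairing request.
PENDING_PAIRINGS = frozenset({"dev-42"})


def approve_pairing_vulnerable(token_id: str, device_id: str) -> Session:
    """The pattern described for CVE-2026-35639: the handler checks that the
    token is *valid* but never that it is *authorised* for this action."""
    token = TOKEN_STORE.get(token_id)
    if token is None:
        raise AuthError("unknown token")
    if device_id not in PENDING_PAIRINGS:
        raise AuthError("no pending pairing request for device")
    # Authentication succeeded, so an operator session is issued.
    # Nothing above looked at token.scopes.
    return Session(role="operator", token_id=token_id)


def approve_pairing_fixed(token_id: str, device_id: str) -> Session:
    """Same flow with the missing authorisation check: the caller must hold
    the scope that covers the specific privileged action it requests."""
    token = TOKEN_STORE.get(token_id)
    if token is None:
        raise AuthError("unknown token")
    if REQUIRED_SCOPE not in token.scopes:
        # Fail closed before touching any state; do not reveal which scopes exist.
        raise AuthError("token not authorised for pairing approval")
    if device_id not in PENDING_PAIRINGS:
        raise AuthError("no pending pairing request for device")
    return Session(role="operator", token_id=token_id)


def escalates(handler, token_id: str, device_id: str = "dev-42") -> bool:
    """True if `handler` turns the given token into an operator session."""
    try:
        return handler(token_id, device_id).role == "operator"
    except AuthError:
        return False


if __name__ == "__main__":
    for name, handler in (("vulnerable", approve_pairing_vulnerable),
                          ("fixed", approve_pairing_fixed)):
        print(f"{name:10s} read-only token -> operator? {escalates(handler, 'ro-7')}")
        print(f"{name:10s} operator token  -> operator? {escalates(handler, 'op-1')}")
```

The regression test worth keeping is the read-only case: a token whose only scope is messages.read must never come out of the handler with an operator session. The difference between the two handlers is that authorization is resolved per action, not inferred from the token merely being valid.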
This isn't theoretical risk. With 135,000 exposed instances, 63% of them unauthenticated, these flaws are exploitable from the internet right now. The 180 startups built on OpenClaw, which together generate more than $320,000 per month, face an immediate patching deadline or complete compromise. The message is simple: update to 2026.4.5, or accept that anyone who finds your exposed port has full control of your bot.
138 CVEs in 63 Days Signals Architectural Crisis
The April patch didn't appear in a vacuum. Between February 2 and April 4, 2026, security researchers documented 138 CVEs across OpenClaw, an average of 2.2 new vulnerabilities per day over the 63-day window. The severity breakdown: 7 Critical and 49 High. Joel Gamblin's public tracker logged 137 security advisories in the same period, roughly one new advisory every 15 hours for two months straight.
Earlier CVEs show the pattern. CVE-2026-32922, a CVSS 9.9 token-rotation privilege escalation, ranks among the year's most severe cloud-native vulnerabilities. CVE-2026-25253, dubbed "ClawBleed," enabled one-click remote code execution via cross-site WebSocket hijacking. CVE-2026-33579 allowed silent admin takeover: anyone holding the lowest access level could approve their own request for full administrative control. CVE-2026-29607 abused OpenClaw's "allow always" feature: approving a safe-looking wrapped command once recorded the approval against the wrapper rather than the full command, so an attacker could later swap the payload inside the wrapper and get RCE without triggering a new prompt.
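The "allow always" problem is an approval cache keyed on the wrong thing. The following added Python example is mine, not OpenClaw's implementation: the class and function names, the choice of the first two argv elements as the "wrapper", and the sample commands are all hypothetical. It shows a wrapper-keyed cache next to one keyed on a hash of the full command, plus a stricter policy that refuses to persist approvals for interpreter wrappers at all.

```python
import hashlib
import shlex
from typing import Callable, List

Argv = List[str]

# Interpreters whose real payload is an argument, not the program itself.
INTERPRETER_WRAPPERS = {("bash", "-c"), ("sh", "-c"), ("zsh", "-c"),
                        ("python", "-c"), ("python3", "-c"), ("node", "-e")}


def wrapper_key(argv: Argv) -> str:
    """The pattern the article describes for CVE-2026-29607: the approval is
    remembered against the wrapper (e.g. `bash -c`), so anything that follows
    the wrapper inherits the approval."""
    return " ".join(argv[:2])


def full_command_key(argv: Argv) -> str:
    """Hardened: hash the complete, shell-quoted argv so that a different
    payload is a different key and prompts again."""
    canonical = " ".join(shlex.quote(a) for a in argv)
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


class ApprovalCache:
    """Remembers 'allow always' decisions for tool commands (hypothetical)."""

    def __init__(self, key_fn: Callable[[Argv], str], refuse_wrappers: bool = False):
        self._key_fn = key_fn
        self._refuse_wrappers = refuse_wrappers
        self._allowed: set = set()

    def needs_prompt(self, argv: Argv) -> bool:
        return self._key_fn(argv) not in self._allowed

    def allow_always(self, argv: Argv) -> None:
        if self._refuse_wrappers and tuple(argv[:2]) in INTERPRETER_WRAPPERS:
            # Stricter policy: an interpreter wrapper is never persisted,
            # only approved one invocation at a time.
            raise PermissionError("persistent approval refused for interpreter wrapper")
        self._allowed.add(self._key_fn(argv))


# Constructed commands: what the user saw and approved, and what runs later.
APPROVED = ["bash", "-c", "ls -la ~/projects"]
SWAPPED = ["bash", "-c", "cat ~/.ssh/id_ed25519"]


def payload_swap_prompts(key_fn: Callable[[Argv], str]) -> bool:
    """Approve APPROVED once with 'allow always', then ask whether SWAPPED
    would trigger a new prompt. False means the swapped payload runs silently."""
    cache = ApprovalCache(key_fn)
    cache.allow_always(APPROVED)
    return cache.needs_prompt(SWAPPED)


def wrapper_can_be_persisted(key_fn: Callable[[Argv], str]) -> bool:
    """Whether the strict cache accepts an 'allow always' for a bash -c wrapper."""
    try:
        ApprovalCache(key_fn, refuse_wrappers=True).allow_always(APPROVED)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print("wrapper-keyed cache prompts on swapped payload:", payload_swap_prompts(wrapper_key))
    print("full-command cache prompts on swapped payload:", payload_swap_prompts(full_command_key))
    print("strict cache persists a bash -c approval:", wrapper_can_be_persisted(full_command_key))
```

Hashing the full argv is the minimum fix; the stricter policy reflects that for `bash -c` and friends the user is really approving data, not a program, and data changes.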
2.2 CVEs per day isn't a normal patching rhythm. It signals architectural security problems, not isolated bugs: OpenClaw's authorization layer "trusts what it shouldn't," with a check present in one handler and missing in another. That volume suggests the codebase needs a security redesign, not incremental fixes.
Hyper-Growth Outpaced Security Maturity
OpenClaw launched in November 2025 and hit 60,000 GitHub stars by late January 2026. On March 3, 2026, it surpassed React’s 250,000 stars—a milestone React took over 10 years to reach. By April 2026, OpenClaw reached 346,000 stars. Creator Peter Steinberger joined OpenAI in February 2026, and OpenClaw moved to an independent non-profit foundation supported by OpenAI. The ecosystem exploded: 180 startups built on OpenClaw, 67% of indie hackers building around it generate revenue, and 34% hit four figures in their first month.
The problem? During this explosion, 135,000 instances were exposed to the internet with 63% running without any authentication. Developers rushed to adopt OpenClaw—production deployments, paying customers, critical infrastructure—before security foundations were solid. The “move fast and break things” ethos collided with reality when “breaking things” means RCE on 135,000 machines handling local files, browser state, SaaS sessions, and command execution.
An OpenClaw maintainer’s Discord warning captures the tension: “If you can’t understand how to run a command line, this is far too dangerous of a project for you to use safely.” A more critical assessment put it bluntly: “OpenClaw failed because a tool built in an hour for one person ended up running on 135,000 machines before anyone asked who was responsible for it.”
What Developers Should Do
If you're running OpenClaw, update to version 2026.4.5 or later immediately; that release patches all of the April CVEs. Enable authentication, and never run unauthenticated in production. Bind the gateway to 127.0.0.1, never 0.0.0.0, and set a 64-character random gateway token. Block port 18789 at your firewall so that even a misconfigured bind is not reachable from the network. Audit every ClawHub skill before installing it: the January 2026 ClawHavoc campaign found hundreds of malicious skills carrying Atomic Stealer payloads that harvested API keys and injected keyloggers. Run production deployments inside Docker; without that isolation OpenClaw runs with your full user permissions. For remote access, use Tailscale rather than exposing public ports.
The bigger lesson extends beyond OpenClaw. AI agent adoption is outpacing security maturity across the industry. Autonomous tools with access to files, APIs, and command execution create attack surfaces that demand security-first design from day one. OpenClaw's pace of 138 CVEs in 63 days shows that patching alone isn't a viable long-term strategy while architectural flaws persist. Developers evaluating AI agents therefore face a choice: harden security now or wait for the next CVE batch. For OpenClaw specifically, that choice comes with urgency; the next batch is probably already brewing.