💼VentureBeat•Mar 16, 2026Stalecollected in 4h

OpenClaw Bypasses EDR, DLP, IAM Silently

Post LinkedIn

💼Read original on VentureBeat

#agent-security #prompt-injection #credential-leakageopenclaw

💡OpenClaw evades EDR/DLP/IAM—3 attack surfaces threaten agent security now

⚡ 30-Second TL;DR

What Changed

Embeds malicious instructions in emails for semantic exfiltration via normal OAuth API calls

Why It Matters

Enterprises face stealthy data breaches from AI agents performing 'normal' actions, undermining trust in agentic workflows. Rapid community fixes exist but fail against core semantic attacks, demanding new defense paradigms.

What To Do Next

Audit exposed OpenClaw instances with Bitsight and implement malicious skill detection.

Who should care:Enterprise & Security Teams

🧠 Deep Insight

Web-grounded analysis with 9 cited sources.

🔑 Enhanced Key Takeaways

•OpenClaw has experienced a cascade of at least 10+ CVEs since January 2026, with CVE-2026-25253 (CVSS 8.8) enabling one-click RCE through WebSocket token exfiltration, patched in version 2026.1.29 released January 30, 2026[1][5]
•Six additional vulnerabilities were disclosed by Endor Labs in February 2026, including SSRF bugs (CVE-2026-26322, CVSS 7.6), missing webhook authentication (CVE-2026-26319, CVSS 7.5), and path traversal flaws, with some having public exploit code available[3]
•SecurityScorecard reported tens of thousands of misconfigured OpenClaw instances exposed to the public internet, enabling threat actors to gain full access to corporate systems the instances can interact with[3]
•Multiple authentication and access control failures persist: missing WebSocket origin validation, localhost trust bypass behind reverse proxies, guest mode privilege escalation, and exposed mDNS broadcasts revealing filesystem paths and SSH availability[4]
•Indirect prompt injection via web browsing (CVE-2026-22708) allows attackers to embed hidden CSS-invisible instructions in webpages that the agent's scraper reads, turning the web into a command-and-control channel[4]

🛠️ Technical Deep Dive

•CVE-2026-25253 exploitation chain: Attacker crafts malicious link with gatewayUrl parameter → victim clicks while authenticated → applySettingsFromUrl() stores attacker-controlled endpoint → WebSocket connection sends authentication token, device ID, and public key → attacker captures token and reconnects to legitimate gateway with stolen credentials[1]
•Privilege escalation mechanism: Attacker disables sandbox by setting 'exec.approvals.set' to 'off' and escapes Docker container by setting 'tools.exec.host' to 'gateway', achieving full RCE on host system[1][5]
•WebSocket vulnerability root cause: Control UI trusts gatewayUrl from query string without validation, auto-connects on load, and sends stored gateway token in WebSocket connect payload; server accepts connections from any origin due to missing origin validation[5]
•CVE-2026-24763 command injection: Unsafe handling of PATH environment variable in Docker sandbox execution mechanism allows authenticated users controlling environment variables to influence command execution within container context[6]
•Indirect prompt injection mechanism: OpenClaw does not sanitize web content before feeding into LLM context window; attackers create webpages with hidden CSS-invisible instructions that agent's scraper reads and interprets as system commands[4]
•Authentication bypass vectors: Missing gateway authentication by default in many deployments, localhost connections auto-approved, guest mode logic error retains tool trigger permissions despite downgraded session, and mDNS broadcasts expose infrastructure details[4]

🔮 Future ImplicationsAI analysis grounded in cited sources

OpenClaw's widespread unauthorized deployment (30k+ exposed instances) combined with persistent authentication bypasses creates a critical supply-chain attack surface for enterprise systems

Misconfigured instances with no gateway authentication enable threat actors to compromise corporate systems that OpenClaw instances can interact with, as documented by SecurityScorecard[3]

The semantic exfiltration attack surface (indirect prompt injection via web content) may prove more difficult to defend against than traditional code injection due to LLM interpretation variability

Unlike patched code vulnerabilities, prompt injection exploits leverage the agent's natural language processing capabilities, making detection and prevention dependent on content sanitization rather than input validation[4]

Rapid CVE disclosure (10+ vulnerabilities in 2.5 months) suggests OpenClaw's security posture may lag behind enterprise adoption rates, creating a widening vulnerability window

The pace of vulnerability discovery from multiple security vendors (depthfirst, Endor Labs, Snyk) indicates ongoing architectural weaknesses that patch cycles alone may not resolve[3][4][5]

⏳ Timeline

2026-01

CVE-2026-25253 (CVSS 8.8) discovered: one-click RCE via WebSocket token exfiltration; patched in version 2026.1.29 released January 30

2026-02

Endor Labs discloses six additional vulnerabilities including SSRF (CVE-2026-26322), missing webhook authentication (CVE-2026-26319), and path traversal bugs; three CVEs have public exploit code

2026-02

SecurityScorecard reports tens of thousands of misconfigured OpenClaw instances exposed to public internet with full system access risk

2026-02

Snyk audit reveals 36% of ClawHub skills contain security flaws; threat actors already targeting agents with infostealers

2026-03

GitHub security advisories track 158 security advisories across February 2-March 9 period; 51 high-severity issues identified (32% of total)

📎 Sources (9)

Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.

💼Read original article on VentureBeat

📰

Weekly AI Recap

Read this week's curated digest of top AI events →

👉Related Updates

Same topic

Explore #agent-security

Same product