Security

The OpenClaw RCE That An AI Found in 2 Hours — And How to Close It

April 18, 2026 · 8 min read

TL;DR In January 2026, security firm Ethiack pointed their autonomous AI pentester at a live OpenClaw Gateway and found a 1-click account takeover leading to Remote Code Execution — in under 2 hours, with no human guidance. The CVE is patched, but the threat model it revealed is permanent. Here's what it means for your deployment and the hardening checklist that actually closes the gaps.

Most people running OpenClaw are thinking about use cases — what tasks to automate, which models to connect, how to wire up their channels. Security is an afterthought, if it's a thought at all.

Then January 2026 happened.

Security research firm Ethiack deployed Hackian, their autonomous AI pentester, against a live OpenClaw Gateway instance. No human guidance. No pre-existing knowledge of the target. Two hours later, they had a working 1-click Remote Code Execution chain that could compromise any user who clicked a single link.

The vulnerability was reported January 26, patched in main January 28. But the threat model it exposed didn't go away with the patch.

The Four Ways OpenClaw Deployments Get Compromised

The Ethiack research, combined with the 82 CNNVD-cataloged vulnerabilities from early 2026, reveals a consistent pattern. Incidents cluster into four categories:

1. Identity & Access Failures

Shared operator accounts with no separation
Long-lived API tokens reused across dev and production
No distinction between admin-level and operator-level actions
Gateway exposed to the public internet without authentication

2. Prompt & Tool Execution Abuse

Prompt injection from external sources hijacking agent behavior
Overly broad tool permissions (exec enabled with no allowlist)
Browser automation running against authenticated sessions with no guard rails
Webhook handlers accepting payloads without validation

3. Secret & Data Leakage

API keys visible in logs or shell history
PII passed into agent context without masking
Secrets stored in plaintext config files tracked by git

4. Weak Monitoring

No audit log for high-risk actions (exec, config changes, message sends)
No anomaly alerts — attacker has unlimited dwell time
No tested incident response playbook

🔴 The Ethiack finding in plain English

If your OpenClaw Gateway is reachable from the internet and you haven't explicitly locked down auth, tool permissions, and exec access — you have a version of the same exposure they found. The specific CVE is patched. The attack surface it lived in is not automatically gone.

The Hardening Checklist (Operational Baseline)

🔒 Identity & Auth

Gateway is NOT exposed on a public IP without auth
Discord/Telegram access limited to specific user IDs, not open DMs
API tokens rotated and stored in .env (gitignored)
Separate tokens for dev and production environments

🔒 Tool Permissions

Elevated exec requires explicit approval (requireApproval: true)
Elevated exec allowFrom locked to known user IDs only
Web fetch has a domain allowlist (not open to any URL)
Message tool limited to approved channels
No tool group permissions broader than what's needed

🔒 External Content

Running 2026.4.14+ (external content sandboxing active)
Webhook payloads validated before processing
Agent does not act on instructions found in fetched web content

🔒 Secrets & Data

.env in .gitignore — verified clean with git log -p -- .env
No API keys hardcoded in SOUL.md, AGENTS.md, or any tracked file
Logs reviewed — no secrets appearing in output

🔒 Updates

Running latest OpenClaw (openclaw --version)
Update cadence defined — checked at least weekly
Rollback plan exists if an update breaks something

The Config That Closes Most of It

This isn't a complete hardened config — every deployment is different. But this covers the highest-leverage settings:

{
  "tools": {
    "elevated": {
      "enabled": true,
      "requireApproval": true,
      "allowFrom": ["your-discord-user-id-here"]
    },
    "webFetch": {
      "allowlist": [
        "docs.openclaw.ai",
        "github.com/openclaw"
      ]
    },
    "message": {
      "allowChannels": ["discord"]
    }
  },
  "channels": {
    "discord": {
      "dmPolicy": "pairing",
      "groupPolicy": "allowlist"
    }
  }
}

⚠️ Don't set it and forget it

Config hardening is a point-in-time snapshot. Every new plugin, skill, or channel you add expands the attack surface. Review permissions when you add something new — not just at setup.

What the Ethiack CVE Tells Us About AI Agents Generally

The most unsettling part of the Ethiack finding wasn't the vulnerability itself — it was the speed. An AI pentester found and validated a critical RCE chain in under 2 hours against a live production target.

That's the new baseline. Attackers don't need to be experts anymore. They can point AI tools at exposed services and let them probe autonomously. The bar for "secure enough" just got significantly higher.

For OpenClaw operators, this means the era of "it's probably fine, I'm not a big target" is over. AI agents running with production access are, by definition, high-value targets. Treat them like it.

✅ Good news

The patching timeline was fast — 2 days from report to fix. The OpenClaw team takes security seriously. Your job is to stay current and apply the controls above.

When to Get a Professional Audit

The checklist above handles the obvious gaps. But there are deployment-specific risks that need eyes on your actual config: How are your skills structured? What does your SOUL.md reveal about your business operations? Are your webhook endpoints authenticated? What tools does your agent have that you've forgotten about?

That's what a ClawReady security audit covers. We review your full deployment — config, skills, channels, exec permissions, secrets hygiene — and give you a prioritized fix list. $49 flat, about an hour.

Get Your OpenClaw Deployment Audited

We'll find the gaps before an AI pentester does. $49 flat — full config review + prioritized fix list.

Book a Security Audit →