OpenClaw privilege escalation vulnerability(nvd.nist.gov) |
OpenClaw privilege escalation vulnerability(nvd.nist.gov) |
[[attacking project creators when they show up to discuss their work is particularly harmful; please don't ever do that here]]
[[[if you posted any of these, we'd appreciate it if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on]]]
I see you haven't heard of Microsoft...
- "You're absolutely right. One should read and understand their own code. I did, and it looks great"
All new technology has issues. Figure it out.
Especially if you're spending $3k per month on inference, have the model fix the agent.
I suppose the idea is to wait for someone else to productize it.
Lazy.
OpenClaw is probably entering a phase of it's life where prototype-grade YOLO processes (like what the tweet describes) aren't going to cut it anymore. That's not really a criticism, the product's success has over vaulted it's maturity, which is a fortunate problem to have.
Who wants the fame must also take the blame.
Especially if they create a dangerous tool.
Edit: there was another case of this recently:
https://news.ycombinator.com/item?id=47576107
https://news.ycombinator.com/item?id=47576084
The point is that mob dynamics do more damage to the community than the threads add value, and protecting the community has to be the high-order bit.
Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.
Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.
Please don't fulminate. Please don't sneer.
Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.
The guidelines still apply, even if you feel negatively towards a project and its creator. Indeed it's even more important to make the effort to heed the guidelines for topics you feel negatively towards (after all, it's easy to be respectful about things we feel positively towards).
> Just trying to figure out where the line is
It's not really about a line, it's about the qualitative style of discussion we’re here for. HN is for people who like to build things and work on interesting new projects, and have curious conversations about what they're building. Projects that are new and built in different ways than what has come before will always be easy to criticise from a position of conformity to historical conventions, but if we all thought that way, nothing new would ever be built.
> I do think snark is a valid form of criticism sometimes
Not on HN. Thoughtful criticism is fine, and the very first two words of the “In Comments” section of the guidelines are “be kind”.
> but it's your house after all
That's not how we think about it. We’re custodians of this place and our role is to keep it a healthy place for discussion among intellectually curious hackers. It takes daily work and effort to uphold the guidelines and keep the standards up so that it doesn’t become the hellscape of negativity that it's often stereotyped as being.
The use of terms like “moral bankruptcy” is exactly what the guidelines ask us to avoid, indeed explicitly so with the phrase “Assume good faith”.
Part of the challenge of participating on HN is to be able to come into contact with people who see and do things differently (including building software projects in a way that's different from the way we consider proper) and find a way to recognize that they are still acting in good faith and deserving of basic courtesy.
This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
* 135k+ OpenClaw instances are publicly exposed
* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
Is this accurate? This is definitely a very different picture then the one you paint
What exactly does this mean? You have contracts with these companies? People who work for them contributed sometimes in the past to openclaw repository?
NVIDIA is contributing to the security of OpenClaw via NemoClaw.[0]
Not sure about ByteDance and Tencent.
Most of these larger players are interested in supporting anything that helps grow the ecosystem so broadly.
That user said that they use OpenClaw to scrape city meetings for context so that they can more efficiently participate in local politics. You then attacked them, accusing them of "leaving AI slop comments on public city meetings", which isn't what they said they were doing at all.
I see absolutely no problem in using AI to summarize large quantities of information (such as a collection of city meeting notes). Summarization is one of the places that AI really shines right now, and if it helps people wrap their head around what is happening in their communities, good!
I understand a healthy skepticm of AI. Everyone should have some degree of that. But maybe avoid the urge to publicly shame people for their use of AI, especially on a site like this where that won't be received well. Or, if you're going to offer criticism, show some tact.
I can understand why, but given that OpenClaw has taken over the world, I find the lack of a ShowHN somewhat interesting.
Currently we're at 1.8 CVEs per day since OpenClaw launched!
Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
I do disagree about unix system were designed for this kind of stuff. Unix was not designed for an agent to act like you and take decision for you...
Putting data and instructions in the same memory was always a bad idea - LLMs just took this to the extreme by making data and instructions the same thing.
Not too much harder is using a VM:
With Apple's open-source container tool, you can spin up a linux container vm in ~100ms. (No docker root)
With Apple virtualization framework, you can run macOS in a VM (with a separate apple id).
Right, these are system accounts. They don't have access to anything except their own home folder and whatever I put in their .bashrc. `sudo` is a pretty easy sandbox by itself and lets me manage their home folders, shell, and environment easily just with the typical Unix-isms. No need for mounting VM disks, persisting disk images, etc.
I don't need virtualization to let Claude Code run. I just let it run as a "claude" user.
If you're running OpenClaw, you probably didn't get hacked in the last week.
Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263
https://github.com/openclaw/openclaw/commit/5643a934799dc523...
A malicious web page runs JavaScript that makes a fetch() or XMLHttpRequest to http://localhost:CLAWPORT — your browser executes that from your machine, so it bypasses your router/firewall entirely. If OpenClaw is listening on localhost with no auth, the browser just connects to it. Same-origin policy doesn’t save you because the request originates from your own machine.
(I’ve never used any of them.)
So you take the output of an LLM, which is obviously impossibly to guarantee correct, and use that to choose a tool and execute it. Like, send an email or whatever. And you take the input for that LLM not only from prompts, and various files, but also your system and random stuff you download from the internet.
I am telling you people, this is lunacy. No good can come of this.
Run it as root it will have root caps, run it as ritcgab it will have ritcgab's caps. Same as every other program.
Or inviting any legal or regulatory scrutiny.
They don’t even read the code in any serious capacity so excuse me for not taking any assessment of the situation from him too seriously. Might as well just ask Claude Code to assess it yourself.
Welcome to the world vibe coding created. The fun is only just beginning.
Hard disagree. Vibe coding isn't responsible for people not doing the slightest due diligence when running this (pardon my French) shit. You can vibe code stuff and keep it at a much higher quality. And you can check who did the vibecoding and how they approached it, so the burden also falls on the person running the stuff to understand what they're running. This isn't an enterprise level application that has a full team behind it that had an issue. This is a pandora's box vibecoded overnight for fun, full of stuff we don't even know about, that was opened the moment you touched it with a stick.
Shipping at the speed of inference for real.
But coding is solved? Why do you need those guys if all they do is use claude code? Just have it solve it overnight. You forgot to prompt "make it secure pls"?
My belief, is the people who post this quote thinking it's some big win are the same people who are upset they can't post "stochastic parrot" anymore.
And we all saw how that went.
LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.
This is bad.
Too much focus on shipping features, not enough attention to stability and security.
As the code base grows exponentially, so does the security vulnerability surface.
However:
> Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
I'd say that it's a given that we live in a world when your LAN is infested with compromised and hostile devices: from phones (spying devices) to home automation (spying chinese webcams) to TVs (with the TV's microphone listening 24/7 to everything people are saying) to chinese routers (which, yup, have backdoors for the chinese state) to that corean soundbar to really whatever enshittied device the world of enshittified turds we live in can come up with.
It is a fact of life that compromised, insecure, backdoored and at times all three of these shall find their way to our homes and appartments...
And it shouldn't be an issue.
What I mean by this: machines could be scanning my local networks and even maybe determine that this box at this IP is running Linux and... It still should be able to do exactly jack fucking shit with that information.
We must all learn to secure our devices for the Internet of Insecure and Enshittified Things is moving forward at godspeed. And if you think OpenClaw on its own device on your LAN is bad, wait until all the companies that were already selling enshittifed devices since years realize they'll now be able to enshittify those even more by slapping OpenClaw (or the equivalent) on their devices.
These insecure turds are all going to get a big boost of insecuredness, this time AI powered.
I'd say: bring it on. I'm ready. We all should be.
Vibe coding obviously doesn’t make something insecure, per se, but saying it doesn’t reduce the attention paid to any given line of code, or encourage less knowledgeable people to write code, seems pretty dubious to me.
The Claude Code team is clearly competent and professional, yet they accidentally published the proprietary source code for one of the world’s hottest products. That’s like a Bank manager walking away with the keys in the door and alarm disarmed. When’s the last time you heard of a human team of developers doing that?
Again, I’m not saying that vibe coding necessarily creates unsafe code, but I don’t see how anyone could say vibe coding was devoid of security implications. I think this is an organizational/logistical problem that we’ll figure out at some point, but in think it’s going to be more of a C buffer overflow ‘figured out’ that never really goes away.
Steinberger has said he doesn’t look at (most) the code.
Right. It’s always the people. They just tend to bodge things. All the time. So when there’s new foot guns, the inevitable will happen.
It also have mine automatically grabs a spot at my gym when spots are released because I always forget.
I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.
seems far more efficient/reliable to get codex/claude code to write and set up a bot that does this.
The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.
I think devs are too focused on the technical what did u build with it.
For example. My brother runs a small recruiting agency. Super nontechnical. Out of nowhere he asks me about openclaw. Then with no help, he sets it up and uses it. Still no help, he has all kinds of nonsense hooked up and running blowing through tokens. He is blown away by it and wants to get it for all of his employees. He thinks about it in terms of cost per min running and not in tokens.
This is the sticky gooey value to whatever openclaw is doing.
I say to it: check my pending tasks on Todoist and see if you can tackle on of those by yourself.
It then finds some bugs in a webapp that I took note. I tell it to go for it, but use a new branch and deploy it on a new url. So it clones the repo, fix it, commit, push, deploy, and test. It just messages me afterwards.
This is possible because it has access to my todoist and github and several other services.
Sometimes it toils away for 2+ hours, spawning Claude Code instances, checking its work, testing the code, even using browser automation to make sure everything works the way it is supposed to if it's writing a webapp.
In the end, it consumes like $10-20 worth of tokens and spits out a functional application with everything I asked for.
Claude Code can do this on its own, to an extent, but there's something about getting OpenClaw to iterate through multiple sessions and testing everything to make sure it works the way I described that I really like. It completely offloads the process to the AI, and keeps me mostly out of the loop.
Is the code any good? Probably not. Am I at risk of being exploited by malware? Probably. But I have automated quite a lot of things with the software that OpenClaw builds for me, and I am careful to review the libraries it imports before running the code on any machine with actual access to anything I actually care about.
Personally, anyone using OpenClaw for the "it reads your emails" use case is crazy, because prompt injection is real, and you're basically inviting anyone who knows your email address to take a stab at pwning you, with full access to your personal life. I keep my instances on a VPS, behind a restrictive security group, and only accessible via Tailscale where it has zero access to anything on my tailnet. I only recently gave it its own email account (not mine!), but even then I am skeptical of doing so, and take efforts to prevent it from taking action on any email it receives (e.g., disabling the Heartbeat) because who knows what it'll end up doing. I mostly like that it can email me if I ask it to.
[0] https://itmeetsot.eu/posts/2026-03-27-openclaw_webfetch/
...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)
and I've treated it like it's already been compromised the whole time.
The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.
So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.
In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.
[EDIT: I truly down understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]
My interpretation is that 135k instances are vulnerable, but of those there's more conditions that need to be met, specifically:
These need to be multi-user systems where there are users with 'basic pairing' privileges. Which I don't think is very common, most instances are single-user.
So way less than the 135k number. I think a more accurate title would have been "If you're running OpenClaw, you are probably vulnerable" but not "you probably got hacked", that's just outright false and there's no evidence that the exposed users were ALL hacked.
> What does Telegram/Discord have to do with anything? The OP never mentioned either of these software suites. In fact the only mention of Telegram anywhere in the entire thread is you copy-pasting this exact message.
Yesterday I did care. Today? Not so much. Welcome climate change, we fully deserve it.
Otherwise I would say “you may have been hacked” not “you probably have been hacked”.
/s
But he already did this. With a bonus of it will continue to work in the future if something breaks or changes. Human time is more precious than computing resources nowadays.
I think Simon Willison said it best some weeks ago: He's capable of writing a bot like this - both before and after LLMs came on the scene. However, the reality is he never wrote one, despite wanting to many times.
Yet in just 2-3 weeks of using OpenClaw[1], I did this a few times.
Recall a year or so ago in the early days of vibe coding when people kept saying "I don't need AI to write code. It does a crap job and I can do it myself. Who needs LLMs to do it?" - You'd get lots of people countering with "Oh, in a few weeks I've written lots of automations that I'd been thinking about for months/years - that I likely would never have written without AI coding tools".
The key is the lower barrier to producing something. OpenClaw is to using CC to write that bot as using CC was to writing code by hand. I can be doing work, shopping, etc and when an idea pops into my head, I casually send a note to my Claw instance (voice or text) asking it to look into it or try making it. It doesn't do a great job, but the expectations of success are similarly low. But when it does do precisely what you need it to: Oh boy, you're happy that it saved you time, etc.
[1] I no longer run it, for very boring reasons.
You say that, but you also say
> I’m not an openclaw user
Your first statement makes the second one rather obvious.
As I said some weeks ago, I've given up pointing out on HN: "Well, you could just not give it your data" only to be repeatedly told (by non-users) that the whole point is to give it all your data.
And the myth continues...
> Clears your inbox, sends emails, manages your calendar, checks you in for flights. > All from WhatsApp, Telegram, or any chat app you already use.
The _entire point_ is "give me access to email, calendar, whatsapp, telegram, and I'll do your admin".
> "Well, you could just not give it your data"
This is the "you're holding it wrong"[1] argument
[0] https://openclaw.ai/.
[1] https://www.engadget.com/2010-06-24-apple-responds-over-ipho...
But isn't that what you're doing?
Every single submission on HN has threads where people point out how it's useful to them without giving it access to much/any data. What is the benefit of pointing out what the homepage is saying other than to imply that we are holding it wrong?
And what does it say about you that you're going off based on marketing on a website rather than actual, competent tech users who actually weild the tool?
Until recently Gentoo boasted performance as a reason to use it. Yet as someone who's been in the community for over 20 years, I can assure you the majority of users didn't care about the performance and aren't optimizing their builds for it. Who cares what the site says?
That doesn’t mean this isn’t a critical vulnerability, and I think it’s insane to run OpenClaw in its current state. But the current headline will burn your credibility, because 80% of users will be fine with no action, and they’ll take future security issues less seriously as a result.
I feel like just filtering this comment out is a mistake. I use AI, and I think there is a place for it, but if a colleague said "Here's a PR, I didn't even review it" I'd send it back and say "Well you better review it!"
How AI is used is 100% a topic for debate, ranging from "All AI is bad" to "there will be no coding, just vibes". You agree with this right? That there are a range of developers who believe different things all along this spectrum, and that for some developers un-reviewed code is the CAUSE of bad code.
If you think you need to give it the keys to your kingdoom to be useful, you are not actually experimenting with this stack but regurgitating the words of others. I really don't understand the mindset of comments like this.
I’m also not sure that the distinction of dev makes much of a difference in this space because chatbot marketing works pretty damn hard to imply everybody is a prompt away from being a developer. How are those people going to know that they aren’t even qualified to make any given technical decision, let alone evaluate the output of a confident chatbot that’s magically writing programs for them?
I'd also instantly hit Claude Desktop's rate limits with this I reckon. Since Claw uses APIs, you bypass those limits and can route the messy scraping to cheap models, saving expensive ones for the actual analysis. It also handles Playwright integration and state persistence out of the box so a crash doesn't wipe your progress.
If I'm wrong, I'm open to learning. I'm as new to this as everyone :)
For example you mentioned playwright? That can be automated. It doesn’t need to be a free form tool that the agent uses at will.
If that means the scripts need to be adopted to changes, then that’s a separate, controlled workflow.
This approach can save you a ton of tokens, increasee reliability and observability, and it saves compute as well.
Sometimes it‘s useful to let the agent do things fully agentic, so you can then iteratively extract the deterministic parts.
Nooope. Reread the thread from my comment up: they were arguing about whether that percentage of users warranted saying ‘probably’ in the headline. Nobody was even questioning the numbers at that point. Just people taking it at face value, getting defensive, and trying to minimize what it said.
Do you so stringently examine most CVEs? I’ll bet you don’t. Are you a big fan of this project? I’ll bet you are. Do you have any actual data to counter what they said or do you just sort of generally not vibe with it? If so, now would be a great time to break it out while this is still fresh. If not…
My main takeaway message is: models (even opus4.6) do not follow security "instructions" reliably. In OpenClaw, they added security warnings, tags, random IDs... None of these countermeasures work reliably. Even sandboxing can be escaped (not in the classical sense using vulnerabilities, but using multi-layered prompt injection payload with natural language only)[0]. As soon as untrusted content is injected in the context, do not trust any actions downstream.
CaMeL is imho safer, but hard to implement into modern agents like OpenClaw. Its core idea is that a privileged LLM plans from the (trusted) user request only, while a restricted interpreter executes that plan (and enforces policies). Untrusted content is parsed separately and is not fed back into the privileged LLM.
Modern agents are useful exactly because they run a feedback loop (observe, reason, adapt, use tools, repeat). CaMeL breaks that loop, which improves security but makes it a poor fit for highly general agents like OpenClaw.