OpenClaw security crisis — patches, supply-chain exploit, phishing, CVEs, hardening, China guidance & Anthropic blocks
Key Questions
Why is updating to OpenClaw 4.9 critical?
OpenClaw 4.9 includes critical patches for SSRF, ENV/node exec, plugins, and dreaming memory vulnerabilities. Earlier versions are at high risk of exploits like ClawJacked and RCEs, including CVE-2026-25253 (patched) and CVE-2026-32042 (unpatched). Immediate updates are urged to mitigate supply-chain exploits, phishing, and other security issues.
What security guides and resources are available for OpenClaw?
CAAIIA's lifecycle risk guide and self-inspection tools align with NSFOCUS, CNCERT, Kaspersky, and Red Hat recommendations. Red Hat provides guidance on building resilient guardrails for OpenClaw AI agents on Kubernetes. Sophos conducted pentests revealing findings from running OpenClaw on internal networks, promoting secure stacks like NemoClaw + Ollama.
What is ClawJacked in relation to OpenClaw?
ClawJacked refers to RCE vulnerabilities affecting OpenClaw, such as CVE-2026-25253 (patched in v4.9) and CVE-2026-32042 (still unpatched). These exploits highlight supply-chain risks and node execution issues. Users should update and follow hardening guides to prevent compromise.
How has Anthropic responded to OpenClaw?
Anthropic has blocked OpenClaw access and introduced fees for using Claude models with it. This follows concerns over heavy usage and security. Alternatives and discussions on 'now what' are emerging in response.
What secure deployment options exist for OpenClaw?
Sophos recommends secure stacks like NemoClaw + Ollama based on pentest results. Red Hat offers Kubernetes guardrails for resilience. Follow CAAIIA, NSFOCUS, CNCERT, and Kaspersky guides for hardening and self-inspection.
v4.9 critical patches SSRF/ENV/node exec/plugins + dreaming mem; CAAIIA lifecycle risk guide/self-inspection aligns NSFOCUS/CNCERT/Kaspersky/Red Hat; ClawJacked/RCEs (CVE-2026-25253 patched, CVE-2026-32042 unpatched); Anthropic blocks/fees; Sophos pentest/secure stacks (NemoClaw+Ollama).