Technical CVEs, WebSocket/OAuth hijacks and the ClawHavoc supply-chain campaign

OpenClaw Vulnerabilities & ClawHavoc

The systemic crisis surrounding OpenClaw in 2026 has underscored a convergence of profound vulnerabilities, sophisticated exploitation techniques, and systemic supply chain threats that threaten the integrity of autonomous AI ecosystems and critical infrastructure alike. Driven by a complex web of core CVEs, WebSocket hijacks, OAuth and CLI exploits, and a malicious marketplace poisoning campaign—collectively dubbed the OpenClaw crisis—this situation exemplifies the evolving landscape of AI security threats.

Core Exploitation Vectors and Technical Foundations

At the heart of this crisis are multiple interconnected vulnerabilities that have drastically expanded the attack surface:

WebSocket "ClawJacked" Hijacks: Attackers exploited origin validation failures—often due to misconfigured CORS policies—to hijack active WebSocket sessions between local agents and remote control servers. This vector, dubbed "ClawJacked," allows malicious actors to inject commands, maintain persistent control, and commandeer critical physical systems such as SOARM 101 robotic arms. These hijacks enable physical sabotage, potential operational shutdowns, or safety hazards, especially when agents control industrial or robotic hardware.
OAuth and CLI Exploits: Threat actors craft malicious OAuth tokens designed to bypass validation routines, leading to remote code execution (RCE) and privilege escalation. Since OAuth tokens are pervasive across AI modules, cloud services, and enterprise workflows, such exploits threaten broad ecosystem integrity. Recent incidents have involved token replay attacks, coupled with improper scope validation, allowing attackers to elevate privileges and gain persistent access.
Vulnerabilities Facilitating Exploits: Several CVEs have been central to these attack chains:
- CVE-2026-24764: Enabled token hijacking via Slack API vulnerabilities.
- CVE-2026-26327: Allowed impersonation of AI assistants or users, eroding trust boundaries.
- CVE-2026-27486 & CVE-2026-27487: Facilitated remote code execution on CLI and OAuth components, establishing persistent control channels.
- CVE-2026-29610: A local privilege escalation (LPE) flaw affecting legacy systems, often exploited to gain administrative privileges and long-term footholds. Many unpatched legacy systems remain vulnerable, serving as persistent backdoors.

The ClawHavoc Supply Chain Poisoning Campaign

Complementing these technical exploits, the ClawHavoc operation represents a massive supply chain attack that infiltrated trusted repositories via poisoned AI skills and installer backdoors. Malicious updates disguised as legitimate modules embedded hidden backdoors and payloads, enabling long-term espionage and systemic control across sectors.

A key tactic was search engine manipulation, notably ranking infected installers and modules higher on Bing, significantly increasing their reach. This SEO-driven distribution led to widespread infection, complicating detection, and enabling attackers to infiltrate numerous environments worldwide.

The attack also involved trojanized npm packages—like the "GhostClaw" malware—distributed under the guise of legitimate dependencies. These stealthy payloads could exfiltrate sensitive data, hijack systems, and deploy additional malware, further broadening the attack surface.

Exploitation of Autonomous Agents and Physical Systems

The control over autonomous physical devices remains a critical concern. Attackers leverage WebSocket hijacking to take over agents controlling robotic arms and industrial systems, risking physical sabotage, safety hazards, and operational disruptions. Recent incidents show temporary shutdowns of autonomous factories after targeted exploits, highlighting the real-world dangers.

Moreover, the proliferation of self-preserving AI agents—distributed across platforms like Notion, Gmail, and edge devices—has become an attack vector. For example, in March 2026, Vivek V covertly managed 18 OpenClaw AI agents via Notion, demonstrating how popular collaboration tools are increasingly exploited for persistent control.

Industry Response and Recent Security Enhancements

In reaction, the OpenClaw development team launched version 2026.3.8, which introduced critical security patches:

Provenance and Trust: The integration of Advanced Code Provenance (ACP) features ensures cryptographic verification of module origins, addressing supply chain trust issues.
Containment and Recovery: New backup and recovery tools enable rapid restoration following compromise.
Fixes for Critical CVEs: Over 12 vulnerabilities were patched, including key flaws like CVE-2026-29610.
WebSocket Security: The latest release, v2026.3.11, hardened origin validation protocols, effectively eliminating hijack vectors like ClawJacked.

Industry organizations such as Trend Micro have emphasized behavioral monitoring and zero-trust principles to detect anomalous activities linked to these exploits.

Addressing the Expanded Attack Surface

The threats extend into edge devices, mobile platforms, and cyber-physical systems:

Single-board computers like Raspberry Pi and ESP32 are increasingly hosting malicious agents, facilitating persistent covert deployments.
Mobile and local installer attacks—such as trojanized APKs—allow infection directly on user devices.
Control-plane abuse involves exploiting popular platforms like Notion or Google Docs as command-and-control (C2) channels, complicating detection.

Broader Implications and Future Outlook

The OpenClaw crisis exposes systemic trust failures and security gaps in the AI ecosystem. The widespread supply chain poisoning, control-plane exploits, and physical system hijacking threaten public safety, industrial operations, and geopolitical stability.

Critical priorities include:

Enforcing cryptographic signing and origin verification across repositories and marketplaces.
Deploying OS-level containment tools like Sage to limit agent capabilities and detect malicious behaviors.
Ensuring timely patching of vulnerabilities, especially WebSocket origin validation flaws.
Transitioning to offline, air-gapped deployment methods (e.g., U-Claw) for sensitive environments.
Promoting international cooperation to establish regulatory frameworks governing AI security.

Conclusion

The 2026 OpenClaw crisis exemplifies how multi-layered vulnerabilities, sophisticated exploitation techniques, and supply chain compromises can rapidly escalate into systemic threats. While recent patches and security measures have mitigated some risks, threat actors continue to adapt, probing into edge environments, control channels, and physical systems. A collective, proactive defense strategy—centered on trust verification, behavioral analytics, and secure deployment practices—is essential to safeguard the future of autonomous AI systems and the infrastructure they support.

Sources (62)

Updated Mar 16, 2026

Technical CVEs, WebSocket/OAuth hijacks and the ClawHavoc supply-chain campaign

Core Exploitation Vectors and Technical Foundations

The ClawHavoc Supply Chain Poisoning Campaign

Exploitation of Autonomous Agents and Physical Systems

Industry Response and Recent Security Enhancements

Addressing the Expanded Attack Surface

Broader Implications and Future Outlook

Conclusion

OpenClaw & Notion: 11 Things To Set Up In Week One

OpenClaw: The AI Agent Security Crisis Unfolding in Real Time

OpenClaw v2026.3.11: Upgrade Now and Verify the Security Fix

Keep OpenClaw Working While You Sleep 🌜🦞 | by Masanori Takano

Odaily Planet Daily News OpenClaw founder Peter Steinberger | Odaily星球日报 on Binance Square

@mattshumer_: Can anyone @kilocode chat quickly today about their new hosted OpenClaw service?

OpenClaw 3 12 UI, Speed, Reliability, Security

OpenClaw v2026.3.11 - Critical WebSocket Security Patch & Major Features

How I turned a Raspberry Pi 4 into an AI Agent with Openclaw | by Przemek Chojecki | Mar, 2026 | Medium

Show HN: OpenClaw-class agents on ESP32 (and the IDE that makes it possible)

Meta Just Bought an OpenClaw Platform That Got Hacked in 3 Minutes

Dev Community Live: Run OpenClaw Agents Safely - Cloud AI, Zero Data Exposure

GoPlus: 21% of the Top 100 Skills in the ClawHub ecosystem have clear high-risk operations | 律动BlockBeats on Binance Square

Tencent bulk imports all skill packages from ClawHub to create its own platform, responds 'it's a mirror, not an import' causing dissatisfaction from OpenClaw founder | 律动BlockBeats on Binance Square

OpenClaw founder: Tencent SkillHub scraping ClawHub data caused server costs to rise. | PANews

OpenClaw 2.0 is here.

Tencent responds to OpenClaw SkillHub dispute · TechNode

My OpenClaw Kept Breaking - Here's How I Fixed It

China issues new safety rules for OpenClaw. Here are the dos and don’ts | South China Morning Post

How to Build 24/7 AI Surveillance with OpenClaw & Home Assistant

Run OpenClaw Locally with Ollama: The Ultimate Guide | by proflead | Mar, 2026 | Medium

Klaus: asistente IA con OpenClaw listo para founders

OpenClaw Agents vs Sub-Agents: You're Probably Confused (Here's How It Actually Works)

Mastering OpenClaw - How to Configure Multiple Independent Agents - Tencent Cloud

mergisi/awesome-openclaw-agents

What are Skills ? | How are they different from MCPs ?

Fake OpenClaw npm Package Installs GhostClaw Malware

Multi-Agents in OpenClaw: Sub-Agents + Telegram Setup

“Developers Installed This AI Tool… It Stole Everything (GhostClaw Malware)”

OpenClaw 2026.3.8: SSRF Fixes & Hardening

@CharlesVardeman reposted: ClawVault – a persistent memory for AI agents It gives agents a markdown-native...

The Biggest OpenClaw Update Yet... (Ver 3.8 Full Breakdown)

Nvidia to Launch Platform for OpenClaw-Like AI Agents

OpenClaw v2026.3.8 Release: ACP Provenance, Backup Tool, Telegram Dupes Fix, and 12+ Security Patches — Latest AI Agent Platform Update

CISOs in a Pinch: A Security Analysis of OpenClaw | Trend Micro (RU)

OpenClaw Went from Viral AI Agent to Security Crisis in Just Three Weeks

OpenClaw v2026.3.8 - Enhanced Backup, Talk Mode, and Web Search Features

OpenClaw Explained: Baby AGI, Security Threats, Mac Mini Became Everyone's Supercomputer | MOONSHOTS

Install OpenClaw With Ollama on Android Phone | Setup & Run Local AI | Zero Cost | ClawdBot, MoltBot

Agentes Que Nunca Morrem: A Revolução do OpenClaw

快速部署OpenClaw（原Moltbot），集成企业微信AI助手--云服务器

OpenClaw runs my TikTok (here's how)

OpenClaw Ecosystem March 2026: 250K Stars, Shenzhen Gov Support, iPollo Hardware · GitHub

Alex Finn on OpenClaw, Local Agents, and Security | OpenClaw Explained

Show HN: U-Claw – An Offline Installer USB for OpenClaw in China

5/ Use secure open-claw which is part of Abacus AI's Deep Agent to fix the ...

🦀 OpenClaw v2026.3.7 Released The ...

OpenClaw Raises Questions on AI Agents Acting as Trustees

Open-source tool Sage puts a security layer between AI agents and the OS

OpenClaw: The Urgent Security Challenge for Autonomous AI Agents

OpenClaw 3.7 IS INSANE - Here's Why

OpenClaw Day 16 continued: I realize that I have to spin up certain agents ...

计算机：OpenClaw带动AI Agent渗透提速|Clawdbot|云服务|权限管理|谷歌|百度_新浪新闻

China Warns of Security Risks in OpenClaw AI Agent | Binance News on Binance Square

How I Enabled GPT-5.4 in OpenClaw with OAuth (Before Official Support)

Shipping an OpenClaw Skill + OpenAI's Latest Live Test

Building a Clawdbot Skill in Real-Time | Vibe Code With Me EP 005

OpenClaw AI Gone Wrong – Why You Should Be Careful

I Turned Notion Into a Control Plane for my 18 OpenClaw AI Agents | by Vivek V | Mar, 2026 | AWS in Plain English

An OTLP observability plugin for OpenClaw AI agents in Grafana

The hidden risks behind Microsoft’s OpenClaw

CVE Alert: CVE-2026-29610 – OpenClaw – OpenClaw