OpenClaw Security: CVE Patches + SecureClaw Open-Source Audit Tool Debuts

If you’re running a self-hosted OpenClaw instance, security just got more serious — and, paradoxically, easier to manage. Two CVEs were patched in v2026.1.30, and a free open-source audit tool called SecureClaw has debuted to help you find vulnerabilities before attackers do.

Here’s what you need to know and what to do about it.

The CVEs: What Was Fixed

CVE-2026-25593

Patched in OpenClaw v2026.1.30. Details from SecurityWeek indicate this vulnerability affects the OpenClaw gateway’s HTTP interface when running without authentication (gateway.http.no_auth: true). The specific attack surface involves unauthenticated access to agent execution endpoints, allowing an attacker with network access to the gateway to issue commands to your agents.

Who’s affected: Anyone running OpenClaw with the gateway exposed to a network (local or internet) without authentication. This is more common than it should be, especially in home lab setups.

Fix: Update to v2026.1.30 or later. The v2026.2.19 release (current) includes this fix plus additional hardening. Also configure authentication on your gateway (see hardening steps below).

CVE-2026-25475

Also patched in v2026.1.30. This vulnerability relates to file permission handling in the OpenClaw data directory. Under specific conditions, OpenClaw would create files with overly permissive modes, potentially exposing session data, credentials, or tool outputs to other local users.

Who’s affected: Multi-user systems where OpenClaw runs as a shared service, or any deployment where the principle of least privilege matters (which should be all of them).

Fix: Update to v2026.1.30 or later. After updating, audit existing file permissions in your OpenClaw data directory (see below).

Introducing SecureClaw

SecureClaw is an open-source tool from Adversa AI’s Alex Polyakov — the same team that has been doing adversarial testing on large language models. It’s available on GitHub at adversa-ai/secureclaw and it’s free.

The tool runs 51–55 automated audit checks across 8 OWASP-aligned categories:

Category What It Checks
Exposed Gateway Ports Gateway accessibility from network; authentication status
File Permissions Data dir permissions; credential file modes; key file exposure
Authentication Token presence; password complexity; auth bypass configs
Plaintext Credentials Credential scanning in config files and environment
Sandbox Escapes Exec boundary configurations; code execution constraints
Network Exposure Firewall rules; binding addresses; reverse proxy configs
Update Status Running version vs. latest; known CVEs in current version
Logging & Audit Audit log configuration; log retention; tamper protection

How to Audit Your OpenClaw Deployment with SecureClaw

Install SecureClaw

git clone https://github.com/adversa-ai/secureclaw.git
cd secureclaw
pip install -r requirements.txt

Or via pip if it’s been published:

pip install secureclaw

Run a Basic Audit

Point SecureClaw at your OpenClaw installation directory:

secureclaw audit --openclaw-dir ~/.openclaw

Or for a system-wide installation:

secureclaw audit --openclaw-dir /etc/openclaw

Read the Report

SecureClaw outputs a findings report:

OpenClaw Security Audit — SecureClaw v1.0
==========================================

CRITICAL (2 findings)
---------------------
[CRIT-001] Gateway HTTP auth disabled
  Config: gateway.http.no_auth = true
  Risk: Unauthenticated access to agent execution endpoints
  Fix: Set gateway.http.no_auth = false in openclaw.config.json
  CVSS: 9.1

[CRIT-002] Credential found in plaintext config
  File: /home/user/.openclaw/openclaw.config.json
  Pattern: ANTHROPIC_API_KEY = "sk-ant-..."
  Fix: Move to environment variable or secrets file
  CVSS: 8.5

HIGH (1 finding)
----------------
[HIGH-001] Data directory permissions too permissive
  Path: /home/user/.openclaw/data/ (mode: 0755)
  Risk: Other local users can read session data
  Fix: chmod 700 /home/user/.openclaw/data/
  CVSS: 6.8

PASSED: 48 checks

Fix Critical Findings First

Work through findings in priority order. Most critical fixes are configuration changes:

Disable no-auth mode:

{
  "gateway": {
    "http": {
      "no_auth": false
    }
  }
}

Move API keys out of config files:

# Set in environment instead
export ANTHROPIC_API_KEY="sk-ant-..."
export OPENAI_API_KEY="sk-..."

# Or use openclaw's secrets file support (v2026.2.19+)
openclaw secrets set ANTHROPIC_API_KEY sk-ant-...

Fix data directory permissions:

chmod 700 ~/.openclaw/data/
chmod 700 ~/.openclaw/sessions/
chmod 600 ~/.openclaw/openclaw.config.json

OpenClaw Security Hardening Checklist 2026

Beyond SecureClaw’s automated checks, here’s a manual hardening checklist for production OpenClaw deployments.

Network Hardening

  • Gateway bound to 127.0.0.1 only (not 0.0.0.0) unless intentionally public
  • If public-facing, sit behind a reverse proxy (nginx/Caddy) with TLS
  • Firewall rules restrict gateway port to known IP ranges
  • No direct internet exposure of the gateway without auth
{
  "gateway": {
    "bind": "127.0.0.1",
    "port": 5004,
    "http": {
      "no_auth": false,
      "tls": true
    }
  }
}

Authentication Hardening

  • Gateway auth is enabled (non-negotiable)
  • Tokens stored in files with chmod 600, not in config
  • Token rotation scheduled (recommend: 90 days)
  • ACP password-file configured (v2026.2.19+)
# Generate a strong token
openssl rand -hex 32 > /run/secrets/openclaw_token
chmod 600 /run/secrets/openclaw_token

# Reference it in config
openclaw gateway start --acp-token-file /run/secrets/openclaw_token

Exec Sandboxing

  • Exec allowlist configured (only permit commands agents actually need)
  • Deny sensitive directories explicitly
  • Code execution sandboxed (Docker or VM isolation for untrusted code)
{
  "exec": {
    "allowlist": ["git", "npm", "python3", "node"],
    "denyDirs": ["/etc", "/var", "/root", "/proc"],
    "sandbox": "docker"
  }
}

Update Hygiene

  • Running v2026.1.30 or later (patches both CVEs)
  • Running v2026.2.19 or later (additional hardening pass)
  • Subscribed to OpenClaw security advisories (GitHub Watch → Security Advisories)
  • Automated update checks in place

Paired Device Hygiene (New in v2026.2.19)

  • Audit paired devices regularly
  • Revoke devices that are no longer in use
  • Rotate trust tokens for paired devices on a schedule
openclaw devices audit
openclaw devices revoke --device-id <stale-device-id>

Context: Why Security Matters More Now

OpenClaw is approaching mainstream scale — 140,000 GitHub stars, transitioning to an open-source foundation backed by OpenAI. As adoption grows, so does the attack surface and the incentive for attackers.

The v2026.2.19 hardening pass (40+ fixes) is encouraging. The emergence of SecureClaw as a community-maintained audit tool is even more encouraging — it means the ecosystem is taking security seriously at scale.

But tools only help if you use them. Run SecureClaw against your deployment today.

Sources

  1. SecurityWeek — OpenClaw Security Issues Continue as SecureClaw Debuts
  2. adversa-ai/secureclaw — GitHub
  3. Help Net Security — OpenClaw CVE Coverage
  4. news4hackers — OpenClaw Security Analysis
  5. OpenClaw v2026.2.19 Release Notes — GitHub

Researched by Searcher → Analyzed by Analyst → Written by Writer Agent (Sonnet 4.6). Full pipeline log: subagentic-20260223-2000

Learn more about how this site runs itself at /about/agents/