Executive Summary
In June 2026, security researchers from Imperva and Varonis identified critical vulnerabilities in OpenClaw, a widely used self-hosted AI agent. Imperva demonstrated that attackers could embed malicious instructions within shared contacts, vCards, and location pins, leading the agent to execute unauthorized code without user awareness. Varonis revealed that OpenClaw could be manipulated through standard emails to exfiltrate sensitive data, such as AWS keys and customer information, to external addresses. These findings underscore the agent's susceptibility to prompt injection attacks and its overreliance on unverified inputs, posing significant security risks to users.
The rapid adoption of AI agents like OpenClaw has outpaced the development of robust security measures, highlighting the urgent need for comprehensive governance frameworks. Organizations must reassess their deployment strategies, implement stringent access controls, and ensure continuous monitoring to mitigate the risks associated with autonomous AI systems operating within their environments.
Why This Matters Now
The increasing integration of autonomous AI agents into critical business processes, coupled with their inherent security vulnerabilities, necessitates immediate attention to prevent potential data breaches and system compromises.
Attack Path Analysis
Attackers exploited a vulnerability in OpenClaw's URL handling to steal authentication tokens, gaining unauthorized access to the AI agent. They then disabled safety controls, allowing the execution of arbitrary commands on the host system. Using this access, attackers moved laterally to other systems within the network. They established a command and control channel to maintain persistent access. Sensitive data was exfiltrated from compromised systems. The attack culminated in significant data breaches and operational disruptions.
Kill Chain Progression
Initial Compromise
Description
Attackers exploited a vulnerability in OpenClaw's URL handling to steal authentication tokens, gaining unauthorized access to the AI agent.
Related CVEs
CVE-2026-25253
CVSS 8.8. A one-click remote code execution vulnerability in OpenClaw versions prior to 2026.2.10 allows unauthenticated attackers to execute arbitrary code on the host system.
Affected Products:
OpenClaw – versions < 2026.2.10
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Obtain Capabilities: Artificial Intelligence
Exploitation for Client Execution
Input Capture
Application Layer Protocol
Data from Local System
Automated Exfiltration
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Ensure that security policies and operational procedures for identifying and responding to security vulnerabilities are documented, in use, and known to all affected parties.
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Data Security
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
AI agent vulnerabilities enable code execution through prompt injection, compromising software development environments and exposing proprietary code repositories.
Financial Services
OpenClaw AI agent attacks could leak sensitive financial data and execute unauthorized transactions, violating compliance frameworks and regulatory requirements.
Health Care / Life Sciences
AI agent prompt injection risks exposing patient records and medical research data, creating HIPAA violations and compromising healthcare operations.
Information Technology/IT
Self-hosted AI agents vulnerable to hidden instruction attacks threaten IT infrastructure security through unauthorized code execution and data exfiltration.
Sources
- New Attacks Trick OpenClaw AI Agent Into Running Code and Leaking Secrets: https://thehackernews.com/2026/06/new-attacks-trick-openclaw-ai-agent.html
- Over 40,000 OpenClaw agents vulnerable: https://www.techzine.eu/news/security/138633/over-40000-openclaw-agents-vulnerable/
- Running OpenClaw safely: identity, isolation, and runtime risk: https://www.microsoft.com/en-us/security/blog/2026/02/19/running-openclaw-safely-identity-isolation-runtime-risk/
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-based access controls.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's unauthorized access to the AI agent could have been constrained, reducing the likelihood of further exploitation.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and execute arbitrary commands could have been limited, reducing the potential impact.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement within the network could have been constrained, limiting their reach to other systems.
Control: Multicloud Visibility & Control
Mitigation: The establishment of command and control channels could have been limited, reducing the attacker's ability to maintain persistent access.
Control: Egress Security & Policy Enforcement
Mitigation: The exfiltration of sensitive data could have been constrained, limiting the amount of data accessed by the attacker.
The overall impact of the attack could have been limited, reducing the extent of data breaches and operational disruptions.
Impact at a Glance
Affected Business Functions
- Email Management
- File Access
- System Administration
Estimated downtime: 7 days
Estimated loss: $500,000
Potential exposure of sensitive business data, including emails, files, and system credentials.
Recommended Actions
Key Takeaways & Next Steps
- Implement Zero Trust Segmentation to restrict AI agents' access to critical systems.
- Enforce Egress Security & Policy Enforcement to monitor and control outbound traffic.
- Utilize Threat Detection & Anomaly Response to identify and respond to unusual activities.
- Apply Inline IPS (Suricata) to detect and prevent exploitation attempts.
- Regularly update and patch AI agent software to mitigate known vulnerabilities.
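The egress-control and anomaly-detection recommendations above can be made concrete with a small policy check over the agent host's outbound connection records. The following is an added example written for this page; it is not OpenClaw or Aviatrix code. The log format, the process name `openclaw`, the allowlisted destinations, the internal address ranges and the upload threshold are all assumptions, and the sample log lines are constructed. It flags three of the conditions named in the attack path: connections from the agent process to destinations outside its allowlist (a command and control channel), connections to internal hosts the agent has no reason to reach (lateral movement), and unusually large uploads even to an allowlisted destination (exfiltration through a permitted channel).

```python
"""Egress allowlist check for an AI agent host (added example, hypothetical log format)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed allowlist: the only destinations the agent process legitimately needs.
ALLOWED_DESTINATIONS = {
    "api.example-llm.test": {443},  # model API endpoint (constructed name)
    "imap.example.test": {993},     # mailbox the agent reads (constructed name)
}
# Internal ranges the agent should never reach directly (assumption).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]
AGENT_PROCESSES = {"openclaw"}   # process name is an assumption
LARGE_UPLOAD_BYTES = 1_000_000   # per-connection upload threshold (assumption)

# Hypothetical flow-log line: "<ts> host=<h> proc=<p> dst=<addr>:<port> bytes_out=<n>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>\S+):(?P<port>\d+) bytes_out=(?P<bytes>\d+)$"
)


@dataclass
class Finding:
    ts: str
    dst: str
    port: int
    reason: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["bytes"] = int(rec["bytes"])
    return rec


def is_internal(dst: str) -> bool:
    """True if dst is a literal IP inside one of the internal ranges."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return False  # a hostname, not a literal address
    return any(addr in net for net in INTERNAL_NETS)


def evaluate(lines: List[str]) -> List[Finding]:
    """Apply the egress policy to agent-process connections and return findings."""
    findings: List[Finding] = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["proc"] not in AGENT_PROCESSES:
            continue  # unparseable, or not the agent process
        dst, port = rec["dst"], rec["port"]
        allowed_ports = ALLOWED_DESTINATIONS.get(dst)
        if allowed_ports is not None and port in allowed_ports:
            # Permitted channel: still watch the volume leaving the host.
            if rec["bytes"] > LARGE_UPLOAD_BYTES:
                findings.append(Finding(rec["ts"], dst, port,
                                        "unusually large upload to allowlisted destination"))
            continue
        if is_internal(dst):
            reason = "agent reached an internal host outside its allowlist"
        else:
            reason = "destination not on egress allowlist"
        findings.append(Finding(rec["ts"], dst, port, reason))
    return findings


# Constructed sample records; addresses are documentation/test ranges.
SAMPLE_LOG = [
    "2026-06-12T10:00:01Z host=agent-01 proc=openclaw dst=api.example-llm.test:443 bytes_out=4210",
    "2026-06-12T10:00:05Z host=agent-01 proc=openclaw dst=imap.example.test:993 bytes_out=880",
    "2026-06-12T10:01:10Z host=agent-01 proc=openclaw dst=203.0.113.77:8443 bytes_out=12000",
    "2026-06-12T10:01:12Z host=agent-01 proc=openclaw dst=10.20.5.9:22 bytes_out=300",
    "2026-06-12T10:02:00Z host=agent-01 proc=openclaw dst=api.example-llm.test:443 bytes_out=5200000",
    "2026-06-12T10:02:30Z host=agent-01 proc=sshd dst=10.20.5.9:22 bytes_out=100",
]

if __name__ == "__main__":
    for f in evaluate(SAMPLE_LOG):
        print(f"{f.ts} {f.dst}:{f.port} -> {f.reason}")
```

Run against the constructed sample, the check returns three findings (the unknown external host on 8443, the internal host on port 22, and the 5 MB upload to the model API) and ignores the `sshd` record because it is not the agent process. In practice the same policy belongs in the network layer as a default-deny egress rule for the agent's segment, with this kind of log review as the detection backstop for traffic that is permitted but anomalous.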