Takeover-enabling flaws in the popular self-hosted AI agent OpenClaw, plus no-login impersonation in its checker: CVE-2026-62241 and 9 more — update now
A wave of vulnerabilities has hit OpenClaw, the popular self-hosted AI agent used worldwide, letting people do things they shouldn't. Its companion security-checking tool has a critical (9.1) flaw allowing user impersonation with no login. Fixed versions are out: update OpenClaw to 2026.6.9+ and the checker to 0.7.5+. Here are the affected products and how to fix them.
Table of contents
A wave of vulnerabilities has hit OpenClaw, the popular self-hosted AI agent used worldwide, letting people do things they shouldn't. Its companion security-checking tool has a critical (9.1) flaw allowing user impersonation with no login. Fixed versions are out: update OpenClaw to 2026.6.9+ and the checker to 0.7.5+. Here are the affected products and how to fix them.
A wave of vulnerabilities has been disclosed in OpenClaw, the wildly popular tool that lets you hand tasks to an AI just by chatting with it. The flaws let people do things they were never supposed to be able to do. On top of that, "clawvet" — a companion tool that checks OpenClaw add-ons for safety — has a critical (CVSS 9.1) flaw that lets someone impersonate another user without logging in at all. In total, ten issues were published together: nine in OpenClaw itself and one in clawvet. All of them fall between 8.5 and 9.1 on the CVSS severity scale (higher is worse, out of 10).
OpenClaw has passed 370,000 GitHub stars and is reportedly used by several million people a month, making it one of the hottest AI agents (systems that carry out tasks on your behalf) around right now. Many people run it on their own PC or server, including in Japan, where "controlling your AI from LINE" guides are common. The good news is that fixed versions are already out, so the fix is just a software update. Below we walk through what happened, how dangerous each flaw is, and which version to upgrade to.
The key points (3 lines)
- OpenClaw, a popular AI agent, has nine flaws that let someone gain more power than they should. The companion tool clawvet has one critical (9.1) flaw that allows takeover with no login.
- Affected are people who run OpenClaw / clawvet themselves. As of now there are no reports of real-world attacks and nothing is on the U.S. government's list of actively exploited flaws.
- Update OpenClaw to 2026.6.9 or later and clawvet to 0.7.5 or later to be safe. Don't leave it unpatched.
What is OpenClaw, exactly?
OpenClaw is an AI agent you run on your own PC or server. When you talk to it from an everyday chat app such as LINE, Slack, Discord, or Telegram, an AI works behind the scenes to actually run commands and handle files to get your task done. It was built by Peter Steinberger, known for his Mac development work. After launching in early 2026 it spread fast, and its GitHub star count topped 370,000 — briefly overtaking React as one of the most-starred projects.
Interest in Japan is high too, with many write-ups like "I let OpenClaw operate my Mac from LINE" and LINE integration setup guides. It may look casual, but under the hood it means "handing an AI the power to run commands on your own device." That is exactly why a gap at the boundary of that power matters so much.
The other tool, clawvet, checks whether add-ons ("skills") you bolt onto OpenClaw are safe before you install them. OpenClaw's add-on marketplace has had malicious components slip in before, and clawvet exists as a countermeasure. This time, the most severe flaw was found in that checking tool itself.
What's the problem?
The nine flaws in OpenClaw itself are, roughly, cases where "someone who should only have limited power can go past that limit and take actions they shouldn't." In technical terms these are privilege escalation (a low-privilege party quietly gaining stronger rights) and authorization bypass (slipping past a permission check).
Concretely, a low-privilege caller could reach admin-only features, could approve device pairing (linking a device) without permission, or could slip past the allowlist check for which commands may run. Because OpenClaw actually executes commands through an AI, this kind of gap edges toward "a party with only a narrow entry point being able to operate the device itself." Most of these assume the attacker first has some form of access to that OpenClaw instance — it is not something just anyone can exploit out of nowhere.
The clawvet flaw (CVE-2026-62241) is different in nature and more dangerous. clawvet shipped with a secret meant to prove login status (a kind of password) hard-coded as a default that anyone can read. Using that shared secret, an outsider who hasn't logged in can impersonate other users and read their registration details and API keys (the keys used to connect to external services). That's why its severity, 9.1, is the highest of the batch.
These also warrant attention because they are open-source software distributed widely via npm (the registry where program components are shared). Because so many people pull in the same components, the blast radius is hard to gauge. How to find and fix flaws in that distribution path is something we also cover in our guide to risks hiding in open-source components.
Who would target this, and why?
For the nine OpenClaw flaws, the party to worry about is someone who is already connected to that OpenClaw instance in some form — through a linked chat or an invitation. Think less "a total outsider all at once" and more a participant who was given only limited rights, or someone who slipped into the integration.
Using these gaps, that party would push through admin-level commands or device-linking approvals they were never authorized for, and ultimately try to operate the very PC or server OpenClaw runs on. An AI agent, when asked, reads and writes files, communicates externally, and runs commands. Hijacking that executor gives an attacker "a foothold to do anything on the target's device."
The damage varies by who you are. For an individual user, files on the device and the keys to the various services registered in OpenClaw could be stolen, becoming a springboard to other services. If you run it at a company or organization, it could serve as an entry point into your internal network. As for the clawvet flaw, because an outside third party can impersonate a user with no login, information entrusted to the checking tool could leak directly. That is why updating to the fixed versions below is urgent.
The full list of flaws (most severe first)
Here are the ten issues published together, ordered by severity. All were coordinated and disclosed by VulnCheck, a vulnerability intelligence provider.
| CVE ID | Target | Issue | Severity | Fixed in |
|---|---|---|---|---|
| CVE-2026-62241 | clawvet | Impersonation with no login (hard-coded secret) | 9.1 (Critical) | 0.7.5 |
| CVE-2026-62202 | OpenClaw | Privilege escalation via scheduled jobs | 8.8 (High) | 2026.6.9 |
| CVE-2026-62203 | OpenClaw | Command execution via env-var injection | 8.8 (High) | 2026.6.6 |
| CVE-2026-62207 | OpenClaw | Authorization bypass to admin-only features | 8.8 (High) | 2026.6.5 |
| CVE-2026-62228 | OpenClaw | Authorization bypass in exec approvals (node) | 8.8 (High) | 2026.6.5 |
| CVE-2026-62217 | OpenClaw | Exec-approval authz flaw in QQ integration | 8.8 (High) | 2026.5.27 |
| CVE-2026-62218 | OpenClaw | Authorization bypass in device-pair approval | 8.8 (High) | 2026.5.27 |
| CVE-2026-62223 | OpenClaw | Device-pair approval bypass (separate path) | 8.8 (High) | 2026.5.18 |
| CVE-2026-62229 | OpenClaw | Exec allowlist matching bypass | 8.8 (High) | 2026.5.18 |
| CVE-2026-62226 | OpenClaw | Internal request forgery via browser control (SSRF) | 8.5 (High) | 2026.5.19 |
CVE-2026-62241: no-login impersonation in the checker clawvet (9.1)
This is the most dangerous of the batch. clawvet's server component (apps/api) shipped with the secret that proves login status hard-coded as the readable default value "clawvet-dev-secret-change-me." An attacker can harvest user IDs from an open endpoint and, with this shared secret, forge a valid login proof. As a result, they can impersonate others with no login and read their email addresses, subscription details, and API keys used to connect to external services. The vendor advisory directs users to update to the fixed version, 0.7.5.
CVE-2026-62202: privilege grab via scheduled jobs (8.8)
A privilege escalation tied to OpenClaw's scheduled execution (cron — running tasks automatically at set times). A party with only low privileges can, through this mechanism, get tasks run with stronger rights than intended. Per VulnCheck's advisory, the fix landed in 2026.6.9.
CVE-2026-62203: command execution via env-var injection (8.8)
When OpenClaw runs a program on the device, environment variables (settings that shape how a program behaves) can be injected from the outside. Abused, this can cause unintended commands to run. The fixed version is 2026.6.6.
CVE-2026-62207 / CVE-2026-62228: authorization bypass to admin features and exec approvals (8.8)
CVE-2026-62207 lets a low-privilege caller use features that should be admin-only. CVE-2026-62228 is the same class of bypass, in command-execution approvals on the node side. Both are fixed in 2026.6.5.
CVE-2026-62217: exec-approval flaw in QQ integration (8.8)
In the integration with QQ (a chat app widely used in China, via QQBot), the approval check for running commands can be bypassed. The fixed version is 2026.5.27.
CVE-2026-62218 / CVE-2026-62223: device-pair approval bypass (8.8)
Approval when linking a device (device pair approve) can be pushed through without the proper rights. There are two issues via different paths: 62218 is fixed in 2026.5.27 and 62223 in 2026.5.18. If pairing approval is hijacked, an attacker's device could be slipped in as a legitimate linked endpoint.
CVE-2026-62229: exec allowlist matching bypass (8.8)
The matching (wildcard/glob matching) in the allowlist that narrows which commands may run is flawed, letting an unexpected path through. It is classified as a path-handling flaw (path traversal). Per VulnCheck's advisory, the fixed version is 2026.5.18.
CVE-2026-62226: internal request forgery via browser control (SSRF, 8.5)
In OpenClaw's browser-control feature (the act route), the current-tab URL check can be bypassed to make it send traffic to internal servers or destinations it shouldn't reach. Attacks that make a server issue requests to arbitrary destinations are called SSRF (server-side request forgery). Because the impact can reach beyond its own scope, the severity is 8.5. The fixed version is 2026.5.19.
Affected versions and fixes
The nine OpenClaw flaws were each fixed in different versions. But you don't have to check them one by one: updating to 2026.6.9 or later covers all nine. For clawvet, 0.7.5 or later is the fixed version. The table below sums up the guidance per product.
| Product | Affected versions | Update to | Action |
|---|---|---|---|
| OpenClaw | Before 2026.6.9 (if using the affected features) | 2026.6.9 or later | Update clears all 9 |
| clawvet | Before 0.7.5 | 0.7.5 or later | Also change the embedded secret |
OpenClaw is distributed via npm, and the versions with fixes can be confirmed in the official CHANGELOG. For clawvet, you are also advised to replace the default secret (password) that was left in place with one of your own after updating. Simply updating isn't enough — unless you actually swap the value, the risk of continuing to use the same secret remains.
What to do right now
If you run OpenClaw or clawvet yourself, first check the version you're running. If OpenClaw is 2026.6.9 or later and clawvet is 0.7.5 or later, these flaws are already resolved. If it's older, updating to the latest is the top priority.
Until you update — or as a precaution anyway — it also helps to keep OpenClaw out of direct reach from the outside. In practice: don't expose it directly to the internet, limit it to chat integrations you trust, and never approve pairing requests you don't recognize. For clawvet, be sure to change the secret still sitting at its default value to one of your own.
None of the ten issues have any reports of actual exploitation, nor are they on the "known exploited vulnerabilities (KEV)" list published by the U.S. agency CISA. No proof-of-concept exploit code has been observed either. That said, an AI agent is a powerful mechanism that can operate a device directly, so being targeted can lead to serious damage. With fixed versions all available now, it's safest to update while you can. You can check whether real-world attacks have begun on our tracker of actively exploited vulnerabilities.
A separate product's flaw disclosed the same day
Note that on the same day as these ten OpenClaw-related issues, VulnCheck also disclosed one flaw in a different piece of software. It's a privilege-escalation flaw in the API extension (grav-plugin-api) of the website-building tool "Grav" (CVE-2026-62233, severity 8.8), fixed in 1.0.6. The nearby CVE number makes it easy to confuse, but it is a separate product unrelated to OpenClaw. Update it only if you use Grav.
Summary
OpenClaw, the most talked-about AI agent right now, has nine flaws that let someone gain more power than they should, and its companion checking tool clawvet has one critical (9.1) flaw allowing no-login impersonation. Precisely because OpenClaw can operate a device directly, a gap at the boundary of that power is no small matter.
The saving grace is that fixed versions are already in place. Updating OpenClaw to 2026.6.9 or later and clawvet to 0.7.5 or later resolves all ten. For clawvet, don't forget to swap out the embedded secret. There are no reports of real attacks yet, but tools that hand an AI the power to run commands carry heavy consequences when hijacked. If you run one yourself, updating sooner rather than later is the way to go.
Sources
- â–¸ NVD - CVE-2026-62241 (clawvet no-login impersonation)
- â–¸ GitHub Security Advisory - clawvet (GHSA-9mww-p953-jfc9)
- â–¸ VulnCheck - clawvet hard-coded JWT secret / session forgery
- â–¸ VulnCheck - OpenClaw privilege escalation via cron (CVE-2026-62202)
- â–¸ VulnCheck - OpenClaw authentication bypass via admin tools (CVE-2026-62207)
- â–¸ VulnCheck - OpenClaw authorization bypass via browser act route (CVE-2026-62226)
- â–¸ VulnCheck - OpenClaw authorization bypass via glob matching (CVE-2026-62229)
- â–¸ OpenClaw - CHANGELOG (list of fixed versions)
- â–¸ OpenClaw - GitHub repository
- â–¸ NVD - CVE-2026-62233 (Grav grav-plugin-api, separate product)

Makoto Horikawa
Backend Engineer / AWS / Django