A CVSS 9.9 remote-code-execution vulnerability combined with 341 malicious ClawHub marketplace skills exposed 40,000+ OpenClaw instances, with 12,800 directly exploitable and 78% of deployments still unpatched weeks after the fix shipped.
Security researchers disclosed a near-maximum CVSS 9.9 RCE vulnerability in the OpenClaw gateway component, simultaneously revealing that 341 malicious skills had been uploaded to ClawHub — several masquerading as legitimate crypto-wallet and market tools. Of the 40,000+ internet-exposed OpenClaw instances, 12,800 were directly vulnerable to RCE. Even after patches shipped, adoption was slow: 78% of deployments remained unpatched weeks later, leaving a massive window for exploitation. The intersection of high-value crypto workflows (treasury automation, launch coordination) with a trivially exploitable flaw made this the most severe single-day disclosure in OpenClaw's history.
AFFECTED USERS: ~40,000
The Actual Culprit
The gateway trusted un-authenticated introspection endpoints on the same origin, enabling trivial RCE when combined with a recently added skill-loader API. The marketplace had no signing, staleness, or behavioral checks on uploaded skills.
Any AI-agent marketplace without cryptographic signing, upload review, and behavioral sandboxing is effectively a supply-chain attack surface. Download count alone is a trust signal that can be gamed.
When 78% of the fleet stays on vulnerable versions after 3 weeks, your release channel is broken. Silent auto-upgrade with rollback must be the default for security-critical components.
Treating same-origin or localhost connections as implicitly trusted is a design error in every era, doubly so when browsers can be weaponized to reach it.
Loading comments...