[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"article-openclaw-flaw-exposes-ai-admin-hijack-risk-en":3,"tags-openclaw-flaw-exposes-ai-admin-hijack-risk-en":30,"related-lang-openclaw-flaw-exposes-ai-admin-hijack-risk-en":42,"related-posts-openclaw-flaw-exposes-ai-admin-hijack-risk-en":46,"series-blockchain-5101ffbf-7ea9-4baa-b5e2-64729ff55b20":83},{"id":4,"title":5,"content":6,"summary":7,"source":8,"source_url":9,"author":10,"image_url":11,"keywords":12,"language":18,"translated_content":10,"views":19,"is_premium":20,"created_at":21,"updated_at":21,"cover_image":11,"published_at":22,"rewrite_status":23,"rewrite_error":10,"rewritten_from_id":24,"slug":25,"category":26,"related_article_id":27,"status":28,"google_indexed_at":29,"x_posted_at":10,"tweet_text":10,"title_rewritten_at":10,"title_original":10,"key_takeaways":10,"topic_cluster_id":10,"embedding":10,"is_canonical_seed":20},"5101ffbf-7ea9-4baa-b5e2-64729ff55b20","Openclaw Flaw Exposes AI Admin Hijack Risk","\u003Cp>Openclaw has crossed a dangerous line: a framework built for local use is now running on more than 135,000 internet-exposed instances across 82 countries. Certik’s March 31 study says that shift has created an “unbounded” attack surface, with more than 100 CVEs and 280 security advisories in just four months.\u003C\u002Fp>\u003Cp>The headline issue is CVE-2026-25253, a critical flaw that can let an attacker seize full administrative control after a single malicious click. If that sounds familiar, it should: this is what happens when an AI tool gets promoted from hobby project to production system without the security model to match.\u003C\u002Fp>\u003Ch2>What Certik says went wrong\u003C\u002Fh2>\u003Cp>Certik’s report argues that Openclaw was designed around a “trusted local environment,” then got deployed in places it was never meant to live. Once users started putting it on public servers, the old assumptions broke down. Authentication was disabled by default in many deployments, and that left API keys, chat logs, and other sensitive data exposed in plaintext.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775058389575-b9pg.png\" alt=\"Openclaw Flaw Exposes AI Admin Hijack Risk\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The study also says attackers have found multiple paths in: malicious extensions in the shared “skills” repository, prompt injection hidden in emails and webpages, and remote code execution flaws that were still present until version 2026.1.29. In other words, the problem is not one bug. It is a stack of weak points that line up too neatly.\u003C\u002Fp>\u003Cul>\u003Cli>More than 300,000 GitHub stars\u003C\u002Fli>\u003Cli>Over 100 CVEs in four months\u003C\u002Fli>\u003Cli>280 security advisories in four months\u003C\u002Fli>\u003Cli>135,000+ exposed instances across 82 countries\u003C\u002Fli>\u003Cli>Version 2026.1.29 or later patches known RCE flaws\u003C\u002Fli>\u003C\u002Ful>\u003Cp>That scale matters because AI agents are different from normal web apps. They read content, act on it, and often inherit permissions that would be far too risky for a human script. When a tool has access to tokens, files, browser sessions, and subprocesses, one small failure can turn into a full compromise.\u003C\u002Fp>\u003Ch2>Why the quote matters\u003C\u002Fh2>\u003Cp>Security teams have been warning for years that agentic AI changes the threat model, but this report puts hard numbers behind that warning. The most useful quote in the study is from a lead auditor at Penligent, who explained why the blast radius gets so large when an AI system is allowed to operate inside real environments.\u003C\u002Fp>\u003Cblockquote>“Openclaw has become a case study in what happens when large language models stop being isolated chat systems and start acting inside real environments,” said a lead auditor from Penligent. “It aggregates classic software defects into a runtime with high delegated authority, making the blast radius of any single bug massive.”\u003C\u002Fblockquote>\u003Cp>That wording is blunt, and it should be. The issue is not that Openclaw is “AI” in a vague sense. The issue is delegated authority. Once an AI agent can touch files, tokens, and network resources, every parser bug, extension flaw, and prompt injection trick becomes more valuable to an attacker.\u003C\u002Fp>\u003Cp>\u003Ca href=\"https:\u002F\u002Fwww.certik.com\u002F\" target=\"_blank\" rel=\"noopener\">Certik\u003C\u002Fa> says the platform’s “skills” ecosystem has already been contaminated with malware. Researchers found hundreds of extensions bundling infostealers aimed at saved passwords and crypto wallets. That is the kind of detail that turns a software bug into a direct financial risk.\u003C\u002Fp>\u003Ch2>How Openclaw compares with other AI tools\u003C\u002Fh2>\u003Cp>Openclaw’s security trouble is more severe than the average AI app headache because of how much authority it hands to the runtime. Compare that with a typical chat product, where the main risk is data leakage through prompts or logs. Here, the agent can be tricked into acting on content from emails, pages, and add-ons that look harmless at first glance.\u003C\u002Fp>\n\u003Cfigure class=\"my-6\">\u003Cimg src=\"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775058411015-s188.png\" alt=\"Openclaw Flaw Exposes AI Admin Hijack Risk\" class=\"rounded-xl w-full\" loading=\"lazy\" \u002F>\u003C\u002Ffigure>\n\u003Cp>The comparison also gets sharper when you look at the deployment numbers. A tool with 300,000 GitHub stars and 135,000 exposed instances is no niche utility. It is infrastructure. That means a flaw like CVE-2026-25253 is not a theoretical issue for a small user base; it is a mass-exposure problem.\u003C\u002Fp>\u003Cul>\u003Cli>\u003Ca href=\"https:\u002F\u002Fopenai.com\u002F\" target=\"_blank\" rel=\"noopener\">OpenAI\u003C\u002Fa> chat products usually keep tighter control over execution paths than agent frameworks with plugin ecosystems\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fgithub.com\u002Fanthropics\u002Fclaude-code\" target=\"_blank\" rel=\"noopener\">Claude Code\u003C\u002Fa> and similar developer agents still depend on local permissions, but they do not inherit safety from the environment by default\u003C\u002Fli>\u003Cli>\u003Ca href=\"https:\u002F\u002Fwww.virustotal.com\u002F\" target=\"_blank\" rel=\"noopener\">VirusTotal\u003C\u002Fa> integration can help scan uploaded files, but it does not stop prompt injection or privilege abuse\u003C\u002Fli>\u003Cli>Openclaw’s reported 100+ CVEs in four months is a much denser stream of security issues than most mature developer tools face in the same window\u003C\u002Fli>\u003C\u002Ful>\u003Cp>Openclaw’s developers did partner with VirusTotal to scan uploaded skills, but Certik says that is not enough on its own. That makes sense. File scanning can catch known malware, yet it will not stop a malicious instruction hidden in a webpage from steering an agent into exfiltrating data or running commands it should never see.\u003C\u002Fp>\u003Cp>For readers tracking the broader AI security story, this fits a pattern we have seen across agent tooling: the more autonomy you give the system, the more you need hard permission boundaries. We covered a similar risk pattern in our recent piece on agent permissions in \u003Ca href=\"\u002Fnews\u002Fai-agents-need-stricter-permissions\">AI agents and permission control\u003C\u002Fa>.\u003C\u002Fp>\u003Ch2>What users and enterprises should do now\u003C\u002Fh2>\u003Cp>Certik’s recommendations are practical, and they are more useful than generic “be careful” advice. Developers should define a threat model from day one, keep subprocesses on low-privilege immutable permissions, and isolate the agent in a sandbox that cannot reach production data. If that sounds strict, it is because the software is already being treated as a target.\u003C\u002Fp>\u003Cp>Enterprise teams need to do inventory work, too. The report urges security groups to use endpoint detection and response tools to find unauthorized Openclaw installs inside corporate networks. That matters because shadow deployments are the easiest way for a risky AI tool to slip past central controls.\u003C\u002Fp>\u003Cp>Individual users should update to version 2026.1.29 or later, run the tool only in sandboxed environments, and avoid connecting it to sensitive tokens or wallets. If a workflow needs browser access, file access, and network access all at once, that workflow deserves a second look before it goes live.\u003C\u002Fp>\u003Cp>One more point is worth stressing: treating Openclaw as trusted by default is the wrong move right now. Until the project’s security model catches up with its scale, the safest assumption is that every extension, prompt, and exposed endpoint can be hostile.\u003C\u002Fp>\u003Ch2>Openclaw’s real test is still ahead\u003C\u002Fh2>\u003Cp>Openclaw’s popularity gave it reach before it earned trust, and that mismatch is the core story here. A framework with 300,000 stars can look mature from the outside while still carrying a pile of assumptions that fail the moment it hits the public internet.\u003C\u002Fp>\u003Cp>My read is simple: the next big AI security incident will probably not come from the model itself, but from the agent wrapper around it. If Openclaw’s developers cannot shrink the attack surface fast, expect stricter defaults, more corporate bans, and a lot more security tooling built around AI runtimes rather than the models inside them.\u003C\u002Fp>","Certik says Openclaw’s flaws expose 135,000+ instances, token theft, and admin takeover risk, with CVE-2026-25253 leading the list.","news.bitcoin.com","https:\u002F\u002Fnews.bitcoin.com\u002Fstudy-critical-exploit-in-openclaw-allows-full-administrative-hijacking\u002F",null,"https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1775058389575-b9pg.png",[13,14,15,16,17],"Openclaw","AI security","CVE-2026-25253","prompt injection","Certik","en",0,false,"2026-04-01T13:12:33.481569+00:00","2026-04-01T13:12:33.455+00:00","done","05c3e021-81d8-432f-a705-f3442f4ca860","openclaw-flaw-exposes-ai-admin-hijack-risk-en","blockchain","5be6da8c-feca-4b54-8f27-511da98480b9","published","2026-04-09T09:00:53.375+00:00",[31,33,35,38,40],{"name":14,"slug":32},"ai-security",{"name":15,"slug":34},"cve-2026-25253",{"name":36,"slug":37},"OpenClaw","openclaw",{"name":16,"slug":39},"prompt-injection",{"name":17,"slug":41},"certik",{"id":27,"slug":43,"title":44,"language":45},"openclaw-flaw-exposes-ai-admin-hijack-risk-zh","Openclaw 漏洞揭露 AI 管理風險","zh",[47,53,59,65,71,77],{"id":48,"slug":49,"title":50,"cover_image":51,"image_url":51,"created_at":52,"category":26},"4fff2f0d-27be-4693-8ef1-6b9e94dd53d1","web3-communication-trust-infrastructure-2026-en","Web3 Communication Is Becoming Trust Infrastructure","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778797253042-oimi.png","2026-05-14T22:20:33.794426+00:00",{"id":54,"slug":55,"title":56,"cover_image":57,"image_url":57,"created_at":58,"category":26},"261f5f0f-f863-404d-be2c-1064e6c05eb9","why-bases-x402-protocol-matters-more-than-100m-en","Why Base’s x402 Protocol Matters More Than the $100M Milestone","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778719246895-99at.png","2026-05-14T00:40:21.084384+00:00",{"id":60,"slug":61,"title":62,"cover_image":63,"image_url":63,"created_at":64,"category":26},"debaea26-43fa-48ad-aefc-cb515fa88566","gala-games-web3-gaming-2026-en","Gala Games Finds New Life in Web3 Gaming","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778689263380-q9x0.png","2026-05-13T16:20:43.068732+00:00",{"id":66,"slug":67,"title":68,"cover_image":69,"image_url":69,"created_at":70,"category":26},"6b939445-f4a4-474a-a85f-54a05f4e2f9a","why-lace-20-matters-more-than-cardanos-next-hard-fork-en","Why Lace 2.0 Matters More Than Cardano’s Next Hard Fork","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778681473377-lu3q.png","2026-05-13T14:10:26.725967+00:00",{"id":72,"slug":73,"title":74,"cover_image":75,"image_url":75,"created_at":76,"category":26},"4b1b1e76-b825-4011-b108-eb3da0bd5e2e","why-ethereum-treasury-buying-is-a-bad-bet-en","Why Ethereum Treasury Buying Is Becoming a Bad Long-Term Bet","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778386242176-tk04.png","2026-05-10T04:10:22.329255+00:00",{"id":78,"slug":79,"title":80,"cover_image":81,"image_url":81,"created_at":82,"category":26},"9bbe48b2-19ad-4bbf-bb20-af02e7d15a03","yakovenko-warns-ai-could-crack-pqc-wallets-en","Yakovenko Warns AI Could Crack PQC Wallets","https:\u002F\u002Fxxdpdyhzhpamafnrdkyq.supabase.co\u002Fstorage\u002Fv1\u002Fobject\u002Fpublic\u002Fcovers\u002Finline-1778170258841-108q.png","2026-05-07T16:10:42.813868+00:00",[84,89,94,99,100,105,110,115,120,125],{"id":85,"slug":86,"title":87,"created_at":88},"cdf2780b-1da6-4aca-a87b-f0974b815b03","moonpay-open-wallet-standard-ai-payments-en","MoonPay's Open Wallet Standard Targets AI Payments","2026-03-28T03:08:33.547032+00:00",{"id":90,"slug":91,"title":92,"created_at":93},"f06da3a4-3b15-4c7b-a250-6077505f5119","next-gen-crypto-simulators-ai-web3-training-en","Next-Gen Crypto Simulators Are Getting Smarter","2026-04-01T09:36:34.200192+00:00",{"id":95,"slug":96,"title":97,"created_at":98},"0794f597-b908-402a-b660-729034ffdbf6","rtk-cuts-claude-code-token-spend-en","RTK cuts Claude Code token spend fast","2026-04-01T10:24:29.50277+00:00",{"id":4,"slug":25,"title":5,"created_at":21},{"id":101,"slug":102,"title":103,"created_at":104},"fadea65e-f7c8-41b0-a186-809d21787b4c","how-web3-marketing-changed-in-2026-en","How Web3 Marketing Changed in 2026","2026-04-02T01:36:36.504086+00:00",{"id":106,"slug":107,"title":108,"created_at":109},"88f88741-ff27-41d1-8151-776d0afb9508","ai-agentic-defi-web3-grants-march-2026-en","AI, Agentic DeFi, and Web3 Grants to Watch","2026-04-02T05:51:37.696422+00:00",{"id":111,"slug":112,"title":113,"created_at":114},"43fafe43-772e-48c8-bb95-da8d64cf60e3","why-crypto-is-fixated-on-ai-agents-en","Why Crypto Is Fixated on AI Agents","2026-04-02T05:54:29.121481+00:00",{"id":116,"slug":117,"title":118,"created_at":119},"320ef5e4-fe56-47ab-9a92-290d6fbd3f60","web3-explained-what-it-is-why-it-matters-en","Web3 Explained: What It Is and Why It Matters","2026-04-02T06:15:33.001112+00:00",{"id":121,"slug":122,"title":123,"created_at":124},"f49cffaf-2c57-4f48-9486-7062cca91ba0","trust-wallet-ai-trading-agents-220m-users-en","Trust Wallet Adds AI Trading Agents for 220M Users","2026-04-02T06:24:28.043029+00:00",{"id":126,"slug":127,"title":128,"created_at":129},"2b8501e2-39af-4de3-ade1-29616a58e9fb","trust-wallet-agent-kit-ai-trade-25-chains-en","Trust Wallet's Agent Kit Lets AI Trade on 25+ Chains","2026-04-02T06:27:33.425312+00:00"]