This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
nightpool 2 hours ago [-]
Can you speak a little bit more to the stats in the OP?
* 135k+ OpenClaw instances are publicly exposed
* 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
Is this accurate? This is definitely a very different picture then the one you paint
rossjudson 1 hours ago [-]
With respect...Security through obscurity is dead. We are approaching the point where only formally verified (for security) systems can be trusted. Every possible attack will be attempted. Every opening will be exploited, and every useful combination of those exploits will be done.
LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.
rybosome 51 minutes ago [-]
According to this[1] your statement that practical risk was low is not accurate.
> The attacker acquires an account or session with operator.pairing scope. On the 63% of exposed OpenClaw instances running without authentication, this step requires no credentials at all — the attacker connects and is assigned base pairing rights.
If that's accurate, then this statement:
> This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
...is only true for the 37% of authenticated OpenClaw instances.
I'm sure it's extremely stressful and embarrassing to face the prospect that your work created a widespread, significant vulnerability. As another software engineer and a human I empathize with the discomfort of that position. But respectfully, you should put your energy into addressing this and communicating honestly about what happened and the severity, not in attempting to save face and PR damage control. You will be remembered much better for the former.
EDIT: more from the source[2]
> The problem: 63% of the 135,000+ publicly exposed OpenClaw instances run without any authentication layer, according to a 2026 security researcher scan. On these deployments, any network visitor can request pairing access and obtain operator.pairing scope without providing a username or password. The authentication gate that is supposed to slow down CVE-2026-33579 does not exist.
> This is the intersection that makes this vulnerability particularly dangerous in practice. The CVSS vector already rates it PR:L (Privileges Required: Low) rather than PR:N — but on 63% of deployed instances, "low privilege" is functionally equivalent to "no privilege."
I guess this is the era of no shame. I know people should realize this project is inherently insecure and that it’s likely you will get hacked if you use it. But why is the creator not even taking any accountability whatsoever —- especially after all the bragging he’s done about shipping fast and not reading any of the code his agents generate?
LucidLynx 1 hours ago [-]
About time to read the code you ship now...
just_once 1 hours ago [-]
Nvidia, ByteDance, Tencent and OpenAI?! Wow!
hmokiguess 1 hours ago [-]
Who are you replying to? The tone of your message seems to indicate you want to address some misinformation, but that isn't found here or in OP's link.
Did OpenClaw write this for you?
popalchemist 2 hours ago [-]
The level of seriousness of your attitude here is not commensurate to the blatant security problem you are creating in the world.
mvdtnz 2 hours ago [-]
What does Telegram/Discord have to do with anything? The OP never mentioned either of these software suites. In fact the only mention of Telegram anywhere in the entire thread is you copy-pasting this exact message.
I don't use OpenClaw, but I still run my Claude Code and Codex as limited macOS user accounts and just have a script `become-agent <name> [cmd ...]` that does some sudo stuff to run as the limited user so they don't have any of my environment or directory access, or really any system-level admin access at all. They can use and write to their home directories as usual, which makes things easier to configure since those CLI harnesses really like when $HOME is configured and works as expected.
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
w10-1 2 hours ago [-]
Yes, if/since that user have no access to your apple id and keychain...
Not too much harder is using a VM:
With Apple's open-source container tool, you can spin up a linux container vm in ~100ms. (No docker root)
With Apple virtualization framework, you can run macOS in a VM (with a separate apple id).
petcat 2 hours ago [-]
> Yes, if/since that user have no access to your apple id and keychain...
Right, these are system accounts. They don't have access to anything except their own home folder and whatever I put in their .bashrc. `sudo` is a pretty easy sandbox by itself and lets me manage their home folders, shell, and environment easily just with the typical Unix-isms. No need for mounting VM disks, persisting disk images, etc.
I don't need virtualization to let Claude Code run. I just let it run as a "claude" user.
sva_ 4 hours ago [-]
> 4. System grants admin because it never checks if you are authorized to grant admin
Shipping at the speed of inference for real.
niwtsol 3 hours ago [-]
Title is a bit misleading, no? You have to have openclaw running on an open box. And the post even says "135k open instances" out of 500k running instances? so a bit clickbait-y
0cf8612b2e1e 3 hours ago [-]
1/5 rounds to “probably” when discussing security.
nickthegreek 3 hours ago [-]
The 135k number appears to be pulled out of thin air? No idea where the 65% comes from. The command the post gives to list paired devices isn't correct. These are red flags.
TZubiri 58 minutes ago [-]
It's pretty reasonable though, a lot of OpenClaw instances are hosted on a VPS, this is not unsafe.
My interpretation is that 135k instances are vulnerable, but of those there's more conditions that need to be met, specifically:
These need to be multi-user systems where there are users with 'basic pairing' privileges. Which I don't think is very common, most instances are single-user.
So way less than the 135k number. I think a more accurate title would have been "If you're running OpenClaw, you are probably vulnerable" but not "you probably got hacked", that's just outright false and there's no evidence that the exposed users were ALL hacked.
mey 3 hours ago [-]
More than 25% of users seems like a pretty accurate "probably".
DrewADesign 3 hours ago [-]
You know you’re getting into zealot territory when people are arguing semantics over the headline pointing to a zero authentication admin access vulnerability CVE that affects a double-digit percentage of users.
earnesti 3 hours ago [-]
Does it really? Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.
DrewADesign 3 hours ago [-]
> Digging up the data from example the 135k instances in the open reeks like bullshit, I would suspect several other claims are exaggerated as well.
Do you so stringently examine most CVEs? I’ll bet you don’t. Are you a big fan of this project? I’ll bet you are. Do you have any actual data to counter what they said or do you just sort of generally not vibe with it? If so, now would be a great time to break it out while this is still fresh. If not…
nickthegreek 2 hours ago [-]
They are pointing out the data provided does not appear to be real. There is no credible link to this 135k number. They do not need to provide a number, as one does not appear to exist.
DrewADesign 29 minutes ago [-]
Well the post was removed so that’s not very promising on their part.
peacebeard 3 hours ago [-]
Today I learned nobody agrees on what the word "probably" means.
SequoiaHope 3 hours ago [-]
Ya I thought it meant “more probable than not” ie 50+%.
Otherwise I would say “you may have been hacked” not “you probably have been hacked”.
lwansbrough 3 hours ago [-]
That is what it means. Unless you're losing an argument on the internet and you need a word to hide behind. ;)
zephen 3 hours ago [-]
You're probably right.
furyofantares 3 hours ago [-]
Here's a statement that's about 3x as true then:
If you're running OpenClaw, you probably didn't get hacked in the last week.
yonatan8070 1 hours ago [-]
This sounds like a classic case of "35% of statistics are made up"
earnesti 3 hours ago [-]
The 135k instances is likely not true at all.
DrewADesign 3 hours ago [-]
It’s also only 65% of those that have zero authentication configured, according to that post (which I have done nothing to confirm or challenge at all… Frankly I wouldn’t touch OpenClaw with a ten foot… cable?) That said, I think it’s far more important to get people’s attention who might otherwise not realize how closely they need to pay attention to CVEs than it is to avoid hyperbole in headlines.
codechicago277 3 hours ago [-]
Not if this is crying wolf and causing those same people to ignore the very real security risks with using OpenClaw.
DrewADesign 3 hours ago [-]
How is 20% of users getting pwned ”crying wolf” by any reasonable measure? This is a zero authentication admin access vulnerability.
codechicago277 1 hours ago [-]
Because 20% is not “probably got hacked” and overstates the problem for most users.
That doesn’t mean this isn’t a critical vulnerability, and I think it’s insane to run OpenClaw in its current state. But the current headline will burn your credibility, because 80% of users will be fine with no action, and they’ll take future security issues less seriously as a result.
nickthegreek 1 hours ago [-]
All the numbers you are using appear to be made up by the reddit poster. I say that as they provided no citation to them (for all I know they got them from an AI). I attempted to verify any of the numbers he used and could not. By exaggerating the numbers he is crying wolf.
DrewADesign 29 minutes ago [-]
Well the post was removed so it doesn’t lend a lot of support to their claims.
neya 3 hours ago [-]
Someone has to say this, but - If you still continued to use OpenClaw despite multiple top news sites explaining the scope of the previous hacks and why you shouldn't use it, you probably deserved to get hacked
2 hours ago [-]
pezo1919 2 hours ago [-]
“It’s OK to be hacked until everyone is getting hacked.”
sunaookami 3 hours ago [-]
Honest question: What do people actually USE OpenClaw for? The most common usage seems to be "it reads your emails!", that's the exact opposite of "exciting"...
sgillen 2 hours ago [-]
I've only been playing with it recently ... I have mine scraping for SF city meetings that I can attend and public comment to advocate for more housing etc (https://github.com/sgillen/sf-civic-digest).
It also have mine automatically grabs a spot at my gym when spots are released because I always forget.
I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.
gruez 2 hours ago [-]
>It also have mine automatically grabs a spot at my gym when spots are released because I always forget.
seems far more efficient/reliable to get codex/claude code to write and set up a bot that does this.
Sargos 1 hours ago [-]
>set up a bot that does this
But he already did this. With a bonus of it will continue to work in the future if something breaks or changes. Human time is more precious than computing resources nowadays.
mvdtnz 2 hours ago [-]
[flagged]
gruez 2 hours ago [-]
No? The comment was admittedly ambiguous but if you go to repo it's far clearer:
>I use it to give me a weekly digest of what happened in my neighborhood and if there are any public hearings or trash pickups I might want to attend.
WhrRTheBaboons 2 hours ago [-]
that does not seem like something you need an 'autonomous' agent for.
Sohcahtoa82 2 hours ago [-]
What would you propose as an alternative?
Anything not relying on an LLM likely means having to write bespoke scripts. That's not really worth the time, especially when you want summaries and not having to skim things yourself.
Going from doing it manually on a regular basis to an autonomous agent turns a frequent 5-15 minute task into a 30 second one.
mvdtnz 2 hours ago [-]
> Anything not relying on an LLM likely means having to write bespoke scripts.
The very first line in your readme is "CivicClaw is a set of scripts and prompts" though? And almost the entire repo is a bunch of python scripts under a /scripts folder.
Parent isn't saying that bespoke scripts are bad, just that it's not worth their time to write them. The value of the bot is that it can do that for you.
butlike 2 hours ago [-]
They've created a public bulletin board for themselves, like a café's blackboard, or a city telephone pole.
veganmosfet 16 minutes ago [-]
I am experimenting prompt injection on OpenClaw [0][1], quite exciting.
I use it mostly for the crons, it runs a personal productivity system that tracks my tasks, provides nudges, talks through stuff etc. It's all stored in an Obsidian vault that syncs to my desktop. I don't use it to control email/calendars or other agents.
rubslopes 29 minutes ago [-]
I don't use this one, but a simpler one, also running on a vps. I communicate via telegram.
I say to it: check my pending tasks on Todoist and see if you can tackle on of those by yourself.
It then finds some bugs in a webapp that I took note. I tell it to go for it, but use a new branch and deploy it on a new url. So it clones the repo, fix it, commit, push, deploy, and test. It just messages me afterwards.
This is possible because it has access to my todoist and github and several other services.
knights_gambit 1 hours ago [-]
I use it to manage a media server. And use natural language to download movies and series. Also I use to for homeassistant so I csn use natural language for vacuuming the house and things like that. I do use it for a number of other tasks but those are the most partical.
nickthegreek 38 minutes ago [-]
Good use cases, but I do want to point out that you can do all of that with HA itself. Are you using skills to talk to *arr services?
earnesti 2 hours ago [-]
I use it for a side project. I just put it on VPS, and then it edits the code and tests it. The nice thing is that I can use it on the go whenever I have spare moment. It is addictive, but way better addiction than social media IMO.
The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.
FrameworkFred 43 minutes ago [-]
so far, I've used it to kill a bunch of time trying to get it to respond to "Hi @Kirk" in a private Slack channel.
...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)
and I've treated it like it's already been compromised the whole time.
globular-toast 40 minutes ago [-]
So basically an eggdrop like we had in the 90s except, by the sounds of it, less useful and considerably less fun.
nickthegreek 36 minutes ago [-]
Having this in a discord is actually like having an eggdrop on steroids. I would of lost my mind having this on efnet in the late 90s.
_doctor_love 3 hours ago [-]
Assuming you're asking in good faith, IMHO the deeper story around OpenClaw is that it's the core piece of a larger pattern.
The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.
So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.
In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.
[EDIT: I truly down understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]
_doctor_love 22 minutes ago [-]
Man, all the replies to my comment. Do you guys know how to fucking read?
j-bos 2 hours ago [-]
So I neither downvoted nor upvoted you, but I think people may be downvoting, in addition to the fact that they just don't like the thing, based on the fact that you didn't directly answer the question. Specifically, what are you using it for, not what hypothetically it would be used for.
PKop 2 hours ago [-]
First words out of your mouth are to accuse OP of not seriously asking the question. Then you write paragraphs saying nothing much at all. You could have simply answered the question in a simple straightforward manner.
mvdtnz 2 hours ago [-]
You're probably being downvoted because you didn't answer the question. The questioner specifically asked what people are using it for and you answered by describing your technical setup. What we want to know is, what are you actually achieving with this tool?
franze 2 hours ago [-]
my claw controls my old M2 mac, mostly my claw uses Claude code to code
operatingthetan 1 hours ago [-]
So you're using a different llm to control claude code to get around the Anthropic TOS about openclaw usage?
paganel 54 minutes ago [-]
At this point I'm personally lost, unless GP's comment wasn't some sort of satire (which would be valid, this being a topic about AI).
dyauspitr 2 hours ago [-]
Agent based chron jobs mostly that work with other agents. It’s really nice if you want to tell your computer to do something repeatedly or in confluence with many other agents in a very simple way. Like check my email for messages from Nadia and send me a notification and turn on all the lights in my driveway when she gets there without having to actually get into the nuts and bolts of implementing it. It’s actually really powerful and probably what Siri should be.
browningstreet 3 hours ago [-]
[flagged]
sunaookami 2 hours ago [-]
Obviously I already searched the web (not specifically HN I must admit) and there were always incredibly generic non-answers that ultimately say nothing (and they assume you have 3000$ per month or 2000 Mac Minis on your desk (hyperbole)).
ziml77 2 hours ago [-]
Incredibly, one of the responses you got already is exactly one of those replies that says nothing. There's a whole bunch of words that don't actually answer the question.
emp17344 2 hours ago [-]
I think you’ve got your answer, then. If nobody can tell you what it’s really used for, it likely doesn’t have any real use cases.
freedomben 3 hours ago [-]
yeah I don't normally say "read previous HN articles" but it has been asked at least once in every article here.
emptysongglass 2 hours ago [-]
I'm so tired of answering this question so I simply won't.
Your best way of finding if it's useful for you is to install it and explore, just like you would with any other software tool.
equasar 1 hours ago [-]
Dodged the question entirely. Makes OP point very valid. OpenClaw is just nothing exciting to be about, it is a YOLO/FOMO experience for people so they can feel they are part of the "AI world".
emptysongglass 1 hours ago [-]
Why don't you try it yourself instead of making uninformed claims
DonHopkins 1 hours ago [-]
[flagged]
DonHopkins 1 hours ago [-]
Before I decide to shoot up smack, I like to ask junkies what the whole heroin experience is like, what they use it for, and how it has affected their lives.
So you're comparing a generic tool you can tailor to your own needs to drugs?
This is exactly why I have zero interest in engaging with people over this topic.
DonHopkins 1 hours ago [-]
[flagged]
Leomuck 3 hours ago [-]
Well, such things were to be expected.
It's easy to bash on all the people who haven't gotten the necessary IT understanding of securing such things. Of course, it's uber-dumb to run an unprotected instance.
But at the same time, it's also quite cool that so many people can do interesting IT stuff now.
I'm thinking basically it's a trade-off. Be able to do great stuff, live with the consequences of doing that without proper training.
Like repairing your car yourself. You might have fun doing it, it might get you somewhere, but you have to accept that if you have no idea about cars, you just introduced a pretty big risk into your life (say if you replaced the brakes or something).
But yea, security, privacy, fighting climate change, all very much on the decline - humans doing cool things, ignoring important things - we'll have to live with the consequences.
paulhebert 3 hours ago [-]
Gonna be honest. I'd rather fight climate change than have people run LLMs unsecured
Xunjin 2 hours ago [-]
Yeah... The bill is already being paid. I wonder how the life quality of my nephew (and other children) of 5 years old today will be in the near future..
butlike 2 hours ago [-]
With your car example, you also assume the risk unto others. If your "chopper" of a car hits and kills someone else, and you survive, you're paying for the consequences of that. I don't think it's cool that untrained people can do interesting IT stuff now. I see it as a huge liability where some unsecured instance pwns the internet, then it's some 12 year old that gets marched in front of congress and everyone goes: "wtf?" There's essentially no accountability and the damage is still done.
reenorap 2 hours ago [-]
The threads on that /r/sysadmin post sound exactly like every sysadmin I've ever worked with in my career.
> Confession: I ship code I never read. Here's my 2025 workflow.
Might want to start reading it I'd say.
rdtsc 2 hours ago [-]
- "OpenClaw, read the code"
- "You're absolutely right. One should read and understand their own code. I did, and it looks great"
TZubiri 53 minutes ago [-]
I'm critical of OpenClaw and even the author to some extent, but I prefer to have nuanced and compartmentalized conversations, on a thread about a specific vulnerability, it's much more productive to talk about the specific vulnerability rather than OpenClaw as a whole. Otherwise we would only have generic OpenClaw conversations and we would only be saying the same thing.
maxbond 25 minutes ago [-]
The comment could have been more substantive but it isn't generic or tangential. Discussing a vulnerability ultimately means discussing the failures of process that allowed it to be shipped. Especially with these application-level logic bugs that static analyzers can't generally find, the most productive outcome (after the vulnerability is fixed) is to discuss what process changes we can make to avoid shipping the next vulnerability. I'm sure there's hardening that can be done in OpenClaw but the premise of OpenClaw is to integrate many different services - it has a really large attack surface, only so much can be done to mitigate that, so it's critical to create code review processes that catch these issues.
OpenClaw is probably entering a phase of it's life where prototype-grade YOLO processes (like what the tweet describes) aren't going to cut it anymore. That's not really a criticism, the product's success has over vaulted it's maturity, which is a fortunate problem to have.
throwpoaster 17 minutes ago [-]
The Ludditism in this thread, and the linked thread, is shocking.
kube-system 2 hours ago [-]
If someone could forward the SSH port from my VPS to access my instance, I already had bigger problems.
n1tro_lab 2 hours ago [-]
Authorization failed open when a parameter was missing. Same pattern as Langflow. They patched one endpoint, missed another calling the same function. Per-endpoint hardening doesn't scale.
jeremie_strand 2 hours ago [-]
[dead]
rvz 3 hours ago [-]
OpenClaw has over 400+ security issues and vulnerabilities. [0]
Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
It does not need access to your full machine. It can literally run in a vps.
rob 2 hours ago [-]
Most of the people using it probably don't even know what SSH is, let alone using a VPS to maintain a personal bot for them for years with no maintenance. They know Vercel and Supabase. They will run it on their local machine and just keep clicking yes to everything until they get the result they want.
nickthegreek 41 minutes ago [-]
That is not how the software works.. I take it you have no first hand knowledge with this stack? This isn't a double click the exe and you are off the races. The hostinger vps is actually the easiest way for a normie to get this running.
eloisant 1 hours ago [-]
The thing is that if you want it to do useful things, you kinda have to give it access to some of your accounts.
nickthegreek 43 minutes ago [-]
This is not true. It is useful without having access to a single account of mine. My setup runs on its own accounts and hardware. Obviously it is not sending out emails from my inbox, but that is not a usecase of any value to me. And if it was, there are actually plenty of ways to do that safely as well.
If you think you need to give it the keys to your kingdoom to be useful, you are not actually experimenting with this stack but regurgitating the words of others. I really don't understand the mindset of comments like this.
fraywing 3 hours ago [-]
How do you think the vibe-coding layman audience is using OpenClaw?
nickthegreek 3 hours ago [-]
Hostinger vps if youtube is any indication. Also its actually hard for a layman to run this software.
butlike 2 hours ago [-]
"All you have to do is run the command `/yolo` to start your instance of OpenClaw."
/s
Simon321 3 hours ago [-]
Only if your openclaw instance is publicly exposed on the internet... which is not the case for most people
causal 3 hours ago [-]
Until recently, this was default configuration
Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263
I have used openclaw pretty long but at no point it has proposed doing anything like that.
nickthegreek 3 hours ago [-]
Not true. So many people love to come out of the woodwork on these openclaw posts who have no first hand knowledge of the software. It is stunning.
charcircuit 3 hours ago [-]
Since pretty much the beginning it wasn't and the documentation explicitly warned not to make it public, exposing it to the internet. It included information on how you can properly forward the gateway port to your machine without opening it up to the internet.
bigstrat2003 1 hours ago [-]
If you're running OpenClaw, you already threw security and reliability out the window by running LLMs on the command line. It's a bit late to start worrying now.
earnesti 3 hours ago [-]
I don't think enabling admin on open internet is a default behaviour by any means?
gloosx 15 minutes ago [-]
erhm.... what the hell is openclaw?? what does it actually do? i tried searching and researching but I couldnt understand what it is. Autonomous ai agent framework?? what does this even mean? like a claude wrapper?
3 hours ago [-]
pym4n 2 hours ago [-]
Guys, OpenClaw is a toy, that's it!
throwatdem12311 3 hours ago [-]
Think of all the people that are too ignorant to even understand the basics of any of this that are running OpenClaw. They will be completely unaware and attackers can easily hide their tracks by changing system prompts (among plenty of other things).
This is bad.
gos9 3 hours ago [-]
Really? Posting AI generated Reddit post with no sources or anything?
if would be good if we could have the submission including this link at the top
tgv 3 hours ago [-]
The CVE seems to be real.
3 hours ago [-]
roangeller 29 minutes ago [-]
[dead]
RodMiller 35 minutes ago [-]
[dead]
machinecontrol 2 hours ago [-]
The root issue is that OpenClaw is 500K+ lines of vibe coded bloat that's impossible to reason about or understand.
Too much focus on shipping features, not enough attention to stability and security.
As the code base grows exponentially, so does the security vulnerability surface.
williamstein 2 hours ago [-]
The current OpenClaw GitHub repo [1] contains 2.1 million lines of code, according to cloc, with 1.6M being typescript. It also has almost 26K commits.
> There used to be a time where people who shipped CVEs took accountability.
I see you haven't heard of Microsoft...
orsorna 57 minutes ago [-]
He took millions of dollars instead, it's working out for him.
ua709 2 hours ago [-]
What time was that and who do we get to blame for Log4j?
lp0_on_fire 2 hours ago [-]
Have you met these AI companies yet?
fraywing 3 hours ago [-]
Could anyone have predicted that giving an agent free reign of your personal hardware could have resulted in bad things happening? not I /s
jstanley 3 hours ago [-]
But this is nothing to do with the agent being tricked. This is ordinary old-fashioned code being tricked!
paulhebert 3 hours ago [-]
But was the code written by an agent? It's agents all the way down
fraywing 3 hours ago [-]
[dead]
podgorniy 4 hours ago [-]
[flagged]
tgv 3 hours ago [-]
Your comment is obviously against the rules, but I read it as: Why are people not more careful? This is some unknown, app, with unknown, unvetted depths, and you only like it because other people say it's shiny and AI. It made you giddy, and you forgot that giving a tool permissions is an invitation to hackers. Well, you went ahead and ignored all common sense, and here we are.
In this case I'd say that it was made not to enable that, but in total disregard of its realistic uses and risks. In a sense this is less... deliberate poisoning, and more doing a bad job cutting heroin with fentanyl for distribution. Yeah the result is the same, but the cause is negligence to the point of parody rather than outright malice.
throwatdem12311 3 hours ago [-]
Some people are so stupid it is indistinguishable from evil.
cactusplant7374 4 hours ago [-]
What reason would Steinberger have for doing that? It was his hobby project.
crazy5sheep 3 hours ago [-]
[dead]
throwatdem12311 3 hours ago [-]
You can’t think of a single reason?
Intelligence asset.
Useful idiot.
Plenty of reasons.
asdff 3 hours ago [-]
He doesn't need a reason. He could have been captured by intelligence after the fact.
blharr 3 hours ago [-]
Hackernews is now posting links to reddit AI slop posts that I came here to get away from...
dgellow 3 hours ago [-]
Flag then move to the next one
throwatdem12311 3 hours ago [-]
As if the non-Reddit links aren’t majority AI slop already.
This was a privilege-escalation bug, but not "any random Telegram/Discord message can instantly own every OpenClaw instance."
The root issue was an incomplete fix. The earlier advisory hardened the gateway RPC path for device approvals by passing the caller's scopes into the core approval check. But the `/pair approve` plugin command path still called the same approval function without `callerScopes`, and the core logic failed open when that parameter was missing.
So the strongest confirmed exploit path was: a client that ALREADY HAD GATEWAY ACCESS and enough permission to send commands could use `chat.send` with `/pair approve latest` to approve a pending device request asking for broader scopes, including `operator.admin`. In other words: a scope-ceiling bypass from pairing/write-level access to admin.
This was not primarily a Telegram-specific or message-provider-specific bug. The bug lived in the shared plugin command handler, so any already-authorized command sender that could reach `/pair approve` could hit it. For Telegram specifically, the default DM policy blocks unknown outsiders before command execution, so this was not "message the bot once and get admin." But an already-authorized Telegram sender could still reach the vulnerable path.
The practical risk for this was very low, especially if OpenClaw is used as single-user personal assistant. We're working hard to harden the codebase with folks from Nvidia, ByteDance, Tencent and OpenAI.
* 135k+ OpenClaw instances are publicly exposed * 63% of those run zero authentication. Meaning the "low privilege required" in the CVE = literally anyone on the internet can request pairing access and start the exploit chain
Is this accurate? This is definitely a very different picture then the one you paint
LLMs are patient, tireless, capable of rigorous opsec, and effectively infinite in number.
I'm sure it's extremely stressful and embarrassing to face the prospect that your work created a widespread, significant vulnerability. As another software engineer and a human I empathize with the discomfort of that position. But respectfully, you should put your energy into addressing this and communicating honestly about what happened and the severity, not in attempting to save face and PR damage control. You will be remembered much better for the former.
EDIT: more from the source[2]
[1]: https://blink.new/blog/cve-2026-33579-openclaw-privilege-esc... [2]: https://blink.new/blog/cve-2026-33579-openclaw-privilege-esc...Did OpenClaw write this for you?
It's a good compromise between running as me and full sandbox-exec. Multi-user Unix-y systems were designed for this kind of stuff since decades ago.
Not too much harder is using a VM:
With Apple's open-source container tool, you can spin up a linux container vm in ~100ms. (No docker root)
With Apple virtualization framework, you can run macOS in a VM (with a separate apple id).
Right, these are system accounts. They don't have access to anything except their own home folder and whatever I put in their .bashrc. `sudo` is a pretty easy sandbox by itself and lets me manage their home folders, shell, and environment easily just with the typical Unix-isms. No need for mounting VM disks, persisting disk images, etc.
I don't need virtualization to let Claude Code run. I just let it run as a "claude" user.
Shipping at the speed of inference for real.
My interpretation is that 135k instances are vulnerable, but of those there's more conditions that need to be met, specifically:
These need to be multi-user systems where there are users with 'basic pairing' privileges. Which I don't think is very common, most instances are single-user.
So way less than the 135k number. I think a more accurate title would have been "If you're running OpenClaw, you are probably vulnerable" but not "you probably got hacked", that's just outright false and there's no evidence that the exposed users were ALL hacked.
Do you so stringently examine most CVEs? I’ll bet you don’t. Are you a big fan of this project? I’ll bet you are. Do you have any actual data to counter what they said or do you just sort of generally not vibe with it? If so, now would be a great time to break it out while this is still fresh. If not…
Otherwise I would say “you may have been hacked” not “you probably have been hacked”.
If you're running OpenClaw, you probably didn't get hacked in the last week.
That doesn’t mean this isn’t a critical vulnerability, and I think it’s insane to run OpenClaw in its current state. But the current headline will burn your credibility, because 80% of users will be fine with no action, and they’ll take future security issues less seriously as a result.
It also have mine automatically grabs a spot at my gym when spots are released because I always forget.
I'm just playing with it, it's been fun! It's all on a VM in the cloud and I assume it could get pwned at any time but the blast radius would be small.
seems far more efficient/reliable to get codex/claude code to write and set up a bot that does this.
But he already did this. With a bonus of it will continue to work in the future if something breaks or changes. Human time is more precious than computing resources nowadays.
>I use it to give me a weekly digest of what happened in my neighborhood and if there are any public hearings or trash pickups I might want to attend.
Anything not relying on an LLM likely means having to write bespoke scripts. That's not really worth the time, especially when you want summaries and not having to skim things yourself.
Going from doing it manually on a regular basis to an autonomous agent turns a frequent 5-15 minute task into a 30 second one.
The very first line in your readme is "CivicClaw is a set of scripts and prompts" though? And almost the entire repo is a bunch of python scripts under a /scripts folder.
I looked at one randomly chosen script (scripts/sf_rec_park.py) and it's 549 lines of Python to fetch and summarise data that is available on an RSS feed ( https://sanfrancisco.granicus.com/ViewPublisher.php?view_id=... )
[0] https://itmeetsot.eu/posts/2026-03-27-openclaw_webfetch/
[1] https://itmeetsot.eu/posts/2026-03-03-openclaw3/
I say to it: check my pending tasks on Todoist and see if you can tackle on of those by yourself.
It then finds some bugs in a webapp that I took note. I tell it to go for it, but use a new branch and deploy it on a new url. So it clones the repo, fix it, commit, push, deploy, and test. It just messages me afterwards.
This is possible because it has access to my todoist and github and several other services.
The thing where you give it access to all your personal data and whatever I haven't done and wouldn't do.
...and to laugh a little every time it calls me "commander" or asks "What's the next mission?" or (and this is the best one) it uses the catchphrase I gave it which is "it's probably fine" (and it uses it entirely appropriately...I think there must have been a lot of sarcasm in qwen 3.5's training data)
and I've treated it like it's already been compromised the whole time.
The way I'm seeing folks responsibly use OpenClaw is to install it as a well-regulated governor driving other agents and other tools. It is effectively the big brain orchestrating a larger system.
So for instance, you could have an OpenClaw jail where you-the-human talk to OpenClaw via some channel, and then that directs OpenClaw to put lower-level agents to work.
In some sense it's a bit like Dwarf Fortress or the old Dungeon Keeper game. You declare what you want to have happen and then the imps run off and do it.
[EDIT: I truly down understand sometimes why people downvote things. If you don't like what I'm saying, at least reply with some kind of argument.]
Your best way of finding if it's useful for you is to install it and explore, just like you would with any other software tool.
Nina Hagen - Smack Jack
https://www.youtube.com/watch?v=nIDnN34ZZaE
>Smack Ist Dreck, Stop It Oder Verreck!
This is exactly why I have zero interest in engaging with people over this topic.
https://x.com/steipete/status/2005451576971043097
> Confession: I ship code I never read. Here's my 2025 workflow.
Might want to start reading it I'd say.
- "You're absolutely right. One should read and understand their own code. I did, and it looks great"
OpenClaw is probably entering a phase of it's life where prototype-grade YOLO processes (like what the tweet describes) aren't going to cut it anymore. That's not really a criticism, the product's success has over vaulted it's maturity, which is a fortunate problem to have.
Why on earth would you install something like that has access to your entire machine, even if it is a separate one which has the potential to scan local networks?
Who is even making money out of OpenClaw other than the people attempting to host it? I see little use out of it other than a way to get yourself hacked by anyone.
[0] https://github.com/openclaw/openclaw/security
If you think you need to give it the keys to your kingdoom to be useful, you are not actually experimenting with this stack but regurgitating the words of others. I really don't understand the mindset of comments like this.
/s
Edit: Default binding was to 0.0.0.0, and if you were not aware of this and assumed your router was keeping you safe, you probably should not be using OpenClaw. In fact some services may still default to 0.0.0.0: https://github.com/openclaw/openclaw/issues/5263
https://github.com/openclaw/openclaw/commit/5643a934799dc523...
This is bad.
Too much focus on shipping features, not enough attention to stability and security.
As the code base grows exponentially, so does the security vulnerability surface.
[1] https://github.com/openclaw/openclaw
I see you haven't heard of Microsoft...
https://en.wikipedia.org/wiki/Hanlon%27s_razor
Intelligence asset.
Useful idiot.
Plenty of reasons.
We detached this comment from https://news.ycombinator.com/item?id=47629849 and marked it off topic.