clawsmith.com/signal/openclaw-138-cves-63-days-security-timeline-2026

OpenClaw Accumulates 138 CVEs in 63 Days — One Every 15 Hours

Joel Gamblin's jgamblin/OpenClawCVEs tracker logged 137 advisories between Feb 2 and Apr 4, 2026, 41% of them rated High or Critical. Nine CVEs landed in four days during March, including one rated CVSS 9.9. Key vulnerabilities: CVE-2026-22172 (CVSS 9.9), CVE-2026-32922 (privilege escalation, CVSS 9.9), and CVE-2026-25253 (one-click RCE). Microsoft advised against running it on personal or corporate machines.

Product Idea from this Signal

A CLI tool that generates a go/no-go security report for OpenClaw deployment decisions by scoring CVE exposure, skill supply chain risk, and trust indicators


OpenClaw accumulated 138 CVEs in 63 days (41% High/Critical), 1,400+ malicious skills infiltrated ClawHub, Forrester and Palo Alto Networks publicly called it dead, and Meta banned it internally after an agent mass-deleted 200+ emails. Engineering teams now face a binary question: can we deploy this, or should we migrate? This CLI tool scans your specific OpenClaw instance, scores it against the full CVE timeline and ClawHavoc indicators, and outputs a single go/no-go recommendation with the evidence trail an engineering manager can hand to their VP.

Tags: CLI, Open-Source, Security, Compliance, DevTool

Score Breakdown

GitHub: 535
