OpenClaw Hits 138 CVEs in 63 Days — Roughly 2.2 New Vulnerabilities Per Day

Joel Gamblin's public CVE tracker (jgamblin/OpenClawCVEs) logged 137 security advisories between Feb 2 and Apr 4, 2026 — roughly one new advisory every 15 hours. The sheer velocity of disclosures is cited as evidence that OpenClaw's security posture is fundamentally broken for production use.

Product Idea from this Signal

A CLI tool that scans a running OpenClaw instance for known CVEs, exposed endpoints, and misconfigured permissions before it reaches production

2.4k ▲

OpenClaw accumulated 138 CVEs in 63 days during early 2026 and Cisco publicly labeled it a security nightmare. Over 135,000 instances are running exposed on the internet with 63% having no authentication. Despite this, most self-hosters have no automated way to check whether their specific version and configuration is vulnerable. This tool reads the local OpenClaw version, queries the jgamblin/OpenClawCVEs tracker, scans for exposed ports and missing auth, and outputs a pass/fail report with specific remediation steps.

CLIOPEN-SOURCESECURITYDEVTOOL

CompetitiveView Opportunity →