How many CVEs has OpenClaw had in 2026?

OpenClaw accumulated 138 CVEs in under five months, with 137 security advisories logged between February 2 and April 4, 2026.

Which organizations issued OpenClaw security advisories?

Kaspersky, CrowdStrike, Belgium Centre for Cybersecurity, ARMO, Bitsight, SecurityScorecard, Cisco, Bitdefender, and NVIDIA all published OpenClaw security content.

What was the worst week for OpenClaw security?

Between March 18 and March 21, 2026, nine CVEs were publicly disclosed in just four days.

How many OpenClaw instances are exposed online?

In February 2026, 40,214 internet-exposed OpenClaw instances were observed, with 63% flagged as vulnerable to remote code execution.

← Back to dashboard

clawsmith.com/signal/openclaw-138-cves-five-months-security-track-2026

⚠ IssueWide OpenLive

OpenClaw Accumulates 138 CVEs in Under Five Months -- 2026 Security Track Record

Q: What are the most severe OpenClaw CVEs?

The most severe are CVE-2026-22172 and CVE-2026-32922, both at CVSS 9.9, enabling admin control without credentials and privilege escalation to RCE.

OpenClaw logged 137 security advisories between February 2 and April 4, 2026 alone. Most severe: CVE-2026-22172 and CVE-2026-32922 both at CVSS 9.9 enabling admin control without credentials. Nine CVEs disclosed in four days during March 2026. 40,214 internet-exposed instances observed in February. Separate advisories from Kaspersky, CrowdStrike, Belgium CERT, ARMO, Cisco, Bitdefender, NVIDIA.

Product Idea from this Signal

A background service that scores your OpenClaw deployment's real attack surface by analyzing which unpatched CVE combinations create chainable exploits

289 ▲

OpenClaw accumulated 138 CVEs in under five months. The Claw Chain disclosure showed that four individually medium-severity CVEs can be chained into a CVSS 9.6 full-compromise attack. Existing security scanners check for individual CVEs one at a time but miss the combinatorial risk. A deployment running three unpatched medium-severity CVEs might actually have a critical-severity attack path that no single-CVE scanner would flag. This service continuously maps your specific OpenClaw version, plugins, and config against known attack chains to produce a real composite risk score.

BACKGROUND-SERVICESECURITYOPEN-SOURCEDEVTOOL

CompetitiveView Opportunity →