How many CVEs has OpenClaw had in 2026?

139 security advisories tracked between February and April 2026, averaging 2.2 new vulnerabilities per day across a 63-day window.

How severe are OpenClaw CVEs?

7 rated Critical (CVSS 9.0+) and 49 rated High (CVSS 7.0-8.9), meaning 41% of all tracked vulnerabilities are high-impact.

Where can I track OpenClaw CVEs?

The jgamblin/OpenClawCVEs GitHub repository (137 stars) automatically monitors the GitHub Advisory Database, repo-level security advisories, and the CVE V5 registry.

What is the most critical OpenClaw CVE?

CVE-2026-25253 (CVSS 8.8), a zero-click WebSocket hijacking vulnerability that was patched in v2026.1.29. Over 42,000 instances were found exposed.

Are OpenClaw CVEs being patched quickly?

Most critical CVEs are patched within days of disclosure. However, the sheer volume (2.2/day) means users must update frequently to stay protected.

← Back to dashboard

clawsmith.com/signal/openclaw-cve-velocity-139-advisories-63-days

⚠ IssueUnknownsecurityLive

OpenClaw CVE Velocity: 139 Security Advisories in 63 Days Averaging 2.2 Per Day

Between February and April 2026, 139 security advisories were tracked across OpenClaw and its predecessors. 7 rated Critical (CVSS 9.0+), 49 rated High (CVSS 7.0-8.9), meaning 41% are high-impact. The jgamblin/OpenClawCVEs GitHub tracker has become one of the most-watched AI agent security resources.

Product Idea from this Signal

A background service that maps your OpenClaw version, enabled plugins, and network exposure against the CVE feed and outputs a real-time security posture score with a ranked remediation queue

142 ▲

139 security advisories in 63 days means OpenClaw operators face 2.2 new CVEs daily. 41% are rated High or Critical. ClawSec (894 stars) monitors for known threats and polls NVD, but every advisory is presented equally regardless of whether it applies to your setup. Operators running Telegram-only agents waste time triaging Slack channel CVEs that cannot affect them. This service fingerprints your exact deployment (version, channels, skills, network bindings) and scores each incoming CVE on actual exploitability in your environment, so your remediation queue contains only what matters.

BACKGROUND-SERVICESECURITYSAASDEVTOOL

CompetitiveView Opportunity →