CVE-2025-59466 & CVE-2026-21636: What OpenClaw Users Need to Know

Two significant CVEs have been disclosed affecting OpenClaw (formerly Moltbot) deployments. This guide explains the vulnerabilities, who’s affected, and how to remediate.

NOTE

These vulnerabilities were discovered in the Moltbot era but apply to OpenClaw as well. If you’ve upgraded to the latest OpenClaw release, you’re already patched.

Quick Summary

CVE	Severity	Affected Versions	Patched In
CVE-2025-59466	High	< 1.2.3	1.2.3+
CVE-2026-21636	Medium	< 1.3.0	1.3.0+

If you’re running an affected version, update immediately.

# Update to latest OpenClaw
npm install -g openclaw@latest

CVE-2025-59466: Gateway Authentication Bypass

Overview

A vulnerability in the gateway authentication mechanism allowed attackers to bypass token validation under specific conditions.

Technical Details

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
CVSS Score: 8.6 (High)

How It Works

The vulnerability exploited a race condition in token validation:

1. Attacker sends request with malformed token
2. Validation thread begins checking token
3. Second request arrives before validation completes
4. Race condition allows second request to bypass auth

Who’s Affected

Deployments running gateway < 1.2.3
Gateways exposed to untrusted networks
Configurations without rate limiting

Am I Vulnerable?

Check your version:

openclaw --version

If the output shows a version less than 1.2.3, you’re affected.

Remediation

Option 1: Update (Recommended)

npm install -g openclaw@latest

Option 2: Mitigations (if update not immediately possible)

Restrict gateway to localhost only:
```
{ "gateway": { "bind": "127.0.0.1" } }
```

Enable aggressive rate limiting:

{ "rateLimiting": { "requestsPerMinute": 10 } }

Use a reverse proxy with additional auth

CVE-2026-21636: Tool Permission Escalation

Overview

A flaw in the tool permission system allowed agents to escalate privileges beyond configured restrictions.

Technical Details

Attack Vector: Local
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
CVSS Score: 5.3 (Medium)

How It Works

The vulnerability chain:

1. Attacker crafts prompt that appears benign
2. Prompt triggers tool A (which is allowed)
3. Tool A's output contains instruction to invoke Tool B
4. Permission check fails to catch the indirect invocation
5. Tool B executes with elevated permissions

Who’s Affected

Deployments with mixed tool permission levels
Agents processing untrusted content
Configurations without output validation

Am I Vulnerable?

You’re at risk if:

Running version < 1.3.0
Have both restricted and unrestricted tools enabled
Process external content (PRs, issues, etc.)

Remediation

Option 1: Update (Recommended)

npm install -g openclaw@latest

Option 2: Mitigations

Disable elevated tools when processing untrusted content

Use separate agent profiles for different trust levels:

{
  "profiles": {
    "trusted": { "tools": ["all"] },
    "untrusted": { "tools": ["read-only"] }
  }
}

Implement output validation

Verification Steps

After patching, verify your deployment:

1. Confirm Version

openclaw --version
# Should show >= 1.3.0 or latest OpenClaw version

2. Run Security Audit

openclaw security audit --include-cve-checks

3. Check Configuration

# Verify auth is enabled
openclaw config show --section=auth

# Verify tool restrictions
openclaw tools list --show-permissions

4. Review Logs

Check for any suspicious activity during the vulnerable period:

openclaw logs --since "2025-12-01" --filter "auth_failure|permission_escalation"

Timeline

Date	Event
2025-11-15	CVE-2025-59466 discovered by security researcher
2025-11-20	Reported to security team
2025-12-01	Patch developed and tested
2025-12-15	Version 1.2.3 released with fix
2026-01-05	CVE-2026-21636 discovered internally
2026-01-15	Version 1.3.0 released with fix
2026-01-20	Public disclosure
2026-01-29	OpenClaw rebrand with all patches included

Lessons Learned

These CVEs highlight important security principles for AI agents:

1. Defense in Depth

Don’t rely on a single security control. Layer your defenses:

Authentication + Authorization + Network restrictions + Monitoring

2. Least Privilege

Limit tool access to what’s actually needed. The escalation vulnerability was worse for deployments with broad permissions.

3. Update Promptly

Both vulnerabilities were patched before public disclosure. Organizations with good update practices were protected.

4. Trust No Input

Assume all input—including content the agent reads—could be malicious.

Need Help?

OpenClaw Migration Guide - Upgrade from Moltbot/Clawdbot
Security Audit Checklist - Comprehensive audit guide
Gateway Hardening - Secure your configuration
OpenClaw Security: See openclaw.ai for security contact

Stay updated on security vulnerabilities by bookmarking SecureMolt.com. We’ll publish guidance for future disclosures.