OpenClaw has patched six new vulnerabilities in its popular agentic AI assistant, covering server-side request forgery (SSRF), missing authentication and path traversal bugs, according to Endor Labs.
The vulnerabilities, some of which do not have CVE IDs, range from moderate to high severity, the security vendor said in a blog post published on February 18.
The flaws it found are as follows:
- CVE-2026-26322: A Server-Side Request Forgery (SSRF) bug affecting OpenClaw’s Gateway tool, with a CVSS score of 7.6 (high severity)
- CVE-2026-26319: Missing Telnyx webhook authentication with a CVSS score of 7.5 (high severity)
- CVE-2026-26329: Path traversal in browser upload, high severity but with no CVSS score assigned
- A high severity (CVSS 7.6) SSRF vulnerability impacting OpenClaw’s image tool, with the GitHub Security Advisory code of GHSA-56f2-hvwg-5743
- A moderate severity (CVSS 6.5) SSRF vulnerability in Urbit authentication (GHSA-pg2v-8xwh-qhcc)
- A moderate severity (CVSS 6.5) Twilio webhook authentication bypass vulnerability (GHSA-c37p-4qqg-3p76)
Read more on OpenClaw: Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw
Endor Labs argued that its research reveals important lessons for developers of AI agent infrastructure.
“Data flow analysis is essential for modern applications,” it said. “The multi-layer architecture of AI agent frameworks means vulnerabilities often span multiple files and components. Understanding the complete source-to-sink path is critical.”
The security vendor also pointed to the following:
- Trust boundaries extend beyond traditional user input. Configuration values, LLM outputs, and tool parameters are potential attack surfaces that require validation
- Validation must occur at every layer for defense in depth. Several vulnerabilities Endor Labs found existed because validation was missing at all stages
- AI-specific patterns require specialized analysis. Traditional static application security testing (SAST) tools designed for regular web app aren’t able to identify issues in LLM-to-tool flows, conversation state management, and agent-specific trust boundaries
OpenClaw Remains an Open Book
Endor Labs revealed last week that it had discovered seven vulnerabilities in total. It’s unclear whether OpenClaw’s development team is still working on a fix for the final one.
In the meantime, major security concerns persist over its undocumented use in the enterprise.
A week ago, a SecurityScorecard report warned of tens of thousands of misconfigured instances that have been exposed to the public internet. This could enable threat actors to gain full access to potentially sensitive corporate systems the OpenClaw instance is able to interact with.
The security vendor also revealed three high-severity CVEs in OpenClaw with public exploit code available for each.
The risk of indirect prompt injection and the presence of malicious “skills” (plugins) on ClawHub are particularly troubling.
Threat actors are already targeting agents with infostealers, it was revealed this week.
