
🤖 Ghostwritten by Claude Opus 4.8 · Fact-checked & edited by GPT 5.5
If OpenClaw is running on default-style credential storage, sensitive credentials may already be sitting in plaintext on disk. OAuth credentials are stored in unencrypted JSON. Until the v2026.2.25 patch, the Nostr privateKey was stored unredacted and retrievable through a plain config.get call — the flaw tracked as CVE-2026-32025, nicknamed ClawJacked. And if a gateway is reachable from anything other than localhost, related 2026 flaws in WebSocket handling and bootstrap-token replay create a realistic path to agent takeover.
The hardening sequence is straightforward: upgrade to at least v2026.5.12, keep live secrets out of committed config, bind the gateway to loopback, restrict credential access, rotate exposed tokens, and run a redacting backup job so config history never preserves a live credential. No new OpenClaw advisories have landed in the past 48 hours; the CVEs here date from January through May 2026. The exposure remains urgent because many installations were deployed before those fixes and were never reconfigured.
TL;DR: OpenClaw stores OAuth credentials, and previously stored Nostr private keys, in readable config data; any process or exploit path that can read that data can reach the secrets.
The convenience of a personal AI agent is that it can act across connected services. That convenience is also the risk. When credentials live in plaintext, the security of every connected account collapses to the security of one config directory and the interfaces that can read it.
Three confirmed issues define the OpenClaw plaintext secrets problem:
- privateKey was stored unredacted and retrievable via config.get. Any code path able to retrieve that config value could expose the identity key. The issue was patched in v2026.2.25.
- config.get exposure pattern: The deeper lesson of the OpenClaw config.get vulnerability is that a secret reachable through a broad config surface is reachable through whatever can invoke that surface.

Research has documented between 40,000 and 135,000 publicly exposed OpenClaw instances, with roughly 12,800 directly exploitable. That is not a theoretical attack surface; it is a live one.
TL;DR: Three 2026 vulnerabilities combine into a realistic takeover path, and the minimum safe version is v2026.5.12.
| CVE | What it does | Severity | Fix status |
|---|---|---|---|
| CVE-2026-32025 (ClawJacked) | Nostr private key readable via config.get | High | Patched in v2026.2.25 |
| CVE-2026-25253 | Cross-site WebSocket hijacking enabling agent takeover | CVSS 8.8 | Covered by upgrading to a safe current build |
| CVE-2026-33579 | Bootstrap token replay | Critical | Patched in v2026.5.12 |
The danger is the combination. CVE-2026-25253 covers cross-site WebSocket hijacking that can enable agent takeover. CVE-2026-33579 covers bootstrap token replay. Chain those with plaintext credential storage, and the attacker’s goal becomes simple: gain control of the agent interface, then use that access to reach credential-bearing config data.
This is why OpenClaw security hardening in 2026 starts with the version number. Running anything below v2026.5.12 falls short of the minimum safe baseline. The latest stable release is v2026.6.8; v2026.6.9-beta.1 is available for beta users. For production-style personal use, stay on stable and at or above v2026.5.12.
TL;DR: Upgrade, reduce plaintext exposure, bind to loopback, rotate exposed credentials, and back up only after redaction.
Do this first. It establishes the minimum safe baseline and closes the critical bootstrap token replay issue along with earlier fixes such as ClawJacked. Verify the running version explicitly; do not assume an auto-updater handled it.
Where a deployment can reference secrets from environment variables or an external secret source rather than inline values, use that pattern. The principle is simple: config files should describe where a secret lives, not contain the secret itself. A secrets manager, password-manager CLI, or runtime environment reference can keep live credentials out of files that get backed up, synced, or shared.
OpenClaw loopback binding is the highest-leverage network change. Bind the gateway to 127.0.0.1 instead of 0.0.0.0 so it only accepts connections from the local machine. If remote access is necessary, place access behind a properly authenticated reverse proxy or VPN rather than exposing the raw gateway.
Any OAuth credential, bootstrap token, or connected-service credential that lived in plaintext should be treated as exposed if the instance was publicly reachable or backed up without redaction. Rotate those credentials after upgrading and tightening access. Rotation matters because patching the software does not invalidate secrets that may already have been copied.
A real workflow pattern surfaced in the OpenClaw community: a daily 4:30am backup job that scans config and workspace files, redacts anything matching credential patterns, and only then commits the sanitized files to a private repo. That gives operators versioned recovery without writing live secrets into git history.
Stay Safe
Treat the OpenClaw config directory as if it were a wallet. Upgrade to at least v2026.5.12, bind to loopback, rotate credentials that lived in plaintext, and never commit unredacted config to any repo — public or private. If an instance has been internet-exposed, assume connected-account credentials may be compromised and rotate them.
TL;DR: OpenClaw can be run more safely in 2026, but only after upgrading, restricting network access, and treating plaintext credentials as compromised until rotated.
It can be, but not on insecure defaults. Upgrade to at least v2026.5.12 — the latest stable release is v2026.6.8 — bind the gateway to loopback, keep live secrets out of committed config, and rotate credentials that were stored in plaintext. An unconfigured, internet-exposed instance remains risky given the documented exploit chain.
ClawJacked is the vulnerability where OpenClaw stored the Nostr privateKey unredacted in config and made it retrievable through config.get. That exposed an identity key through any path able to read the relevant config value. It was patched in v2026.2.25, but upgrading further is necessary to reach the current minimum safe baseline.
No. The 2026 patches address specific vulnerabilities; they do not retroactively encrypt OAuth credentials already written to plaintext JSON. Operators still need to move secrets out of committed files where possible, restrict file access, redact backups, and rotate credentials that may have been exposed.
Research documented 40,000–135,000 publicly exposed OpenClaw instances, including about 12,800 directly exploitable instances. Binding the gateway to 127.0.0.1 removes the raw gateway from the public internet and limits access to the local machine, reducing the opportunity for remote WebSocket-based abuse.
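To confirm the loopback binding actually took effect, the check below classifies listening sockets from `ss` output and flags any gateway listener that is not loopback-only. It is an added example, not OpenClaw code; the port number and the sample `ss` lines are assumptions constructed for illustration.

```python
import ipaddress

GATEWAY_PORT = 18789  # assumed sample value; set this to the port your gateway uses

# Constructed `ss -H -ltn` output: before and after rebinding the gateway.
BEFORE = """\
LISTEN 0 4096 127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0 511        0.0.0.0:18789 0.0.0.0:*
LISTEN 0 511           [::]:18789    [::]:*
"""
AFTER = """\
LISTEN 0 4096 127.0.0.53%lo:53    0.0.0.0:*
LISTEN 0 511      127.0.0.1:18789 0.0.0.0:*
LISTEN 0 511          [::1]:18789    [::]:*
"""


def classify_bind(local):
    """Map an ss local address ('0.0.0.0:18789', '[::1]:18789', '*:18789')
    to (port, 'loopback' | 'wildcard' | 'non-loopback')."""
    host, _, port = local.rpartition(":")
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    if host == "*":
        return int(port), "wildcard"
    addr = ipaddress.ip_address(host)
    addr = getattr(addr, "ipv4_mapped", None) or addr  # ::ffff:127.0.0.1 -> 127.0.0.1
    if addr.is_unspecified:
        return int(port), "wildcard"
    return int(port), "loopback" if addr.is_loopback else "non-loopback"


def exposed_listeners(ss_output, port=GATEWAY_PORT):
    """Return (local address, kind) for every listener on `port` not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue  # header line or non-listening socket
        bound_port, kind = classify_bind(fields[3])
        if bound_port == port and kind != "loopback":
            findings.append((fields[3], kind))
    return findings
```

On a live host, pass the output of `ss -H -ltn` as `ss_output`; an empty result means every listener on that port is loopback-only.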
Run a scheduled job that scans config and workspace files for credential patterns, redacts the matched values, and commits only sanitized files to a private repo. The community 4:30am backup pattern follows that model: versioned recovery without live secrets in git history.
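The redact-before-commit step from the backup workflow and the answer above, as an added example (not the community job or OpenClaw's own code). Apart from `privateKey`, the key names, value patterns, the `${VAR}` reference form and the sample config are assumptions constructed for illustration.

```python
import json
import re

# Key names treated as secret-bearing. "privateKey" comes from the page; the
# other names are assumptions, not OpenClaw's documented schema.
SECRET_KEY_RE = re.compile(
    r"private[_-]?key|secret|token|password|api[_-]?key|credential", re.I)
# Assumed value shapes (Nostr nsec, bearer header, 64-char hex) caught under any key.
SECRET_VALUE_RE = re.compile(r"^(nsec1[0-9a-z]{20,}|Bearer\s+\S+|[0-9a-fA-F]{64})$")
# A value that only says where the secret lives (assumed ${VAR} form) is kept.
REFERENCE_RE = re.compile(r"^\$\{[A-Z0-9_]+\}$")
PLACEHOLDER = "[REDACTED]"

# Constructed sample config; structure and values are invented for the example.
SAMPLE = json.dumps({
    "channels": {"nostr": {"privateKey": "a3" * 32, "relays": ["wss://relay.example"]}},
    "oauth": {"example": {"access_token": "ya29.constructed", "expires_in": 3600}},
    "model": {"apiKey": "${MODEL_API_KEY}"},
    "notes": "nsec1" + "q" * 58,
})


def redact(node, path="$", tainted=False, hits=None):
    """Return (sanitized copy, [(json_path, original_value)]). Strings under a
    secret-named key are redacted even when nested in lists or objects below it."""
    hits = [] if hits is None else hits
    if isinstance(node, dict):
        clean = {k: redact(v, f"{path}.{k}",
                           tainted or bool(SECRET_KEY_RE.search(k)), hits)[0]
                 for k, v in node.items()}
    elif isinstance(node, list):
        clean = [redact(v, f"{path}[{i}]", tainted, hits)[0] for i, v in enumerate(node)]
    elif (isinstance(node, str) and node != PLACEHOLDER
          and not REFERENCE_RE.match(node)
          and (tainted or SECRET_VALUE_RE.match(node))):
        hits.append((path, node))
        clean = PLACEHOLDER
    else:
        clean = node
    return clean, hits


def sanitize_for_commit(raw_json):
    """Redact, then fail closed if a redacted value still appears in the output."""
    clean, hits = redact(json.loads(raw_json))
    out = json.dumps(clean, indent=2, sort_keys=True)
    if any(value and value in out for _, value in hits):
        raise RuntimeError("secret survived redaction; refusing to write backup")
    return out, [path for path, _ in hits]
```

The final check catches a secret that was also pasted into free text under an innocuous key, which key-name matching alone would commit to history.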
TL;DR: The safest OpenClaw posture is current software, local-only gateway access, credential rotation, and redacted backups.
privateKey exposure.
TL;DR: OpenClaw’s 2026 security story is not just about patching CVEs; it is about treating agent config as a high-value secrets store.
The uncomfortable truth about personal AI agents is that they concentrate risk: one config directory can hold the keys to multiple connected services. OpenClaw’s plaintext defaults made that concentration dangerous, and the 2026 CVE record shows how agent control, token replay, and config access can reinforce one another.
The practical playbook is short and within an operator’s control: upgrade to a safe version, bind the gateway locally, reduce plaintext credential exposure, rotate anything that may have leaked, and make redaction part of every backup workflow. As personal agents accumulate more connected-account access, the teams and individuals who treat agent credential stores like production secrets vaults will be the ones least likely to become the next ClawJacked case study.