OpenClaw's First CVE Flood: Nine Disclosures in Four Days

If you maintain an OpenClaw deployment, the past 36 hours have probably looked like a Slack thread that won't stop scrolling. As of today, March 19, the project is on day two of a coordinated disclosure window that will publish nine CVEs over four days — the largest single batch of vulnerabilities since OpenClaw's first public release. By Saturday's close, the advisory feed will catch up; today, it's still mid-flood.

This is the moment a young open-source project starts to feel like infrastructure. Big enough to attract real researchers. Big enough that "it's just a side project" stops being a defense.

What's been disclosed so far

The disclosures span the full agent surface area: the runtime, the plugin sandbox, the auth layer, and the multi-operator approval flow. The severity distribution lands as one critical, six high, two medium — by CVSS, a textbook "fix this week" batch.

Severity	Count	Notes
Critical (CVSS 9.0+)	1	Affects core runtime memory boundaries
High (7.0–8.9)	6	Auth, sandbox, and plugin-execution surface
Medium (4.0–6.9)	2	Lower-impact configuration and logging issues

The headline entry is CVE-2026-25253 — "ClawBleed" — a memory-disclosure flaw in the agent runtime that, under specific tool-call patterns, can leak fragments of one session's context into another. It's the only 9.x in the set, and it's the one likeliest to make it into a Hacker News title by tonight.

Two more deserve specific attention because they touch how operators actually run OpenClaw in production:

• CVE-2026-32922 is a token-rotation flaw in the auth subsystem. Under certain refresh-race conditions, a previously rotated token could remain valid past its intended expiration window. If you're running OpenClaw with short-lived credentials specifically to limit blast radius, this vulnerability is the one that quietly defeated that strategy.
• CVE-2026-33579 affects the pair-approve workflow — the multi-operator confirmation step that gates high-impact agent actions. Under a crafted sequence, a single approver could effectively self-pair. For deployments using pair-approve as the human-in-the-loop control plane, this is the one to read carefully.

The remaining six aren't being individually identified in this post — the full advisory pages will be the source of truth as they publish.

The part that makes this a good day

Here's the wrinkle that changes the story: five of the nine were already patched before any of this hit the advisory feed. Version 2026.2.22, which shipped quietly back on February 22, included fixes for the majority of today's flood. If you're on a current release line, you've been protected for nearly a month and didn't know why.

That's the textbook outcome of responsible disclosure done well. The CVE numbers and the patches are decoupled in time on purpose. Researchers report; maintainers fix; the patch ships in a routine release; the advisory drops only after enough deployments have rolled forward to make exploitation costlier than disclosure. The four-day publication window we're in the middle of right now is the back half of a process that started weeks ago.

The downside: anyone still pinned to a version older than 2026.2.22 just got handed a roadmap. That's the unavoidable shape of disclosure economics. There is no way to publish a fix without also publishing the fact that there was something to fix.

What to do today if you operate OpenClaw

This is a release-notes day, so let's keep this concrete.

1. Confirm your deployed version. If you're on 2026.2.22 or later, you already have patches for five of the nine — including, per the advisory pages, the critical entry. If you're on anything earlier, treat upgrading as the day's top priority.
2. Read the advisories as they land. Two have published as of this writing; the rest will roll out across March 20–21. Each individual advisory will identify the affected components, attack prerequisites, and the exact version that contains the fix. Don't infer from this post — read the source.
3. Audit your token-rotation logs. CVE-2026-32922 has a behavioral signature. If you have refresh logs going back to early February, you can check whether any rotated token remained accepted past its declared expiry.
4. Re-validate your pair-approve policy. CVE-2026-33579 is a workflow flaw, not just a code flaw. Once you've patched, walk a real high-impact action through the approval path and confirm the second approver requirement actually fires.
5. Subscribe to the security feed. The most useful long-term fix is making sure you don't learn about the next batch from a blog post.

The bigger story

OpenClaw is still a young project. Until this week, the public CVE list could be read in one sitting. After Saturday, that's no longer true — and that's the actual shift worth marking.

Open-source AI agent platforms are now widely-deployed enough to warrant the same scrutiny we apply to web frameworks and databases. That brings real friction: more advisories, more upgrade pressure, more incident reviews. It also brings real value: external researchers actually looking, maintainers actually fixing, version numbers actually meaning something.

A coordinated nine-CVE flood with most of the fixes already in production is not the worst-case version of this story. It's roughly the best-case version. The worst case is an unpatched zero-day in the wild and no advisory pipeline to disclose against. We're not in that universe today.

We will be eventually. Which is why the muscle that's being exercised this week — researcher submits, maintainer patches, release ships, advisory drops, operators upgrade — is exactly the muscle the project needs to have working before it gets tested for real.

Today's a release-notes day. The next one might not be.

Key Takeaways

• OpenClaw is shipping nine CVEs across four days starting March 18, 2026 — the largest single batch since the project's first public release.
• The severity distribution is one critical, six high, two medium. The headline is CVE-2026-25253 ("ClawBleed"), a memory-disclosure flaw in the agent runtime.
• Five of the nine were already patched in version 2026.2.22 (shipped quietly Feb 22) — operators current on releases got the fix nearly a month before the advisory feed.
• Two operator-facing CVEs deserve specific attention: CVE-2026-32922 (token-rotation race in auth) and CVE-2026-33579 (pair-approve self-pairing under crafted sequence).
• This is roughly the best-case shape of a CVE flood: responsible disclosure, patches in production before publication, clear advisory pipeline. The worst case — unpatched zero-day, no disclosure muscle — is the universe to plan against.