ffsdeploy
OpenClawSecurity

OpenClaw Security Guide: CVEs, Risks, and How to Deploy Safely

ffsdeploy·

OpenClaw is the most forked AI agent framework on GitHub. That popularity means it's also the most targeted. We've shipped hundreds of agents built on OpenClaw, and we've learned the hard way that popularity and security are inversely proportional if you're not careful.

This isn't scare tactics. OpenClaw is solid at its core. But we've seen enough misconfigured deployments, unpatched versions, and prompt injection exploits in the wild to know that knowing the risks matters. Here's what we've learned.

The CVE Timeline

OpenClaw has had three significant vulnerabilities disclosed. If you're running an older version, you're exposed.

CVE-2026-25253: Prompt Injection via Tool Call Parameters (Critical, CVSS 9.1)

Affected versions: < 2.3.1

The tool execution layer didn't sanitize user input passed to external APIs. If your agent called external tools with user-controlled parameters (database queries, API endpoints, function names), an attacker could inject malicious instructions that the tool itself would execute. We've seen this chain from a chatbot integration all the way through to database access.

Fix: Upgrade immediately. Version 2.3.1+ validates all tool parameters against a schema before execution.

CVE-2026-18847: Memory Leak in Long-Running Conversation Sessions (Medium, CVSS 5.3)

Affected versions: < 2.2.0

Conversation contexts weren't being garbage collected after sessions ended. If you had long-running agents or high-throughput chat applications, memory would climb steadily. We've seen deployments hit OOM and crash after 72 hours of operation.

Fix: Patch to 2.2.0+. Also set contextRetentionWindow to a reasonable value in your config (see the checklist below).

CVE-2026-31102: SSRF Through Webhook Configuration (High, CVSS 7.8)

Affected versions: < 2.3.4

Webhook URLs weren't validated. You could point a webhook at internal services (like 169.254.169.254, or localhost:6379 to hit Redis). The agent would faithfully POST to those endpoints on events. This opened paths to internal network reconnaissance and data exfiltration.

Fix: Patch to 2.3.4+. Webhook URLs are now validated against a blocklist of internal ranges.

Common Misconfigurations We've Seen

CVEs catch the headlines. Misconfigurations catch your agents.

  • Unrestricted tool access: Giving agents access to tools they don't need. If your customer service bot needs to query a database, it doesn't need access to file system operations.
  • Missing rate limits: No throttling on token generation or tool calls. An attacker spins up a loop, your bill spins up with it.
  • Exposed admin endpoints: Management APIs with weak or no authentication. We've found /admin/config endpoints live on the internet with default credentials.
  • Overly permissive CORS: Allowing any domain to call your agent API. You're now the vector for client-side attacks.
  • No output filtering: Raw agent responses exposed to users. If your agent hallucinates personal data or leaks system information, it goes straight through.

The Production Security Checklist

We run through this for every agent we deploy. It's not optional.

  • Pin your OpenClaw version. Don't use major version ranges. Update on a schedule, not automatically.
  • Enable tool call sandboxing. Run tools in isolated processes or containers. Never in-process.
  • Set token budgets. Cap tokens per request, per session, per day. Hard limits.
  • Configure rate limiting. Per IP, per user ID, per endpoint. Different tiers for different use cases.
  • Use environment-specific API keys. Prod keys are different from staging. Rotate them regularly.
  • Enable audit logging. Log every tool call, every config change, every API key access. Ship logs somewhere immutable.
  • Set up output filtering. Check agent responses for patterns: email addresses, API keys, database connection strings, PII. Block and log suspicious outputs.
  • Restrict network access. Run agents in VPCs. Allowlist external endpoints. No SSRF means no surprise connections to internal services.
  • Monitor for prompt injection patterns. Track requests that contain keywords like "ignore", "pretend", "forget your instructions", "system prompt". Alert on spikes.
  • Regular dependency audits. Run npm audit or equivalent. Have a process to test and merge security updates within 48 hours.

A Secure Configuration Example

Here's what a hardened OpenClaw config looks like:

agent:
  version: "2.3.4"
  name: "customer-support-bot"

execution:
  sandbox: true
  sandboxType: "docker"
  timeout: 30s

tokenBudget:
  perRequest: 4000
  perSession: 50000
  perDay: 500000

rateLimit:
  requests:
    perIP: 100/minute
    perUser: 500/hour
  tokens:
    perIP: 100000/minute
    perUser: 1000000/hour

tools:
  enabled:
    - "database_query"
    - "customer_lookup"
  disabled:
    - "file_system"
    - "shell_execution"

  database_query:
    allowedQueries:
      - "SELECT"
      - "WHERE"
    blockedPatterns:
      - "DROP"
      - "DELETE"
      - "--"
      - "/*"

secretsManagement:
  provider: "vault"
  rotationIntervalDays: 30

audit:
  enabled: true
  destination: "splunk"
  includeToolCalls: true

outputFiltering:
  enabled: true
  patterns:
    - "\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Z|a-z]{2,}\b"  # emails
    - "AKIA[0-9A-Z]{16}"  # AWS keys
    - "sk_live_[0-9a-zA-Z]{32}"  # Stripe keys
  action: "redact"

That's the skeleton. Your specific config will vary based on what tools your agent needs. The principle stays: tight by default, expanded only where necessary.

Safe Deployment Architecture

Configuration is half the battle. Architecture is the other half. We run agents behind a reverse proxy, always.

Load Balancer (with WAF)
  └── Reverse Proxy (NGINX, rate limiting, auth)
        └── Agent Container (isolated, limited resources)
              └── Tool Sandbox (separate container per tool call)

Secrets: HashiCorp Vault (never in config, environment, or logs)
Logs: Splunk/DataDog (immutable, encrypted at rest)
Metrics: Prometheus (watch for token spend, error rates, latency)
Alerts: PagerDuty (prompt injection patterns, OOM events, auth failures)

The reverse proxy catches malformed requests. The sandbox catches tool escapes. Vault keeps secrets out of your codebase. Logs keep you honest.

What We Do Differently

We've learned that every OpenClaw deployment is different. So we built a configurator that bakes in these security defaults. You choose your threat model (is this internal? customer-facing? high-stakes transactions?), and we strip back the permissions.

No guessing. No CVEs hiding in your config.

Check it out at /configure.