{"id":7166,"date":"2026-02-19T12:14:23","date_gmt":"2026-02-19T12:14:23","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=7166"},"modified":"2026-02-19T12:14:23","modified_gmt":"2026-02-19T12:14:23","slug":"six-flaws-found-hiding-in-openclaws-plumbing","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=7166","title":{"rendered":"Six flaws found hiding in OpenClaw\u2019s plumbing"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>Security researchers have uncovered six high-to-critical flaws affecting the open-source AI agent framework<a href=\"https:\/\/www.csoonline.com\/article\/4129867\/what-cisos-need-to-know-about-clawdbot-i-mean-moltbot-i-mean-openclaw.html\" target=\"_blank\" rel=\"noopener\"> OpenClaw<\/a>, popularly known as a \u201csocial media for AI agents.\u201d The flaws were discovered by Endor Labs as its researchers ran the platform through an AI-driven static application security testing (SAST) engine designed to follow how data actually moves through the <a href=\"https:\/\/www.moltbook.com\/\" target=\"_blank\" rel=\"noopener\">agentic AI software<\/a>.<\/p>\n<p>The bugs span several web security categories, including server-side request forgery (SSRF), missing webhook authentication, authentication bypasses, and path traversal, affecting the complex agentic system that combines large language models (LLMs) with tool execution and external integrations.<\/p>\n<p>The researchers also published working proof-of-concept exploits for each of the flaws, confirming real-world exploitability. 
OpenClaw has published patches and <a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\" target=\"_blank\" rel=\"noopener\">security advisories<\/a> for the issues.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Flaws included SSRF paths, auth bypass, and file escapes<\/h2>\n<p>Endor Labs\u2019 disclosure characterized the six OpenClaw vulnerabilities by weakness type and individual severity rather than CVE identifiers.<\/p>\n<p>Several of the issues are <a href=\"https:\/\/www.csoonline.com\/article\/571411\/ssrf-attacks-explained-and-how-to-defend-against-them.html\">SSRF<\/a> bugs affecting different tools, including a <a href=\"https:\/\/github.com\/openclaw\/openclaw\/commit\/c5406e1d2434be2ef6eb4d26d8f1798d718713f4\" target=\"_blank\" rel=\"noopener\">gateway component<\/a> (CVSS 7.6) that accepts user-supplied URLs to establish outbound WebSocket connections. The other two are an SSRF in <a href=\"https:\/\/github.com\/openclaw\/openclaw\/commit\/bfa7d21e997baa8e3437657d59b1e296815cc1b1\" target=\"_blank\" rel=\"noopener\">Urbit Authentication<\/a> (CVSS 6.5) and an <a href=\"https:\/\/github.com\/openclaw\/openclaw\/commit\/81c68f582d4a9a20d9cca9f367d2da9edc5a65ae\" target=\"_blank\" rel=\"noopener\">Image Tool<\/a> SSRF (CVSS 7.6). These SSRF paths were rated medium to high severity because they could allow access to internal services or cloud metadata endpoints, depending on deployment.<\/p>\n<p>Access control failures accounted for another cluster of findings. The \u201c<a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-4hg8-92x6-h2f3\" target=\"_blank\" rel=\"noopener\">Telnyx<\/a>\u201d webhook handler, designed to receive external events, lacked proper webhook verification (CVSS 7.5), enabling forged requests from untrusted sources. 
Separately, an authentication bypass (CVSS 6.5) allowed unauthenticated users to invoke protected \u201c<a href=\"https:\/\/github.com\/openclaw\/openclaw\/commit\/ff11d8793b90c52f8d84dae3fbb99307da51b5c9\">Twilio<\/a>\u201d webhook functionality without valid credentials.<\/p>\n<p>The disclosure also detailed a path traversal vulnerability (CVSS not assigned) in <a href=\"https:\/\/github.com\/openclaw\/openclaw\/commit\/3aa94afcfd12104c683c9cad81faf434d0dadf87\" target=\"_blank\" rel=\"noopener\">browser upload<\/a> handling, where insufficient sanitization of file paths could allow writes outside intended directories.<\/p>\n<p>\u201cThe combination of AI-powered analysis and systematic manual validation provides a practical path forward for securing AI infrastructure,\u201d the researchers said. \u201cAs AI agent frameworks become more prevalent in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI-specific attack surfaces.\u201d<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Following the data revealed the danger<\/h2>\n<p>To overcome the limitations of \u201ctraditional static analysis\u201d tools, which reportedly struggle with modern software stacks where inputs pass through numerous transformations before reaching risky operations, Endor Labs implemented the AI <a href=\"https:\/\/www.csoonline.com\/article\/568049\/top-sast-and-dast-tools.html\">SAST<\/a> approach, which, it claimed, maintains context across these transformations.<\/p>\n<p>This helped the researchers understand \u201cnot only where dangerous operations exist but also whether attacker-controlled data can reach them.\u201d The test engine mapped the full journey of \u201cuntrusted data,\u201d from entry points such as HTTP parameters, configuration values, or external API responses to security-sensitive \u201csinks\u201d like network requests, file operations, or command execution. 
<\/p>\n<p>Endor Labs said it responsibly disclosed the vulnerabilities to the OpenClaw maintainers, who subsequently addressed the issues, allowing the researchers to publish technical details. The disclosure did not provide extensive mitigation guidance but noted that fixes were implemented across the affected components.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>Security researchers have uncovered six high-to-critical flaws affecting the open-source AI agent framework OpenClaw, popularly known as a \u201csocial media for AI agents.\u201d The flaws were discovered by Endor Labs as its researchers ran the platform through an AI-driven static application security testing (SAST) engine designed to follow how data actually moves through the agentic [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":7167,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-7166","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7166"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=7166"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/7166\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/7167"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=7166"}],"wp:term":[{"taxonomy":"category","e
mbeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=7166"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=7166"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}