A frightening OpenClaw vulnerability has been discovered

If you’re using OpenClaw, the hugely popular agentic AI tool that has taken the developer community by storm, you should probably update it, if you haven’t already.

OpenClaw, as we’ve previously reported, has widely known security issues. From the beginning, OpenClaw creator Peter Steinberger has warned potential users on GitHub that “there is no ‘completely secure’ setup.”

Users can grant OpenClaw control over their devices and access to specific apps, local files, and logged-in accounts, allowing it to act on their behalf with full user permissions. That’s the whole point of this agentic AI assistant. That’s why, as security researchers have been warning for months, it’s a significant risk if something goes wrong.

Now, presumably, something went wrong.

According to Ars Technica, OpenClaw developers fixed three high-severity vulnerabilities early last week, the most serious of which – CVE-2026-33579 – scored 9.8 out of 10 on the severity scale. Researchers at AI app-builder Blink found that this flaw allowed anyone with the lowest possible level of access to quietly upgrade themselves to full administrator.

The mechanics, as Blink describes them, are straightforward. OpenClaw’s device pairing system failed to verify whether the person approving an access request actually had the authority to approve it. Therefore, an attacker with basic pairing privileges could simply ask for administrator access and approve their own request. The door was, functionally, open from the inside.

How many users were vulnerable to this kind of OpenClaw setup takeover? Blink researchers reported that about 63 percent of OpenClaw instances connected to the Internet were running without any authentication. On those deployments, an attacker didn’t even need a low-level account to get started – they could walk in off the street and work their way up to administrator.

Ars Technica notes that the patch was released on Sunday, April 5, but the official CVE entry was not published until Tuesday. That two-day lag gave attackers time to start paying attention before most users even knew they needed to update.

Blink notes that CVE-2026-33579 is the sixth pairing-related vulnerability disclosed in OpenClaw in six weeks – all variations on the same underlying design flaw in how the tool handles permissions. Each patch addressed a specific exploit in isolation rather than reworking the authorization system responsible for all of them.

If you are running OpenClaw, update to version 2026.3.28 immediately. If you were running an older version in the past week, both Ars Technica and Blink recommend considering your instance as potentially compromised and auditing your activity logs for questionable device approvals.
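To make the two points above concrete – the missing authority check in the pairing approval flow, and the audit of activity logs for questionable device approvals – here is an added example in Python. It is not OpenClaw’s code, API or log format; the roles, the `PairingService` class, the `pair.approve` log lines and the `BASELINE_ROLES` table are all constructed for illustration. The `verify_approver` flag switches between the flawed behaviour (any principal with pairing rights can approve a request, including its own) and the checked behaviour (only a distinct administrator can approve). The audit replays the approvals in order and also flags grants made by a principal whose own admin role came from a suspicious approval, so a chained escalation does not look legitimate just because the approver was “admin” at the time.

```python
"""Hypothetical model of a device-pairing approval flow and a log audit for
suspicious approvals. Everything here is constructed for illustration; it is
not OpenClaw's code, API or log format."""
import re
from dataclasses import dataclass, field
from enum import IntEnum
from typing import Dict, List, Optional


class Role(IntEnum):
    NONE = 0
    PAIRING = 1    # lowest level: may submit pairing requests
    OPERATOR = 2
    ADMIN = 3


@dataclass
class PairRequest:
    request_id: str
    requester: str
    requested_role: Role
    approved_by: Optional[str] = None


@dataclass
class PairingService:
    roles: Dict[str, Role]                        # principal -> current role
    verify_approver: bool = True                  # False reproduces the flaw
    pending: Dict[str, PairRequest] = field(default_factory=dict)
    _counter: int = 0

    def request(self, requester: str, role: Role) -> str:
        """Any principal holding at least pairing rights may ask for a role."""
        if self.roles.get(requester, Role.NONE) < Role.PAIRING:
            raise PermissionError(f"{requester} may not submit pairing requests")
        self._counter += 1
        rid = f"req-{self._counter}"
        self.pending[rid] = PairRequest(rid, requester, role)
        return rid

    def approve(self, request_id: str, approver: str) -> Role:
        """Grant the requested role. With verify_approver=False, nobody checks
        who is approving, so a requester can approve itself."""
        req = self.pending.pop(request_id)
        if self.verify_approver:
            # The check the article describes as missing: the approver must be
            # a distinct principal who already holds administrator rights.
            if approver == req.requester:
                raise PermissionError("a request cannot be approved by its own requester")
            if self.roles.get(approver, Role.NONE) < Role.ADMIN:
                raise PermissionError(f"{approver} lacks authority to grant {req.requested_role.name}")
        req.approved_by = approver
        current = self.roles.get(req.requester, Role.NONE)
        self.roles[req.requester] = max(current, req.requested_role)
        return self.roles[req.requester]


def self_escalation_succeeds(verify_approver: bool) -> bool:
    """Return True if a pairing-level principal can grant itself ADMIN."""
    svc = PairingService(roles={"owner": Role.ADMIN, "new-device": Role.PAIRING},
                         verify_approver=verify_approver)
    rid = svc.request("new-device", Role.ADMIN)
    try:
        svc.approve(rid, approver="new-device")
    except PermissionError:
        return False
    return svc.roles["new-device"] == Role.ADMIN


# Constructed log format (not OpenClaw's): one line per approval event.
LOG_LINE = re.compile(r"pair\.approve request=(\S+) requester=(\S+) approver=(\S+) role=(\S+)")


def audit_approvals(log_lines: List[str], roles_before: Dict[str, Role]) -> List[str]:
    """Return ids of approvals that were self-approved, approved by a
    non-admin, or approved by a principal whose admin role was itself the
    product of a flagged approval. roles_before is the role table as it stood
    before the log window began."""
    roles = dict(roles_before)
    tainted = set()          # principals whose privileges came from a flagged grant
    flagged = []
    for line in log_lines:
        m = LOG_LINE.search(line)
        if not m:
            continue
        rid, requester, approver, role = m.groups()
        granted = Role[role.upper()]
        suspicious = (approver == requester
                      or roles.get(approver, Role.NONE) < Role.ADMIN
                      or approver in tainted)
        if suspicious:
            flagged.append(rid)
            tainted.add(requester)
        roles[requester] = max(roles.get(requester, Role.NONE), granted)  # replay the grant
    return flagged


# Constructed sample log and baseline roles for the audit.
BASELINE_ROLES = {"owner": Role.ADMIN, "ci-runner": Role.PAIRING,
                  "unknown-phone": Role.PAIRING, "tablet": Role.PAIRING}
SAMPLE_LOG = [
    "2026-04-03T09:12:41Z pair.approve request=req-101 requester=ci-runner approver=owner role=operator",
    "2026-04-03T22:47:05Z pair.approve request=req-117 requester=unknown-phone approver=unknown-phone role=admin",
    "2026-04-04T01:03:19Z pair.approve request=req-118 requester=tablet approver=unknown-phone role=admin",
    "2026-04-04T08:30:00Z pair.request request=req-119 requester=tablet role=admin",
]

if __name__ == "__main__":
    print("self-escalation without check:", self_escalation_succeeds(False))   # True
    print("self-escalation with check:   ", self_escalation_succeeds(True))    # False
    print("flagged approvals:", audit_approvals(SAMPLE_LOG, BASELINE_ROLES))   # req-117, req-118
```

In the sample log, `req-117` is flagged because the requester approved itself, and `req-118` is flagged even though its approver held the admin role at the time, because that role traces back to the self-approval. An audit that only checks each approver’s role at the moment of approval would miss the second grant, which is why the replay tracks tainted principals.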

Furthermore, it may be fair to ask whether the productivity gains from such a powerful tool are worth the security risks that come with it.
