OpenClaw Just Got Easier to Deploy and Harder to Secure
On March 4, 2026, AWS made OpenClaw a one-click deployment on Amazon Lightsail. Select the blueprint, pick your instance size, pair your browser, and you're running a personal AI agent in the cloud. No command line, no Docker configuration, no SSH setup beyond the initial pairing.
The same week, security researchers at Oasis Security disclosed a zero-click vulnerability in OpenClaw's core gateway that lets any malicious website silently hijack a developer's AI agent. No plugins, no extensions, no user interaction required. Just visiting a webpage.
This isn't a contradiction. It's the tension that's been running through OpenClaw's entire existence: the project is genuinely useful, genuinely popular (250,000+ GitHub stars, more than React), and genuinely dangerous if deployed without understanding what you're exposing.
AWS making it one-click-deployable doesn't resolve that tension. It just means more people are about to encounter it.
What AWS Lightsail actually provides
The Lightsail blueprint is a real improvement over the typical DIY OpenClaw setup. It ships pre-configured with Amazon Bedrock as the default model provider (Claude Sonnet 4.6 specifically), sandboxed agent sessions, one-click HTTPS access, device pairing authentication, and automatic snapshots for backup.
AWS recommends a 4GB memory instance and has published a full user guide covering IAM role setup, Bedrock API access, and messaging app connections. The tone of the announcement is measured - the AWS blog post explicitly notes that running OpenClaw "may cause security threat if you are careless" and recommends never exposing the gateway to the open internet.
That's a more honest framing than OpenClaw typically gets. But "more honest than usual" isn't the same as "secure by default."
Security engineer Gerardo Castro tested the Lightsail blueprint immediately after launch and found it shipped with 31 unpatched security updates, including critical kernel vulnerabilities. The default configuration also exposes the gateway token in plaintext on the dashboard, runs dual-stack IPv4/IPv6 (which can bypass IPv4-only firewall rules), and uses Apache2 as the underlying web server - introducing a secondary attack surface.
None of this is unusual for a cloud blueprint. AWS provides the infrastructure; security hardening is the user's responsibility. But the gap between "one-click deploy" as a user expectation and "patch your kernel, lock down your firewall, rotate your tokens" as a security requirement is exactly the kind of gap that leads to incidents.
The vulnerability timeline keeps growing
The zero-click exploit disclosed by Oasis Security in late February is the most recent, but it's far from the only one. Here's the current state of OpenClaw's security track record:
CVE-2026-25253 (January 2026, CVSS 8.8): A one-click remote code execution flaw in the gateway's Control UI. The UI accepted a gatewayUrl parameter from the URL without validation and auto-connected, transmitting the authentication token to whatever server was specified. Security researcher Mav Levin at DepthFirst chained this into a full RCE exploit that completed in milliseconds after a single link click. Patched in version 2026.1.29, but all prior versions were vulnerable. The exploit worked even on instances configured for localhost-only access - the victim's own browser handled the outbound connection.
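The class of bug described above, a connection target taken from the URL and trusted as-is, sketched next to a validated version. This is an added example, not OpenClaw's code or its actual patch; the function names, the allowlist entry, the port and the sample links are all constructed assumptions.

```javascript
// Added illustration. Function names and the allowlist entry are hypothetical;
// this is not OpenClaw's code or its actual patch.
const TRUSTED_GATEWAYS = new Set(["wss://gateway.example.internal:8443"]);

// The pattern described above: whatever gatewayUrl the link carries is used
// as the connection target, so the auth token follows it.
function resolveGatewayUnsafe(pageUrl, defaultGateway) {
  return new URL(pageUrl).searchParams.get("gatewayUrl") || defaultGateway;
}

// Hardened: the parameter is honoured only if it parses, uses wss:, carries no
// userinfo, and its normalised origin is on the allowlist. Anything else falls
// back to the configured default and reports why.
function resolveGateway(pageUrl, defaultGateway, trusted = TRUSTED_GATEWAYS) {
  const fallback = (reason) => ({ url: defaultGateway, decision: `rejected:${reason}` });
  const param = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (param === null) return { url: defaultGateway, decision: "default" };

  let candidate;
  try {
    candidate = new URL(param);
  } catch {
    return fallback("unparseable");
  }
  if (candidate.protocol !== "wss:") return fallback("scheme");
  if (candidate.username || candidate.password) return fallback("userinfo");
  // Compare the parsed origin, never a string prefix of the raw parameter.
  if (!trusted.has(candidate.origin)) return fallback("origin");
  return { url: candidate.origin, decision: "allowlisted" };
}

// Constructed sample links for a Control UI served on localhost.
const UI = "http://127.0.0.1:8080/?gatewayUrl=";
const samples = [
  UI + encodeURIComponent("wss://gateway.example.internal:8443/ws"),
  UI + encodeURIComponent("wss://collector.invalid/ws"),
  UI + encodeURIComponent("wss://gateway.example.internal:8443@collector.invalid/ws"),
  UI + encodeURIComponent("ws://gateway.example.internal:8443/ws"),
];
for (const link of samples) console.log(resolveGateway(link, "wss://127.0.0.1:8080").decision);
```

The third sample shows why the check runs on the parsed origin: a raw-string prefix match would accept it, while the parser places the trusted hostname in the userinfo field.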
Zero-click localhost takeover (late February 2026): Oasis Security found that a malicious website could silently open WebSocket connections to a locally running OpenClaw gateway. Because browsers don't apply same-origin policy to WebSocket connections to localhost, and because OpenClaw's rate limiter completely exempted localhost traffic, the attack script could brute-force the gateway password at hundreds of attempts per second with no throttling. Once authenticated, it auto-registered as a trusted device (the gateway auto-approves pairings from localhost without prompting the user) and gained full admin control. The root cause: three flawed assumptions baked into the architecture - that localhost connections are inherently trustworthy, that browsers can't reach local services cross-origin, and that rate limiting doesn't need to apply to loopback addresses.
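A handshake gate that drops each of the three assumptions listed above, written as an added example rather than OpenClaw's own code. The class, its method and field names, the allowed origin and the limiter thresholds are hypothetical.

```javascript
// Added illustration. Class, method and field names are hypothetical and the
// origin/limits are constructed values; this is not OpenClaw's gateway code.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080"]); // the gateway's own UI
const MAX_FAILURES = 5;
const WINDOW_MS = 60_000;

class GatewayGuard {
  constructor(now = () => Date.now()) {
    this.now = now;
    this.failures = new Map(); // remote address -> failure timestamps
  }

  // Assumption 2: browsers attach Origin to a WebSocket handshake but do not
  // block it cross-origin, so the server must check it. Clients that send no
  // Origin (CLI tools) pass this step and still have to authenticate.
  originAllowed(headers) {
    return headers.origin === undefined || ALLOWED_ORIGINS.has(headers.origin);
  }

  // Assumption 3: the limiter keys on the remote address with no exemption
  // for 127.0.0.1 or ::1.
  throttled(addr) {
    const t = this.now();
    const recent = (this.failures.get(addr) || []).filter((ts) => t - ts < WINDOW_MS);
    this.failures.set(addr, recent);
    return recent.length >= MAX_FAILURES;
  }

  // Assumption 1: a correct password from loopback authenticates the session,
  // but pairing a new device always waits for the user to approve it.
  handle(req, passwordOk) {
    if (!this.originAllowed(req.headers)) return "reject:origin";
    if (this.throttled(req.remoteAddr)) return "reject:throttled";
    if (!passwordOk(req.password)) {
      this.failures.get(req.remoteAddr).push(this.now());
      return "reject:auth";
    }
    return req.wantsPairing ? "pending:user-approval" : "accept";
  }
}
```

Once the failure budget is spent, even a correct password from 127.0.0.1 is refused until the window expires, which is what takes away unthrottled guessing over loopback.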
CVE-2026-28462 (March 2026): Path traversal in the browser control API. Attackers with API access could write files outside intended temp directories via POST endpoints. Patched in version 2026.2.13.
CVE-2026-28468 (March 2026): Authentication bypass in the sandbox browser bridge server. Local attackers could enumerate tabs, retrieve WebSocket URLs, execute JavaScript, and exfiltrate cookies and session data from authenticated browser contexts. Patched in version 2026.2.14.
CVE-2026-28466 (March 2026): Approval bypass for system.run commands. Authenticated gateway clients could inject approval control fields to execute arbitrary commands on connected hosts, bypassing the exec approval mechanism. Patched in version 2026.2.14.
That's five significant security issues in roughly two months - and these are the ones that were found and disclosed. The project has 400,000+ lines of code across 52+ modules. Nobody has audited all of it.
The skills marketplace is a supply chain problem
The vulnerabilities above are all in OpenClaw's core gateway. But the skills marketplace is a separate, arguably worse, attack surface.
Koi Security audited ClawHub (OpenClaw's community skill repository) and found 341 malicious skills in their initial scan. By their February 16 update, the number had grown to over 824 across an expanded registry of 10,700+ skills. Bitdefender's independent analysis put the figure at approximately 900 - roughly 20% of the total ecosystem.
The campaign, tracked as ClawHavoc, was coordinated: 335 of the original 341 malicious entries traced back to a single operation, primarily delivering Atomic macOS Stealer (AMOS). OpenClaw has since partnered with VirusTotal to scan ClawHub skills for malware, but the fundamental problem remains - skills inherit the permissions of the agent runtime, and most users install them without reviewing the source code.
This matters for the AWS Lightsail discussion because one of the first things new OpenClaw users do is browse skills to extend their agent's capabilities. AWS's blueprint doesn't vet which skills you install.
The exposure is massive and growing
The number of OpenClaw instances reachable from the open internet tells the story of how quickly deployment outpaced security awareness.
Censys tracked growth from roughly 1,000 to over 21,000 publicly exposed instances between January 25 and January 31, 2026 - a single week. Bitsight observed more than 30,000 exposed instances across a broader window. Security researcher Maor Dayan identified 42,665 exposed instances, of which 5,194 were actively verified as vulnerable. 93.4% of those had authentication bypass conditions.
Honeypot data from Terrace Networks confirmed that automated exploitation scanning began within hours of the initial Hacker News post in late January. This wasn't targeted - it was broad, automated, and ongoing.
The geographic distribution spans 52 countries, with the US and China hosting the largest concentrations. 98.6% of deployments run on cloud or hosting infrastructure. Many use reverse proxies or Cloudflare Tunnels for remote access, but misconfigurations frequently negate their protective value.
AWS Lightsail will add to this total. The one-click blueprint reduces setup friction, which is genuinely useful. But it also removes the "do I understand what I'm doing?" friction that previously served as an informal security filter.
Lightsail vs laptop: the right comparison
Despite all of the above, deploying OpenClaw on Lightsail is meaningfully safer than running it on your laptop - which is how most people currently run it.
On a laptop, a compromised OpenClaw agent has access to your personal files, browser sessions, saved passwords, VPN credentials, SSH keys, and everything else on the machine. If you're a developer with VPN access to production, every OpenClaw vulnerability becomes a potential supply chain attack on your company.
On a dedicated Lightsail instance, the blast radius is that server and nothing else. AWS's blueprint adds sandboxing, HTTPS by default, and device pairing authentication. That's a genuine improvement. It doesn't fix the application-level vulnerabilities in OpenClaw itself, but it limits what a successful exploit can reach.
The hierarchy, from least to most secure: running on your personal laptop (worst), running on a self-managed VPS (better, if you harden it), running on AWS Lightsail with the blueprint (better still, especially for non-experts), running inside a container-isolated architecture like NanoClaw's (best currently available for self-hosted agents).
What to actually do
If you're deploying OpenClaw on Lightsail, do these things immediately after setup: run sudo apt update && sudo apt upgrade -y to patch the OS, restrict firewall access to your IP only, rotate the gateway token and store it in an environment file rather than the config, keep the gateway off the public internet, and don't install skills from ClawHub without reviewing their source code.
If you're running OpenClaw on a laptop right now, move it to a dedicated server. Today. The convenience of localhost access is not worth the risk exposure.
If you're evaluating whether to deploy OpenClaw at all - whether on Lightsail, your own infrastructure, or anywhere else - be honest about the maintenance commitment. OpenClaw has had five significant CVEs in two months. Patches ship quickly (the team is responsive), but that means you need to be updating frequently. If you're not going to keep up with security patches, you shouldn't be running it.
The managed deployment options - OpenClawd, DigitalOcean's hardened 1-click, and others - handle patching and security configuration for you. That's the right tradeoff for anyone who wants OpenClaw's functionality without the operational overhead.
And if you don't want to self-host an AI agent at all - if you'd rather have something that works without becoming a side project - that's a valid choice too. The security track record of self-hosted agents in 2026 is not an argument for avoiding AI agents. It's an argument for being thoughtful about where your agent runs and who maintains it.
This is part of a series on OpenClaw and AI agent security. See also: Is OpenClaw Safe?, NanoClaw vs OpenClaw, How Much Does OpenClaw Actually Cost?, and Best OpenClaw Alternatives That Don't Require Coding.
Last updated: March 2026