OpenClaw privilege escalation vulnerability

Vulnerability details

  • CVE-2026-33579 is described as a privilege-escalation bug in OpenClaw’s pairing/approval logic.
  • The core issue: an earlier fix passed caller scopes into a device-approval check for the gateway RPC path, but the /pair approve plugin command path did not.
  • When callerScopes was missing, the core logic “failed open,” letting a client with limited permissions approve a pending device request for broader scopes (including admin).
  • Exploit path (per project maintainer): requires an already-paired client with gateway access and command ability, which can then escalate from pairing/write to admin.
  • It’s argued this is not literally “any random Telegram/Discord message gets admin,” though any command-capable integration reaching /pair approve could trigger it.
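
The fail-open pattern described above, as an added example that is not OpenClaw's code: two entry points share one approval check, and only one of them forwards the caller's scopes. All function names, scope names and the sample request are hypothetical and constructed for illustration.

```javascript
// Hypothetical model of the fail-open pattern; names are illustrative, not OpenClaw's.
// Constructed sample data: a pending device request that asks for admin.
const pending = { deviceId: "dev-constructed-1", requestedScopes: ["pairing", "write", "admin"] };
const limitedSession = { scopes: ["pairing", "write"] };
const adminSession = { scopes: ["pairing", "write", "admin"] };

// Scopes the request asks for that the caller does not hold.
function missingScopes(request, callerScopes) {
  return request.requestedScopes.filter((s) => !callerScopes.includes(s));
}

// Fail-open core check: when callerScopes is absent the comparison is skipped.
function approveFailOpen(request, callerScopes) {
  if (callerScopes) {
    const missing = missingScopes(request, callerScopes);
    if (missing.length > 0) return { approved: false, reason: "caller lacks " + missing.join(",") };
  }
  return { approved: true, granted: request.requestedScopes };
}

// Fail-closed core check: absent or malformed scopes are a denial, not a bypass.
function approveFailClosed(request, callerScopes) {
  if (!Array.isArray(callerScopes)) return { approved: false, reason: "caller scopes not supplied" };
  const missing = missingScopes(request, callerScopes);
  if (missing.length > 0) return { approved: false, reason: "caller lacks " + missing.join(",") };
  return { approved: true, granted: request.requestedScopes };
}

// Entry point modelled on the gateway RPC path: forwards the session's scopes.
function rpcApprove(core, request, session) {
  return core(request, session.scopes);
}

// Entry point modelled on the command path: the scopes argument is never forwarded.
function commandApprove(core, request, _session) {
  return core(request);
}

// Runs both entry points against both core checks for the limited session.
function compare() {
  return {
    openRpc: rpcApprove(approveFailOpen, pending, limitedSession).approved,
    openCommand: commandApprove(approveFailOpen, pending, limitedSession).approved,
    closedRpc: rpcApprove(approveFailClosed, pending, limitedSession).approved,
    closedCommand: commandApprove(approveFailClosed, pending, limitedSession).approved,
  };
}

console.log(compare());
```

With the fail-closed check, the command path denies every caller until it is changed to forward scopes, so a forgotten argument surfaces as a visible failure instead of a silent grant.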

How exposed are instances?

  • Multiple comments question claims that “135k instances are public” and “63% have zero auth,” noting that no credible source was cited and that the original Reddit post was removed.
  • Others argue even conservative numbers would still mean a large, serious exposure.
  • Disagreement over defaults:
    • Some say binding to 0.0.0.0 was default for some services until recently.
    • Others insist documentation always warned against public exposure and most users are single-user or behind auth/VPN.
  • Overall: scale of real-world compromise is unclear and statistics are contested.

Security posture and codebase

  • Strong criticism that OpenClaw is “vibe-coded” bloat: millions of lines, very fast commit rate, and ~1.8 CVEs/day since launch (per an external tracker mentioned in-thread).
  • Some argue integrating with many tools inherently enlarges the attack surface, even with good engineering.
  • Suggestions: run on VPS/VMs, separate Unix users, kernel-level sandboxing (Landlock/Seccomp/eBPF, macOS sandbox-exec), strict network/filesystem isolation.
  • There is mention of industry partners (large tech companies) helping harden security and of NemoClaw as a security wrapper.

Use cases and enthusiasm vs skepticism

  • Enthusiastic users describe:
    • Agentic cron jobs and orchestrating other agents.
    • Civic-data scraping, gym slot booking, home automation, media server control.
    • Long-running code-generation and deployment tasks.
  • Many refuse to connect personal email/accounts, keeping instances isolated with limited blast radius.
  • Skeptics question why anyone would give such a system broad access, call it a “toy,” or say anyone running it has already accepted major risk.

Broader themes and moderation

  • Broader worries: LLMs as tireless attackers, an “Internet of insecure things,” and casual users who don’t understand the risks.
  • Counterpoint accusations of “Ludditism”; some say all new tech is rough and people should “figure it out.”
  • HN moderators intervene against personal attacks and mob behavior, emphasizing civil, substantive criticism.