A CVSS 9.4 out of 10. That is the severity rating on CVE-2026-32916, a vulnerability in OpenClaw that allowed anyone on the network to silently take full administrative control of a user's AI agent - no login, no credentials, no interaction required.
OpenClaw, for the unfamiliar, is an open-source AI agent that connects to messaging apps like WhatsApp, Telegram, Slack, and Discord, then acts on your behalf: sending emails, running terminal commands, managing files, browsing the web, and controlling whatever services you have linked to it. It went viral earlier this year, racking up an estimated 180,000 developers. Users extend its capabilities through "skills" - modular packages published to ClawHub, OpenClaw's community marketplace.
That plugin system is exactly where the security broke down.
How the Attack Worked
The vulnerability lived in OpenClaw's plugin subagent routes. When a third-party plugin handled requests, it funneled them through a synthetic operator client that carried broad administrative permissions. The problem: those routes did not check whether the person making the request was actually authenticated.
An attacker who could reach the OpenClaw instance over the network - trivial for internet-facing deployments - could send requests directly to plugin-owned endpoints and have them executed with full admin privileges. That meant deleting user sessions, executing arbitrary agent actions, and potentially chaining into whatever services the agent had access to. Email, file storage, terminal access, messaging - all of it.
The attack was silent. No alerts, no user-facing indicators. The agent just did what it was told by someone who should never have been able to talk to it.
Who Was Exposed
The vulnerability affected OpenClaw versions 2026.3.7 through 2026.3.10. Anyone running those versions with third-party or custom plugins that exposed subagent routes was at risk. Internet-facing deployments and internal setups with permissive network policies were the most obvious targets.
The fix landed in version 2026.3.11, published March 31. If you are still running an older version, updating should be the first thing you do today. Security researchers are also recommending that affected users assume compromise and audit their connected services for unauthorized activity.
The Bigger Problem with AI Agents
This is not just an OpenClaw story. It is a preview of what happens when we give AI agents broad system access and then secure the plumbing the same way we secured web apps in 2008.
OpenClaw's entire value proposition is that it can do things on your behalf across multiple services. That is also what makes a vulnerability this severe so dangerous. A compromised web app leaks data. A compromised AI agent with terminal access and email permissions can actively do damage.
The rush to ship agentic AI tools has consistently outpaced the security work needed to make them safe in production. OpenClaw is open-source and relatively transparent about its issues. The scarier question is what similar flaws exist in closed-source agent platforms where security researchers cannot even look at the code.