
Six flaws discovered hiding in OpenClaw’s plumbing

Security researchers have uncovered six high-to-critical flaws affecting the open-source AI agent framework OpenClaw, popularly known as a “social media for AI agents.” The issues were found by Endor Labs as its researchers ran the platform through an AI-driven static application security testing (SAST) engine designed to follow how data actually moves through the agentic AI software.

The bugs span several web security categories, including server-side request forgery (SSRF), missing webhook authentication, authentication bypasses, and path traversal, affecting the complex agentic system that combines large language models (LLMs) with tool execution and external integrations.

The researchers also published working proof-of-concept exploits for each of the issues, confirming real-world exploitability. OpenClaw has published patches and security advisories for the issues.

Flaws included SSRF paths, auth bypass, and file escapes

Endor Labs’ disclosure characterized the six OpenClaw vulnerabilities by weakness type and individual severity rather than CVE identifiers.

Several of the issues are SSRF bugs affecting different tools, including a gateway component (CVSS 7.6) that accepts user-supplied URLs to establish outbound WebSocket connections. The other two included an SSRF in Urbit Authentication (CVSS 6.5) and an Image Tool SSRF (CVSS 7.6). These SSRF paths were rated medium to high severity because they could allow access to internal services or cloud metadata endpoints, depending on deployment.
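One way to vet a user-supplied WebSocket URL before a server connects to it, so that internal services and cloud metadata addresses are refused. This is an added example, not OpenClaw's patch or Endor Labs' code; the function names, the injected `resolve` parameter and the sample hostnames are assumptions made for illustration.

```javascript
// Added example: vet a user-supplied WebSocket URL before the server connects to it.
// Internal IPv4 ranges as [base, prefix bits]; 169.254.0.0/16 covers the
// 169.254.169.254 address commonly used by cloud metadata services.
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["100.64.0.0", 10], ["127.0.0.0", 8],
  ["169.254.0.0", 16], ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function ipv4ToInt(ip) {
  const parts = ip.split(".");
  const ok = parts.length === 4 && parts.every((p) => /^\d{1,3}$/.test(p) && Number(p) <= 255);
  return ok ? parts.reduce((acc, p) => acc * 256 + Number(p), 0) : null;
}

function isBlockedAddress(ip) {
  const n = ipv4ToInt(ip);
  if (n !== null) {
    return BLOCKED_V4.some(([base, bits]) => {
      const size = 2 ** (32 - bits);
      return Math.floor(n / size) === Math.floor(ipv4ToInt(base) / size);
    });
  }
  if (!ip.includes(":")) return true; // neither IPv4 nor IPv6: fail closed
  // IPv6 unspecified/loopback, IPv4-mapped, unique-local fc00::/7, link-local fe80::/10
  return /^(::1?$|::ffff:|f[cd][0-9a-f]{2}:|fe[89ab][0-9a-f]:)/i.test(ip);
}

// `resolve(hostname)` returns a Promise of address strings. It is injected (hypothetical
// parameter) so the check runs offline; a service would wrap dns.promises.lookup.
async function checkOutboundWsUrl(rawUrl, resolve) {
  let url;
  try { url = new URL(rawUrl); } catch { return { ok: false, reason: "unparseable URL" }; }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return { ok: false, reason: "scheme not allowed" };
  // The URL parser has already normalised forms such as ws://2130706433/ to 127.0.0.1.
  const host = url.hostname.replace(/^\[|\]$/g, "");
  const isLiteral = ipv4ToInt(host) !== null || host.includes(":");
  const addrs = isLiteral ? [host] : await resolve(host);
  if (addrs.length === 0) return { ok: false, reason: "no addresses" };
  const bad = addrs.find(isBlockedAddress);
  if (bad) return { ok: false, reason: `internal address ${bad}` };
  // Connect to the vetted address rather than re-resolving the name, so a second
  // DNS answer cannot swap in an internal target after the check.
  return { ok: true, host, connectTo: addrs[0] };
}

// Constructed sample resolver standing in for DNS (names and addresses are made up).
const sampleResolve = async (h) => ({ "feeds.example": ["203.0.113.10"], "rebind.example": ["203.0.113.10", "10.0.0.5"] }[h] || []);
```

The check rejects a hostname if any of its resolved addresses is internal, and the caller is expected to connect to `connectTo` while sending `host` in the handshake.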

Access control failures accounted for another cluster of findings. A webhook handler “Telnyx” designed to receive external events lacked proper webhook verification (CVSS 7.5), enabling forged requests from untrusted sources. Separately, an authentication bypass (CVSS 6.5) allowed unauthenticated users to invoke a protected webhook functionality “Twilio” without valid credentials.

The disclosure also detailed a path traversal vulnerability (CVSS not assigned) in browser upload handling, where insufficient sanitization of file paths could allow writes outside intended directories.

“The combination of AI-powered analysis and systematic manual validation provides a practical path forward for securing AI infrastructure,” the researchers said. “As AI agent frameworks become more prevalent in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI-specific attack surfaces.”

Following the data revealed the danger

To overcome the limitations of “traditional static analysis” tools that reportedly struggle with modern software stacks where inputs flow through numerous transformations before reaching dangerous operations, Endor Labs implemented the AI SAST approach, which, it claimed, maintains context across these transformations.

This helped the researchers understand “not only where dangerous operations exist but also whether attacker-controlled data can reach them.” The test engine mapped the full journey of “untrusted data”, from entry points such as HTTP parameters, configuration values, or external API responses to security-sensitive “sinks” like network requests, file operations, or command execution.

Endor Labs said it responsibly disclosed the vulnerabilities to the OpenClaw maintainers, who subsequently addressed the issues, allowing the researchers to publish technical details. The disclosure did not provide extensive mitigation guidance but noted that fixes have been implemented across the affected components.
