HN
Today

If you're running OpenClaw, you probably got hacked in the last week

A Reddit post warns that many users of the AI agent 'OpenClaw' may have been hacked due to a critical vulnerability, sparking widespread concern over AI tool security. The story gained traction as a stark reminder of the inherent risks when deploying powerful, internet-exposed software without adequate safeguards. HN commenters debated the severity, the role of user negligence, and even the potential for malicious intent behind the software's creation.

72
Score
26
Comments
#9
Highest Rank
6h
on Front Page
First Seen
Apr 3, 5:00 PM
Last Seen
Apr 4, 2:00 AM
Rank Over Time
91620131312

The Lowdown

The Hacker News community grappled with a Reddit post claiming that users running the AI agent "OpenClaw" were likely compromised in the preceding week. Despite the original Reddit link returning a "blocked" message, the discussion centered on a critical security flaw in OpenClaw that allowed unauthorized administrative access.

  • OpenClaw, an AI agent, reportedly suffers from CVE-2026-33579, a vulnerability enabling unauthorized admin privileges due to insufficient authorization checks.
  • The primary risk arises when OpenClaw instances are publicly exposed on the internet, a configuration believed to affect a significant portion of its user base.
  • Commenters highlighted that OpenClaw is known for having numerous security issues, questioning the prudence of deploying such a tool, especially with broad system access.
  • The discussion also touched on the broader implications of giving AI agents extensive system permissions and the potential for user ignorance to exacerbate security risks. This incident serves as a potent case study on the dangers of deploying powerful, internet-facing software with known security weaknesses, particularly in the nascent field of AI agents, and underscores the ongoing tension between rapid innovation and robust security practices.

The Gossip

Vulnerable Visibility Verdict

Users debated whether the title was clickbait. While the vulnerability is real (CVE-2026-33579), many argued the threat only applies to instances exposed to the public internet, which they claimed isn't the default. However, others countered that public exposure was a past default or commonly ignored warning, suggesting a significant attack surface.

OpenClaw's Oversight

Many commenters expressed dismay at OpenClaw's security posture, citing its reported 400+ vulnerabilities and a fundamental flaw where it grants admin access without proper authorization. The discussion questioned the wisdom of installing such a tool with machine-wide access, especially for users who might lack the technical understanding to secure it, highlighting a broader concern about the inherent risks of giving AI agents "free reign."

Source Scrutiny & Suspicions

Initial comments questioned the authenticity of the Reddit post, suspecting it might be AI-generated "slop" due to its lack of direct sources (as the original Reddit link was blocked). However, other users quickly validated the core claim by pointing to a real CVE entry (CVE-2026-33579) on NIST. A darker theory emerged, suggesting OpenClaw might have been designed with malicious intent or that its creators were unwitting "useful idiots" for intelligence agencies.