OpenClaw Founder Confirms Vulnerability in Response Letter, 360 Security Cloud Team: Will Continue to Follow Up on OpenClaw Ecosystem Vulnerability Discovery and Repair Support


Sina Tech News, March 22 — The 360 Security Cloud Team recently received an official email from Peter, the founder of OpenClaw. In his reply, Peter formally confirmed the team's exclusive discovery of an unauthenticated WebSocket upgrade vulnerability in OpenClaw Gateway. 360 has reported this high-risk vulnerability to the National Vulnerability Database (CNVD) so that the source of risk can be cut off across the entire network as quickly as possible.

The confirmed flaw, an unauthenticated WebSocket upgrade, is a zero-day (0Day) vulnerability. An attacker can exploit it to silently bypass permission authentication over WebSocket and gain control of the agent gateway, which could lead to resource exhaustion or a total system crash.

This vulnerability also serves as a reminder to the industry: as intelligent agents evolve from “dialogue tools” into “execution systems,” their security risks are rapidly extending from the model layer to the interface layer, the skill invocation chain, and the system permissions layer. Publicly exposed interfaces, malicious skill poisoning, prompt injection, and a lack of audit mechanisms are becoming common hidden dangers in the industry's “shrimp farming” process. As Zhou Hongyi, founder of 360 Group, previously pointed out, the era of intelligent agents requires adhering to “model management,” using security capabilities to monitor and constrain the entire operation of intelligent systems.

In response to these risks, 360 has established a core strategy of “Supervising AI with AI, Governing Skills with Skills,” and has launched intelligent agent deployment security testing and risk assessment tools (known as “360 Security Cloud·Lobster Guard”) for enterprises and developers. These tools enable precise identification of exposure points, high-risk vulnerabilities, and malicious skill risks in the operating environment. Additionally, 360 has introduced an all-in-one solution for individual users called “360 Security Lobster” and its built-in component “360 Lobster Guard,” which, through isolated operating environments and strict permission control mechanisms, significantly reduces security uncertainties during local use of intelligent agents.

The 360 Security Cloud Team states that in the future, 360 will continue to support vulnerability discovery and remediation within the OpenClaw ecosystem and promote practical defense measures for intelligent agent applications.
