360 Intelligent Agent discovered a high-risk vulnerability in OpenClaw, affecting 170,000 instances worldwide

MarketWhisper

OpenClaw high-risk vulnerability

A multi-agent collaborative vulnerability hunting system from China’s 360 Digital Security Group found a high-severity vulnerability in the AI agent tool OpenClaw, which has been confirmed by China’s National Information Security Vulnerability Database (CNNVD). The vulnerability affects more than 170,000 publicly accessible instances across over 50 countries and regions worldwide. It enables attackers to bypass all platform tool security policy controls and directly steal sensitive server information using only basic group chat member permissions.

Core of the vulnerability: Structural blind spot in the MEDIA protocol

360 security researchers named the issue “MEDIA protocol Prompt injection bypass tool permission information disclosure local file vulnerability.” Its danger stems from a fundamental design flaw in the OpenClaw architecture.

The MEDIA protocol runs in the post-processing layer, located after the platform’s tool policy control mechanisms. Therefore, it can fully bypass all tool invocation restrictions. This means that even if an administrator has explicitly disabled all tool invocations in OpenClaw, attackers can still exploit this vulnerability using only basic group chat member permissions—no special authorization required—to directly steal sensitive local files from the server.

This “post-processing layer bypass” design flaw renders traditional tool allowlist protection strategies completely ineffective. Attackers can use automated tools to launch large-scale scanning attacks against the 170,000-plus exposed instances worldwide, and the vulnerability may also serve as an initial foothold for subsequent intrusions.
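An added sketch, not OpenClaw code or 360's proof of concept, of the control this design flaw calls for: the post-processing stage checks file access itself, at the point of the read, instead of relying on a tool policy that ran earlier. The `[[attach:...]]` directive, the function names and the sample files are hypothetical; the page does not describe the MEDIA protocol's actual syntax.

```python
import os
import re
import tempfile

# Hypothetical directive syntax for this sketch; NOT OpenClaw's real MEDIA format.
ATTACH_RE = re.compile(r"\[\[attach:([^\]]+)\]\]")


def resolve_attachment(media_root, requested):
    """Return the real path of `requested` if it stays inside media_root, else None."""
    root = os.path.realpath(media_root)
    # Join, then canonicalize: collapses "..", absolute overrides and symlinks.
    candidate = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate if os.path.isfile(candidate) else None


def postprocess(reply_text, media_root):
    """Post-processing stage that enforces its own file policy on every attachment."""
    attached, rejected = [], []
    for requested in ATTACH_RE.findall(reply_text):
        name = requested.strip()
        # Checked here, not upstream: an earlier tool-policy gate never sees this read.
        (attached if resolve_attachment(media_root, name) else rejected).append(name)
    return ATTACH_RE.sub("", reply_text).strip(), attached, rejected


def demo():
    """Run the stage over a constructed reply inside a throwaway directory."""
    with tempfile.TemporaryDirectory() as base:
        media_root = os.path.join(base, "media")
        os.mkdir(media_root)
        with open(os.path.join(media_root, "chart.png"), "wb") as fh:
            fh.write(b"constructed sample")
        with open(os.path.join(base, "secrets.env"), "w") as fh:
            fh.write("constructed sample")
        # A symlink inside the media root that points outside it.
        os.symlink(os.path.join(base, "secrets.env"),
                   os.path.join(media_root, "link.png"))
        reply = ("Here is the chart. [[attach:chart.png]] "
                 "[[attach:../secrets.env]] [[attach:link.png]]")
        return postprocess(reply, media_root)


if __name__ == "__main__":
    print(demo())
```

Rejected entries are worth logging with the requesting chat member's identity, since they are the signal for the monitoring the mitigations call for.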

OpenClaw’s global surge and China’s current adoption status

OpenClaw was open-sourced by Austrian engineer Peter Steinberger in November 2025. It is a free AI agent program that can send instructions via instant messaging apps such as WhatsApp to independently control computer applications, web browsers, and smart home devices. Here are key data points on its global adoption:

China has the largest user base globally: According to analysis by New York–based SecurityScorecard, there are about twice as many active users in China as in the United States, which ranks second

A business ecosystem is forming rapidly: OpenClaw installation and configuration services have appeared on China’s tech platforms, priced from $7 to $100

Localized derivative versions: Chinese-customized variants such as DuClaw, QClaw, and ArkClaw have rolled out one after another

Government subsidy support: Local governments in multiple places have pledged subsidies for companies adopting virtual assistants

Scale of security threats: Over 170,000 publicly accessible OpenClaw instances in more than 50 countries worldwide are exposed to this vulnerability

Double institutional warnings: Security agencies and the national vulnerability database respond in sync

Before 360 disclosed the vulnerability, two Chinese national cyber security agencies had already issued warnings, stating that OpenClaw deployments carry “major risks,” including the possibility of remote control and data exfiltration. They also released detailed security recommendations covering individual users through enterprises and cloud service providers.

CNNVD’s official confirmation means this security threat has been upgraded from a warning-level assessment to a validated attack surface. Security researchers noted that because all affected instances are publicly accessible and the group chat entry point has a low barrier to entry, large-scale automated attacks are highly feasible. Rapid remediation is therefore the most urgent priority at present.

Frequently Asked Questions

Why is the MEDIA protocol vulnerability in OpenClaw particularly dangerous?

The MEDIA protocol runs in the post-processing layer, after the platform’s tool policy controls. It can completely bypass all configured tool disable rules. Even if an administrator disables all tool invocations, attackers can still exploit this vulnerability—requiring only basic group chat member permissions—to directly read sensitive local files on the server, causing traditional tool security policies to become completely ineffective.

How should affected OpenClaw instances respond urgently?

Before an official patch is released, it is recommended to take the following emergency mitigation measures: limit direct exposure of OpenClaw instances to the public internet; pause the relevant functions involving the MEDIA protocol; implement strict identity verification controls for group chat member access; and continuously monitor servers for abnormal access behavior to sensitive directories.

What impact does this vulnerability have on OpenClaw environments deployed by enterprises and governments?

CNNVD’s official confirmation means that an attack using this vulnerability is highly credible. Enterprises that have deployed OpenClaw in production environments (including companies that receive subsidies from local Chinese governments) need an immediate security audit to assess their actual exposure to data leakage, especially for instances where both group chat functionality and the MEDIA protocol are enabled.
