
Posted by kykeonaut 5 days ago

OpenClaw privilege escalation vulnerability (nvd.nist.gov)
https://old.reddit.com/r/sysadmin/comments/1sbdw29/if_youre_...

https://web.archive.org/web/20260403174514/https://old.reddi...

513 points | 256 comments | page 4
n1tro_lab 5 days ago|
[flagged]
jeremie_strand 5 days ago|
[dead]
dang 5 days ago||
[stub for offtopicness and general piling-on behavior, which we don't want on this site]

[[attacking project creators when they show up to discuss their work is particularly harmful; please don't ever do that here]]

[[[if you posted any of these, we'd appreciate it if you'd please review https://news.ycombinator.com/newsguidelines.html and stick to the rules from now on]]]

rybosome 5 days ago||
[flagged]
dang 5 days ago||
Please make your substantive points without crossing into personal attack. Your comment would be fine but for the paragraph in the middle where it does that.

https://news.ycombinator.com/newsguidelines.html

rybosome 5 days ago||
Understood, thanks.
dang 5 days ago||
Appreciated!
plestik 5 days ago|||
[flagged]
tomhow 5 days ago|||
We detached this subthread from https://news.ycombinator.com/item?id=47629849 and marked it off-topic.
plestik 5 days ago||
Why?
tomhow 5 days ago||
It breaks several guidelines:

Be kind. Don't be snarky. Converse curiously; don't cross-examine. Edit out swipes.

Comments should get more thoughtful and substantive, not less, as a topic gets more divisive.

Please don't fulminate. Please don't sneer.

Please don't post shallow dismissals, especially of other people's work. A good critical comment teaches us something.

The guidelines still apply, even if you feel negatively towards a project and its creator. Indeed it's even more important to make the effort to heed the guidelines for topics you feel negatively towards (after all, it's easy to be respectful about things we feel positively towards).

https://news.ycombinator.com/newsguidelines.html

plestik 5 days ago||
Thanks for explaining, is this mostly about replying directly to the person involved in the project? Compared to e.g. a comment in a thread about OpenClaw without replying directly to the creator? Just trying to figure out where the line is, I do think snark is a valid form of criticism sometimes but it's your house after all.
tomhow 4 days ago||
That comment would be a guidelines breach on HN, whether or not it was in reply to the project creator. It gives off just the kind of negativity that HN has always aimed to avoid. Even if we don't always succeed in avoiding it, the guidelines represent an ideal that we work to uphold every day.

> Just trying to figure out where the line is

It's not really about a line, it's about the qualitative style of discussion we’re here for. HN is for people who like to build things and work on interesting new projects, and have curious conversations about what they're building. Projects that are new and built in different ways than what has come before will always be easy to criticise from a position of conformity to historical conventions, but if we all thought that way, nothing new would ever be built.

> I do think snark is a valid form of criticism sometimes

Not on HN. Thoughtful criticism is fine, and the very first two words of the “In Comments” section of the guidelines are “be kind”.

> but it's your house after all

That's not how we think about it. We’re custodians of this place and our role is to keep it a healthy place for discussion among intellectually curious hackers. It takes daily work and effort to uphold the guidelines and keep the standards up so that it doesn’t become the hellscape of negativity that it's often stereotyped as being.

plestik 3 days ago||
For me I think this veers dangerously close to tone policing. I don't think you have to always be extremely civil in the face of what you consider moral bankruptcy. But I can also understand that it creates a vicious cycle so I can appreciate your position here.
tomhow 3 days ago||
Thanks for the discussion and (partially) understanding :)

The use of terms like “moral bankruptcy” is exactly what the guidelines ask us to avoid, indeed explicitly so with the phrase “Assume good faith”.

Part of the challenge of participating on HN is to be able to come into contact with people who see and do things differently (including building software projects in a way that's different from the way we consider proper) and find a way to recognize that they are still acting in good faith and deserving of basic courtesy.

inetknght 5 days ago||||
> There used to be a time where people who shipped CVEs took accountability.

I see you haven't heard of Microsoft...

orsorna 5 days ago||||
[flagged]
ua709 5 days ago||||
What time was that and who do we get to blame for Log4j?
lp0_on_fire 5 days ago|||
Have you met these AI companies yet?
rob 5 days ago|||
[flagged]
rdtsc 5 days ago|||
- "OpenClaw, read the code"

- "You're absolutely right. One should read and understand their own code. I did, and it looks great"

TZubiri 5 days ago|||
I'm critical of OpenClaw and even the author to some extent, but I prefer to have nuanced and compartmentalized conversations, on a thread about a specific vulnerability, it's much more productive to talk about the specific vulnerability rather than OpenClaw as a whole. Otherwise we would only have generic OpenClaw conversations and we would only be saying the same thing.
maxbond 5 days ago||
The comment could have been more substantive but it isn't generic or tangential. Discussing a vulnerability ultimately means discussing the failures of process that allowed it to be shipped. Especially with these application-level logic bugs that static analyzers can't generally find, the most productive outcome (after the vulnerability is fixed) is to discuss what process changes we can make to avoid shipping the next vulnerability. I'm sure there's hardening that can be done in OpenClaw but the premise of OpenClaw is to integrate many different services - it has a really large attack surface, only so much can be done to mitigate that, so it's critical to create code review processes that catch these issues.

OpenClaw is probably entering a phase of its life where prototype-grade YOLO processes (like what the tweet describes) aren't going to cut it anymore. That's not really a criticism, the product's success has over vaulted its maturity, which is a fortunate problem to have.

fraywing 5 days ago|||
[flagged]
jstanley 5 days ago||
But this is nothing to do with the agent being tricked. This is ordinary old-fashioned code being tricked!
paulhebert 5 days ago|||
But was the code written by an agent? It's agents all the way down
fraywing 5 days ago|||
[dead]
bigstrat2003 5 days ago|||
If you're running OpenClaw, you already threw security and reliability out the window by running LLMs on the command line. It's a bit late to start worrying now.
podgorniy 5 days ago|||
[flagged]
tgv 5 days ago||
Your comment is obviously against the rules, but I read it as: Why are people not more careful? This is some unknown app, with unknown, unvetted depths, and you only like it because other people say it's shiny and AI. It made you giddy, and you forgot that giving a tool permissions is an invitation to hackers. Well, you went ahead and ignored all common sense, and here we are.
podgorniy 2 days ago||
There are many "right" ways to read my comment. Reading it says more about reader than the writer.

And yes, most probably I violated some spoken/unspoken rules and am ready to bear the consequences.

--

Common sense about security has shifted significantly. You (me included) with our common sense of security are in the minority today. We're uncommon. Wait till people start questioning such a stance.

--

I just was reading docs on a plugin for TiddlyWiki which gives it multiuser support and LAN accessibility. The level of awareness of the risks of opening your tw server (it's like 5-ish years ago) to the LAN almost reads like satire from where we are today.

popalchemist 5 days ago|||
[flagged]
LucidLynx 5 days ago|||
[flagged]
ponector 5 days ago||
[dead]
deadbabe 5 days ago|||
[flagged]
butlike 5 days ago|||
Hanlon's Razor

https://en.wikipedia.org/wiki/Hanlon%27s_razor

deadbabe 5 days ago||
That razor is poorly understood. It’s not malice if it can be explained by stupidity. In this case it’s not explained by stupidity, as the guy who made OpenClaw is very smart. Therefore, it can only be malice.
EA-3167 5 days ago||||
In this case I'd say that it was made not to enable that, but in total disregard of its realistic uses and risks. In a sense this is less... deliberate poisoning, and more doing a bad job cutting heroin with fentanyl for distribution. Yeah the result is the same, but the cause is negligence to the point of parody rather than outright malice.
throwatdem12311 5 days ago||
Some people are so stupid it is indistinguishable from evil.
cactusplant7374 5 days ago|||
What reason would Steinberger have for doing that? It was his hobby project.
crazy5sheep 5 days ago|||
[dead]
throwatdem12311 5 days ago||||
You can’t think of a single reason?

Intelligence asset.

Useful idiot.

Plenty of reasons.

asdff 5 days ago|||
He doesn't need a reason. He could have been captured by intelligence after the fact.
8593376393 5 days ago|||
[dead]
hmokiguess 5 days ago|||
[flagged]
neya 5 days ago|||
[flagged]
imiric 5 days ago|||
If you considered using it in the first place, reports of security vulnerabilities wouldn't concern you.
pezo1919 5 days ago|||
“It’s OK to be hacked until everyone is getting hacked.”
mvdtnz 5 days ago|||
[flagged]
equasar 5 days ago|||
[flagged]
tomhow 5 days ago||
You can't comment like this on Hacker News. The guidelines make it clear we're trying for better than this. https://news.ycombinator.com/newsguidelines.html

We detached this comment from https://news.ycombinator.com/item?id=47629849 and marked it off topic.

sbochins 5 days ago|||
[flagged]
dang 5 days ago||
Please don't cross into personal attack. It destroys what this site is for, and you can always make your substantive points without it.

https://news.ycombinator.com/newsguidelines.html

croes 5 days ago||
Didn't know that pointing out a lack of accountability is seen as personal attack.

Who wants the fame must also take the blame.

Especially if they create a dangerous tool.

dang 5 days ago||
We don't want mobs on HN. There was very clearly a mob dynamic happening in the replies.

Edit: there was another case of this recently:

https://news.ycombinator.com/item?id=47576107

https://news.ycombinator.com/item?id=47576084

The point is that mob dynamics do more damage to the community than the threads add value, and protecting the community has to be the high-order bit.

pym4n 5 days ago||
Guys, OpenClaw is a toy, that's it!
jeremie_strand 5 days ago||
[dead]
gloosx 5 days ago||
[flagged]
eager_learner 4 days ago||
[flagged]
gos9 5 days ago||
Really? Posting AI generated Reddit post with no sources or anything?
hmokiguess 5 days ago||
The link mentions the CVE, here's the link https://nvd.nist.gov/vuln/detail/CVE-2026-33579
dang 5 days ago|||
Thanks! We've changed the top URL to that from https://old.reddit.com/r/sysadmin/comments/1sbdw29/if_youre_..., but I'll put the latter in the toptext.
dijksterhuis 5 days ago|||
it would be good if we could have the submission including this link at the top
tgv 5 days ago|||
The CVE seems to be real.
blharr 5 days ago||
[flagged]
dgellow 5 days ago||
Flag then move to the next one
throwatdem12311 5 days ago||
As if the non-Reddit links aren’t majority AI slop already.
throwpoaster 5 days ago|
The Ludditism in this thread, and the linked thread, is shocking.
yoyohello13 5 days ago||
We need a new word for people who use the word ‘Luddite’ to refer to ‘reasonable concern over the reckless use of new technology’.
mememememememo 5 days ago||
Yolos?
weakfish 5 days ago|||
Is it Ludditism to not want to get PWNed spending $3k a month?
nickthegreek 5 days ago|||
Setting it up that way is a choice a user would have to make. Just set it up on an oauth or budgeted api and not be an idiot. Set up additional guardrails in OC if you think they are necessary.
throwpoaster 5 days ago|||
Yes.

All new technology has issues. Figure it out.

Especially if you're spending $3k per month on inference, have the model fix the agent.

I suppose the idea is to wait for someone else to productize it.

Lazy.

8593376393 5 days ago||
[dead]