OpenClaw Advisory Surge Highlights Gaps Between GHSA and CVE Tracking
A recent burst of security disclosures in the OpenClaw project is drawing attention to how vulnerability information flows across advisory and CVE systems.
OpenClaw, the self-hosted AI agent that went from launch to GitHub's most-starred repository in a matter of weeks, became an unexpected stress test for the CVE ecosystem in late February. Within three weeks of going viral, the project had published over 200 GitHub Security Advisories, but only a portion have corresponding CVE identifiers.
The situation drew attention after vulnerability intelligence firm VulnCheck submitted a request in the CVE Project researcher working group to call “DIBS” on 170 OpenClaw advisories without CVE IDs. The company said several customers and members of the security community had asked about CVE assignment for the issues.
"In response to client interest in these types of issues, we are investigating capability development opportunities across an array of OpenClaw vulnerabilities and would love to ensure there are CVEs for these vulnerabilities before they are weaponized," VulnCheck VP of Research Caitlin Condon said.
The request set off a discussion inside the CVE working group about how the DIBS coordination process should be used.
DIBS is an informal coordination signal used among CVE Numbering Authorities. When a CNA calls DIBS on a vulnerability, it indicates that the organization intends to evaluate the issue and potentially assign a CVE identifier.
VulnCheck attempted to apply the mechanism to a large set of OpenClaw advisories. The request cited more than 200 GHSAs published within roughly three weeks and included a list of 170 advisories that did not yet have CVE identifiers.
The company had already reached out to two OpenClaw maintainers. One didn't respond. The other replied: "GHSAs are fine at this stage, thanks."
MITRE's TL-Root pushed back on the request: "Dibs is about identifying a vulnerability that meets the 5.3.1 criteria. The existence of many GHSAs from one Supplier does not mean that Dibs can be repurposed to categorize a Supplier, instead of a vulnerability, as 'hot.'"
The issue was later closed, with VulnCheck acknowledging that a mass DIBS request was likely not the right format. CVE assignment for individual advisories may still happen through other paths.
Meanwhile, OpenClaw usage has grown rapidly as a platform that can execute tasks across multiple services and environments. The project has attracted a large developer audience and extensive researcher attention.
The repository’s security advisory page now lists 255 disclosures. Many describe issues involving command execution controls, authorization checks, allowlist enforcement, or plugin boundaries.
Automation platforms that interact with external services and run commands on behalf of users tend to expose many security surfaces. When researchers begin systematic review, the number of reported issues can grow quickly. In this case, the OpenClaw advisories are putting a spotlight on a shift that has been happening in vulnerability disclosure even before the generative AI boom began reshaping the open source ecosystem.
GitHub Advisories Challenge CVE-Centric Tracking and Visibility
GHSA is frictionless for maintainers. A researcher reports, the maintainer publishes, with no external coordination required. Requesting a CVE means going through a CNA, formatting metadata, and waiting. Many projects now default to GHSA-only and request CVEs later, or not at all.
The problem is that most enterprise security tooling, i.e. vulnerability scanners, SBOM tools, patch management systems, and compliance frameworks, is built around CVE. A vulnerability disclosed only as a GHSA may be invisible to all of it.
Both systems have increasingly been operating in parallel. Some vulnerabilities receive both identifiers. Others appear only in GHSA form.
The scale of the gap between advisories and downstream visibility is significant. A 2024 investigation from UC Irvine found that as of April that year, the GitHub Advisory Database contained more than 213,000 unreviewed advisories, with fewer than six being reviewed per day. At that pace, the researchers estimated it would take roughly 95 years to clear the queue. Advisories that remain unreviewed do not trigger Dependabot alerts, meaning downstream projects may never be notified that they depend on vulnerable packages.
More recent academic work suggests the imbalance persists. A 2026 study led by researchers at Brazil’s Fluminense Federal University analyzed more than 288,000 GitHub Security Advisories. They found that only about 8% had been GitHub-reviewed, while the rest remained unreviewed records in the database.
The OpenClaw advisory surge is just one example of how quickly disclosures can accumulate in that system, and it has prompted independent tracking efforts.
Security engineer Jerry Gamblin, founder of RogoLabs, actually used OpenClaw to build an OpenClaw CVE and Security Advisory Tracker that monitors the project’s advisories across multiple sources, including the GitHub Advisory Database, repo-level advisories, and the CVE Project’s cvelistV5 repository.
The tracker updates hourly and reconciles GHSA records with CVE publication status. It includes advisories listed on the repository’s security page that have not yet appeared in the GitHub Advisory Database.
The project also tracks naming transitions. OpenClaw previously appeared under the names Clawdbot and Moltbot, which affects how vulnerabilities are indexed across databases.
It now includes fixed-version data as well, after feedback from researchers who pointed out that advisory counts alone can be mistaken for unpatched exposures.
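The reconciliation the tracker performs can be illustrated with a small script. The following is an added example written for this article, not code from Gamblin's tracker or the OpenClaw project: it takes constructed GHSA records (made-up GHSA and CVE identifiers), a constructed subset of a cvelistV5-style feed, and a hypothetical alias map for the project's earlier names, then classifies each advisory by CVE status and patch status. The feed shape, the name-alias map, and the URL pattern used to link a CVE reference back to a GHSA are all assumptions of the example.

```python
"""Reconcile GHSA records against CVE publication status (added example).

Everything below is constructed sample data: the GHSA/CVE identifiers are
fake, the feed layout is a simplification of cvelistV5, and the alias map
only models the naming transition described in the article.
"""
import re
from collections import Counter

# Constructed GHSA records as a repository security page might expose them.
GHSA_RECORDS = [
    {"ghsa_id": "GHSA-aaaa-0001-xxxx", "package": "openclaw",
     "aliases": ["CVE-0000-00001"], "fixed_in": "1.2.0", "reviewed": True},
    {"ghsa_id": "GHSA-aaaa-0002-xxxx", "package": "openclaw",
     "aliases": [], "fixed_in": "1.2.1", "reviewed": False},
    {"ghsa_id": "GHSA-aaaa-0003-xxxx", "package": "clawdbot",
     "aliases": [], "fixed_in": None, "reviewed": False},
    {"ghsa_id": "GHSA-aaaa-0004-xxxx", "package": "moltbot",
     "aliases": ["CVE-0000-00004"], "fixed_in": "1.1.5", "reviewed": True},
]

# Constructed, simplified cvelistV5-style feed: CVE id -> state and references.
CVE_FEED = {
    "CVE-0000-00001": {"state": "PUBLISHED", "references": [
        "https://github.com/example/openclaw/security/advisories/GHSA-aaaa-0001-xxxx"]},
    # A CVE whose GHSA record has not (yet) been updated with the alias.
    "CVE-0000-00005": {"state": "PUBLISHED", "references": [
        "https://github.com/example/openclaw/security/advisories/GHSA-aaaa-0002-xxxx"]},
    "CVE-0000-00004": {"state": "RESERVED", "references": []},
}

# Hypothetical alias map for the project's earlier names (assumption).
NAME_ALIASES = {"clawdbot": "openclaw", "moltbot": "openclaw"}

GHSA_URL_RE = re.compile(r"/advisories/(GHSA-[0-9a-z]{4}-[0-9a-z]{4}-[0-9a-z]{4})$")


def canonical_name(package: str) -> str:
    """Fold old project names onto the current one so counts are not split."""
    return NAME_ALIASES.get(package.lower(), package.lower())


def index_cves_by_ghsa(feed: dict) -> dict:
    """Map GHSA ids found in CVE reference URLs back to their CVE id."""
    by_ghsa = {}
    for cve_id, entry in feed.items():
        for ref in entry.get("references", []):
            match = GHSA_URL_RE.search(ref)
            if match:
                by_ghsa[match.group(1)] = cve_id
    return by_ghsa


def cve_status(record: dict, feed: dict, by_ghsa: dict):
    """Return (cve_id, status); status is published, reserved, unknown or none."""
    candidates = [a for a in record.get("aliases", []) if a.startswith("CVE-")]
    linked = by_ghsa.get(record["ghsa_id"])  # CVE that references this GHSA
    if linked and linked not in candidates:
        candidates.append(linked)
    for cve_id in candidates:
        entry = feed.get(cve_id)
        if entry and entry["state"] == "PUBLISHED":
            return cve_id, "published"
    for cve_id in candidates:
        if cve_id in feed:  # present in the feed but not published
            return cve_id, "reserved"
    if candidates:  # alias claimed by the GHSA but absent from the feed
        return candidates[0], "unknown"
    return None, "none"


def reconcile(records: list, feed: dict) -> list:
    """Produce one normalized row per GHSA with CVE and patch status."""
    by_ghsa = index_cves_by_ghsa(feed)
    rows = []
    for rec in records:
        cve_id, status = cve_status(rec, feed, by_ghsa)
        rows.append({
            "ghsa_id": rec["ghsa_id"],
            "package": canonical_name(rec["package"]),
            "cve_id": cve_id,
            "cve_status": status,
            "reviewed": bool(rec.get("reviewed", False)),
            "patched": rec.get("fixed_in") is not None,
        })
    return rows


def summarize(rows: list) -> dict:
    """Counts that separate advisory volume from actual unpatched exposure."""
    return {
        "total": len(rows),
        "cve_status": dict(Counter(r["cve_status"] for r in rows)),
        "reviewed": sum(r["reviewed"] for r in rows),
        "patched": sum(r["patched"] for r in rows),
        "unpatched": sum(not r["patched"] for r in rows),
        "packages": dict(Counter(r["package"] for r in rows)),
    }


if __name__ == "__main__":
    for row in reconcile(GHSA_RECORDS, CVE_FEED):
        print(row)
    print(summarize(reconcile(GHSA_RECORDS, CVE_FEED)))
```

Two details carry the article's points: the second record gains its CVE only because the CVE feed references the GHSA URL, which is the kind of one-directional link a CVE-only consumer would see while a GHSA-only consumer would not, and the summary reports patched and unpatched counts separately so that four advisories are not read as four open exposures.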
OpenClaw Disclosures Highlight Divide Over CVE Reliance
Gamblin’s tracker is one way researchers have started keeping track of the surge in OpenClaw disclosures as they appear across different advisory systems.
The rejected DIBS request quickly drew attention across the security community.
Josh Bressers, VP of Security at Anchore, contends that MITRE was being overly procedural when someone was willing to do the work.
“This feels like one of those situations where being overly pedantic is silly,” Bressers wrote on LinkedIn.
“The TL;DR is there are a lot of vulnerabilities in OpenClaw that are being tracked by GitHub, but aren't getting CVE IDs.”
Others questioned whether CVEs are necessary when advisories already exist in publicly accessible databases.
Alexandre Dulaunoy, head of CIRCL’s security research team, argued that vulnerability tracking increasingly relies on multiple sources rather than a single centralized identifier.
"Maybe we should rethink this completely," Dulaunoy said. "Why do you need CVE IDs when you already have GHSAs? These are documented and accessible. We should stop thinking in unique centralized sources and maybe forget about this hierarchical model.
"GHSAs are a great and valuable source. If another authority decides to say the opposite, is this really important, if all the sources are considered equal and important to consider?"
Leonardo Lanzi, head of GARR-CERT, made a similar point in the discussion.
"Once again, it's about avoiding the single point of failure that all of us 'differently young' people have known for decades," Lanzi said. "The same should apply to the vulnerabilities archive... although it seems that it is still not clear for the DNS either."
Bressers agreed that relying on identifiers beyond CVE may be the long-term direction for vulnerability disclosure, but noted that many organizations still disregard vulnerabilities that lack a CVE.
"I find the more mature vulnerability programs are using non-CVE IDs on a regular basis," he said.
"I think it's currently important unfortunately. There are a lot of groups I see that disregard anything that isn't a CVE. It's an annoying reality."
This brief exchange on LinkedIn reflects the current divide in the ecosystem. Development communities frequently rely on GHSA or ecosystem-specific advisories. Many enterprise security tools still prioritize CVE identifiers.
The surge in OpenClaw disclosures offers an early look at how vulnerability reporting, identifier assignment, and security tooling may interact as AI-driven development continues to accelerate code creation. OpenClaw did not introduce this dynamic. It produced enough advisories in a short period to make the fragmentation easier to see.
AI agent platforms are likely to attract increasing scrutiny as adoption grows. Projects in that space are combining automation, integrations, and extensibility in creative ways that nobody could have anticipated. That architecture creates many boundaries worth reviewing. As researchers begin examining those systems more closely, bursts of vulnerability disclosures like the one around OpenClaw may become more common.