Self-Hosting Security
OpenClaw Security Warning: 17,500+ Exposed Gateways & RCE Risk
OpenClaw – the self‑hosted AI agent that connects large language models to your browser, inbox and chat apps – has become the fastest‑growing open‑source project of 2026. But that explosive growth has now collided with an equally dramatic security reality.
Over the past days, researchers have disclosed a critical remote‑code‑execution bug (CVE‑2026‑25253), internet‑wide scans of thousands of exposed OpenClaw‑style gateways, and a marketplace full of malicious “skills” designed to steal credentials and crypto.
For anyone running OpenClaw or its forks (Clawdbot, Moltbot) on a home server, VPS or small office network – including DoVPN readers who self‑host VPNs and media stacks – this is a wake‑up call. Local does not automatically mean safe.
From weekend hack to 100,000+ stars – and a much bigger attack surface
OpenClaw’s appeal is clear. It runs where you choose – laptop, homelab, or VPS – and connects AI models like Claude and GPT‑4 to browsers and messaging apps so agents can actually do things: fill forms, check flights, manage email, post to social feeds, and more.
According to the project’s own launch blog, OpenClaw grew from a “WhatsApp Relay” side project into an “open agent platform that runs on your machine and works from the chat apps you already use”, hitting over 100,000 GitHub stars and 2 million site visitors in a single week.
The viral trajectory
- OpenClaw accumulated around 157,000 GitHub stars in 60 days, with peak bursts of more than 34,000 stars in 48 hours.
- The project went through multiple renames (Clawd, Moltbot, Clawdbot) before settling on OpenClaw in late January 2026.
That kind of virality is rare – and it attracted not just power users and indie hackers, but also security researchers and opportunistic attackers.
CVE‑2026‑25253: a one‑click RCE in the OpenClaw gateway
The first major red flag was a critical remote‑code‑execution (RCE) vulnerability in the OpenClaw gateway, assigned CVE‑2026‑25253.
Asset‑discovery company RunZero describes the bug as follows:
- The flaw affects OpenClaw’s personal assistant / gateway component and allows a remote, unauthenticated attacker one‑click RCE via authentication token exfiltration over WebSocket.
- Successful exploitation can lead to complete system compromise of the host running the gateway.
- All OpenClaw versions before 2026.1.29 are affected; version 2026.1.29 is the first release with a patch.
In practice, that means an exposed OpenClaw gateway – especially one bound to a public IP without extra access controls – can be turned into a foothold for an attacker who then controls the same machine that stores your AI agent’s memory, browser sessions, and often API keys for providers like OpenAI, Anthropic or Google.
17,500+ exposed instances: what internet‑wide scans revealed
Even before CVE‑2026‑25253 became public, security teams were asking a simple question: how many OpenClaw‑style agents are sitting on the public internet?
A large‑scale scan by Hunt.io looked at OpenClaw, Clawdbot and Moltbot control panels and found:
- More than 17,500 exposed instances vulnerable to CVE‑2026‑25253.
- The exposed web control panel was typically reachable on default port 18789, but also on ports 80, 443, 18888, 8080 and others.
- Clawdbot Control accounted for 68.9% of deployments, Moltbot Control for 22.3%, and the original OpenClaw Control for 8.8%.
- Instances were spread across 52 countries, with the highest concentrations in the United States (35.6%) and China (25.9%).
- 98.6% of exposed systems ran on commercial cloud or hosting infrastructure, primarily DigitalOcean, Alibaba Cloud and Tencent.
In other words: most OpenClaw deployments are not quietly humming away on a Raspberry Pi behind a simple home router. They are internet‑facing servers in data centres, directly accessible to anyone who can guess or scan the right port.
ClawHub malware: 341 malicious skills
At the same time as gateway vulnerabilities were surfacing, another problem appeared in the OpenClaw ecosystem: malicious third‑party skills.
ClawHub, a marketplace designed to make it easy to install community‑built OpenClaw skills, was audited by Koi Security. Out of 2,857 skills reviewed, 341 were found to be malicious – an 11.9% malicious rate.
Key findings from that audit:
- The majority participated in a campaign dubbed ClawHavoc, using fake “Prerequisites” sections to trick users into installing malware.
- On Windows, users were told to download a zip file containing a trojan with keylogging capabilities.
- On macOS, users were instructed to run obfuscated shell scripts delivering Atomic Stealer (AMOS).
- Malicious skills masqueraded as typosquatted ClawHub clients, crypto tools, and trading bots.
Hardening OpenClaw: concrete steps you can take today
Security teams have converged on a practical hardening checklist for OpenClaw and similar self‑hosted AI agents.
1. Patch now – and rotate secrets
- Upgrade OpenClaw to at least version 2026.1.29 or the latest release.
- Rotate all secrets: gateway tokens, provider API keys (OpenAI, Anthropic), and chat integration credentials.
2. Keep the gateway off the public internet
The single biggest risk factor is direct public exposure.
- Bind the OpenClaw gateway to localhost only (127.0.0.1) wherever possible.
- If using a reverse proxy, ensure strict access controls and IP filtering.
3. Use Zero‑Trust tunnels instead of raw port‑forwarding
If you need remote access, use secure tunnelling instead of opening firewall ports.
Option A: Tailscale
Place the OpenClaw host on a Tailscale tailnet and expose its local gateway port only on the Tailscale interface. Use ACLs to restrict access to specific trusted devices.
Option B: Cloudflare Zero Trust
Run OpenClaw behind Cloudflare Tunnel with a Zero Trust access policy that requires strong authentication (like an email OTP or SSO) before ever reaching the OpenClaw interface.
4. Lock down file permissions
- Run the gateway under a dedicated, non‑privileged OS user.
- Set strict directory permissions (700) for the `~/.openclaw` configuration folder.
- Use sandboxing (containers, VMs) for browser automation tools.
Conclusion
There is real power in self‑hosted AI that can coordinate your digital life. But as with self-hosted VPNs, torrent clients or password managers, the security bar has to rise as quickly as the hype.
OpenClaw is forcing that conversation into the mainstream. The question for 2026 is whether its community – and self‑hosters more broadly – can turn this first major security shock into a better hardened, more trustworthy wave of DIY AI.
