ClawReady

SecurityScorecard: 28,000+ OpenClaw Instances Exposed Online — 63% Vulnerable to Remote Code Execution

A new SecurityScorecard report published today paints a stark picture of how OpenClaw is being deployed in the wild — and how badly many of those deployments are misconfigured.

Key findings:

The headline from SecurityScorecard's researchers: "The math is simple: when you give an AI agent full access to your computer, you give that same access to anyone who can compromise it."

What's Going Wrong

The report isn't an indictment of OpenClaw itself — it's an indictment of how people are deploying it. The pattern SecurityScorecard identified:

Jeremy Turner, VP of Threat Intelligence at SecurityScorecard, noted: "For the folks that want to use the more agentic AI systems, you really need to take careful consideration in what integrations you support and what permissions you actually give."

The research also flagged that many users configure their agents with personal and company names — making it trivial for attackers to identify high-value targets among the exposed instances.

The Three CVEs

The report references three high-severity CVEs affecting OpenClaw deployments, CVSS 7.8–8.8, all with public exploit code. One of these is CVE-2026-41296 (CVSS 8.2, sandbox escape via TOCTOU race), which we covered when it was published in April. The others target gateway exposure patterns.

If you're running any version of OpenClaw older than 2026.3.31, you are vulnerable to at least CVE-2026-41296 and should patch immediately.

Is Your Setup Exposed?

Quick self-check:

  1. Is your gateway port accessible from the internet? Run curl -s https://api.ipify.org to get your public IP, then try curl http://[YOUR_IP]:18789 from a different network. If you get a response, you're exposed.
  2. Are you on a patched version? Run openclaw --version — you want 2026.4.21 or later.
  3. Is your gateway behind auth? Run openclaw doctor and check the gateway security section.
  4. Are your agent permissions scoped? Review your SOUL.md and AGENTS.md for overly broad tool grants.
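
A local complement to checks 1 and 2, as an added example that is not part of the original article or of OpenClaw: it compares a version string against the 2026.4.21 threshold above and classifies which address port 18789 is bound to. It assumes you pass in the version string yourself and feed it listener lines in the format printed by ss -ltnH; the function names and sample lines are constructed.

```shell
#!/bin/sh
# Added example. MIN_VERSION and PORT are the values quoted in the article.
MIN_VERSION="2026.4.21"
PORT=18789

# version_at_least VER MIN: exit 0 if dotted-numeric VER >= MIN, else exit 1.
# Fields are compared as numbers, so 2026.10.1 correctly sorts after 2026.4.21.
version_at_least() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 > y[i] + 0) exit 0
            if (x[i] + 0 < y[i] + 0) exit 1
        }
        exit 0
    }'
}

# bind_scope PORT: reads `ss -ltnH` lines on stdin and prints
# "non-loopback", "loopback" or "closed" for that port.
bind_scope() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4
            if (addr !~ (":" port "$")) next
            sub(/:[0-9]+$/, "", addr)   # drop the :port suffix
            sub(/%.*$/, "", addr)       # drop a %interface scope such as %lo
            if (addr ~ /^127\./ || addr == "[::1]") lo = 1
            else wide = 1               # 0.0.0.0, *, [::] or a routable address
        }
        END { print (wide ? "non-loopback" : (lo ? "loopback" : "closed")) }'
}

# Constructed sample input. On a real host: ss -ltnH | bind_scope "$PORT"
SAMPLE='LISTEN 0 4096 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*'

for v in 2026.3.30 2026.4.21; do    # constructed version strings
    if version_at_least "$v" "$MIN_VERSION"; then
        echo "$v: at or above $MIN_VERSION"
    else
        echo "$v: update needed"
    fi
done
echo "port $PORT: $(printf '%s\n' "$SAMPLE" | bind_scope "$PORT")"
```

A "non-loopback" result means the gateway accepts connections on a network-facing address; whether it is reachable from the internet still depends on the firewall and is confirmed by the external curl test in step 1.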

How to Lock Down Your Deployment

1. Never expose the gateway directly

Put your gateway behind a reverse proxy (Nginx, Caddy, Cloudflare Tunnel) with authentication. The gateway should never be on a public IP without an auth layer in front of it.

2. Use Cloudflare Tunnel for remote access

# Free, no open inbound ports required
cloudflared tunnel create openclaw
cloudflared tunnel route dns openclaw your-domain.com

3. Scope agent permissions explicitly

In SOUL.md, add explicit boundaries for what your agent can and cannot do. Don't grant filesystem, email, or calendar access unless the agent specifically needs it.

4. Keep OpenClaw updated

openclaw update
openclaw doctor

Run both commands weekly. With public exploits available for three CVEs, attackers are actively scanning for and exploiting unpatched instances.

5. Firewall your gateway port

# Block external access to gateway port.
# ufw applies the first matching rule, so add the localhost allow before the deny.
sudo ufw allow from 127.0.0.1 to any port 18789
sudo ufw deny 18789

The Bottom Line

OpenClaw is not inherently insecure — but a misconfigured OpenClaw instance is a very high-value target. You're giving an AI agent broad access to your systems; if that agent is reachable by anyone on the internet, you've handed that access to every threat actor scanning cloud IP ranges.

28,000+ exposed instances tells us the ecosystem has a serious deployment quality problem. Most of those setups were done by people following incomplete instructions or copying config from tutorials that didn't cover security.

If you're not certain your setup is hardened — it probably isn't.
