In early 2026, security researchers discovered that more than 30,000 OpenClaw instances were reachable from the public internet with no authentication whatsoever. The root cause was CVE-2026-25253 combined with the fact that most users never changed the default gateway configuration. The result was full remote code execution on thousands of machines running personal AI agents loaded with API keys, email access, and calendar data.
What Is CVE-2026-25253?
CVE-2026-25253 is a critical vulnerability in the OpenClaw gateway daemon. When OpenClaw starts for the first time, it binds its REST API to 0.0.0.0:3000 by default rather than 127.0.0.1. That single configuration choice means the gateway is reachable from any network interface, including the public internet on VPS and cloud deployments. Combined with the absence of authentication on the default API routes, anyone who found the open port could send commands directly to the agent, read conversation history, and execute arbitrary shell commands through the built-in tool system.
Why Default Configurations Are Dangerous
OpenClaw ships with developer-friendly defaults that prioritize ease of setup over security. This is a common pattern in open-source software, but it becomes critical when the software has direct access to your email, calendar, files, and API keys. Most self-hosted users follow the quick-start guide, confirm the agent is responding, and stop there. They never restrict the bind address, add firewall rules, or enable authentication. Our OpenClaw security guide covers why this gap exists and how to close it.
How Gateway Exposure Happens
The typical exposure path looks like this. A user spins up a VPS on DigitalOcean, Hetzner, or AWS. They install OpenClaw following the README, which does not mention firewall configuration. The gateway binds to all interfaces. The cloud provider's default security group allows inbound traffic on all ports, or the user opens port 3000 for testing and forgets to close it. Within minutes, automated scanners find the open gateway. This is exactly the scenario described in our gateway exposure guide. The OWASP Foundation classifies this pattern under Security Misconfiguration, consistently one of the top ten web application risks.
The 9-Step Hardening Process
Every deployment we deliver at iClaudebot includes a 9-step security hardening process specifically designed to prevent this class of exposure. The steps include binding the gateway to localhost only, configuring UFW or iptables firewall rules, enabling Docker network isolation, setting up OAuth middleware through Composio, restricting the exec allowlist so the agent cannot run arbitrary commands, enabling audit logging, rotating all credentials, configuring automated health checks, and performing a final penetration test against the exposed surface. Our security checklist provides the complete step-by-step procedure.
What to Do If You Are Already Exposed
If you are running OpenClaw on a VPS or any internet-connected machine and you have not explicitly hardened it, assume it has been accessed. Start by restricting the gateway bind address to 127.0.0.1 in your gateway.config.json and restarting the service. Then immediately rotate every API key, OAuth token, and credential the agent had access to. Check the audit logs if they exist, or review your shell history for commands you did not issue. After containment, follow the full hardening process or reach out to us for a professional security hardening engagement.
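To confirm the bind-address change took effect, the listener table can be checked directly. The script below is an added example, not OpenClaw or iClaudebot code: it classifies listeners on port 3000 from `ss -Hltn` output, and the function name, verdict labels and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not OpenClaw or iClaudebot code). Port 3000 and the
# 0.0.0.0 vs 127.0.0.1 distinction come from the article.
GATEWAY_PORT=3000

# Reads `ss -Hltn` lines on stdin; prints one verdict per listener on port $1.
# Exit status 0: loopback only or not listening. 1: reachable beyond loopback.
classify_listeners() {
    awk -v port="$1" '
    {
        la = $4                          # 0.0.0.0:3000, [::]:3000, *:3000 ...
        n = match(la, /:[0-9]+$/)        # port follows the last colon
        if (!n || substr(la, n + 1) != port) next
        addr = substr(la, 1, n - 1)
        gsub(/^\[|\]$/, "", addr)        # strip IPv6 brackets
        if (addr == "0.0.0.0" || addr == "::" || addr == "*") {
            print "EXPOSED all-interfaces " la; bad = 1
        } else if (addr ~ /^127\./ || addr == "::1") {
            print "OK loopback " la
        } else {
            print "REVIEW non-loopback " la; bad = 1
        }
    }
    END { exit (bad ? 1 : 0) }'
}

# Constructed samples of `ss -Hltn` output, not captured from a real host.
sample_default() {
    cat <<'EOF'
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      511          0.0.0.0:3000       0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
EOF
}
sample_hardened() {
    cat <<'EOF'
LISTEN 0      511        127.0.0.1:3000       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
EOF
}

sample_default  | classify_listeners "$GATEWAY_PORT" || echo "-> gateway reachable beyond loopback"
sample_hardened | classify_listeners "$GATEWAY_PORT" && echo "-> gateway bound to loopback only"
```

On a live host, pipe `ss -Hltn` into `classify_listeners 3000` after restarting the service. A loopback verdict covers only the bind address; firewall rules and any reverse proxy in front of the gateway still need their own review.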
The Bigger Picture
AI agents are not chatbots. They have real access to real systems. An exposed OpenClaw instance is not just an information leak; it is full remote access to your digital life or business. The 30,000 exposed instances in 2026 are a wake-up call for anyone self-hosting AI infrastructure. Security is not optional, and default configurations are not production-ready.