Immediate Steps to Secure an Exposed Gateway
If your gateway is exposed:
1) Immediately set gateway.bind to loopback in your config.
2) Restart the gateway.
3) Rotate your gateway auth token.
4) Rotate all API keys that may have been exposed.
Post-Exposure Security Audit
5) Check gateway logs for unauthorized access.
6) Enable Docker sandboxing.
7) Set up firewall rules.
8) Run openclaw doctor to identify additional issues.
Gateway Port Security Best Practices
Never expose port 18789 publicly.
Understanding the CVE and Exposure Risk
CVE-2026-25253 revealed that OpenClaw's default gateway configuration binds to 0.0.0.0 (all interfaces), making it accessible from any network. Attackers exploiting this vulnerability gained remote code execution capabilities, allowing them to read your configuration files (including API keys), send messages through your connected accounts, access integrated services like Gmail and Google Calendar, and potentially pivot to other systems on your network. Security researchers identified over 30,000 publicly exposed OpenClaw instances using internet scanning tools like Shodan and Censys.
How to Detect If You Were Compromised
Review your gateway logs (typically at .openclaw/logs/gateway.log) for any requests originating from IP addresses you do not recognize. Check your LLM API provider dashboard for unusual usage spikes that could indicate someone was using your API keys. Review your Gmail sent folder and WhatsApp message history for communications you did not initiate. If you use cloud hosting, check your provider's network traffic logs for connections to port 18789 from external IPs. Any evidence of unauthorized access means you should treat all connected credentials as compromised.
Complete Remediation Steps
After binding the gateway to 127.0.0.1 and restarting, rotate every credential that was stored in or accessible through your OpenClaw configuration: LLM API keys, OAuth tokens for Gmail and calendar, WhatsApp session tokens, and the gateway authentication token itself. Revoke and re-authorize all OAuth connections to ensure old tokens are invalidated. Set up UFW or iptables rules to block all inbound traffic to port 18789, enable Docker sandboxing to limit what the agent process can access, and consider placing the gateway behind a reverse proxy like Caddy or nginx with TLS and HTTP basic auth for an additional security layer.
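As an added example (not OpenClaw's own code), the following Python script applies two of the checks described above: it tests whether a gateway.bind value actually keeps the port on loopback, and it scans gateway.log for requests from addresses outside loopback and private LAN ranges, separating accepted requests from rejected ones. The log line layout, the field names and the sample entries are constructed assumptions, since this page does not show the real log format; adapt LOG_RE to the lines in your own gateway.log.

```python
import ipaddress
import re

# Address ranges treated as local. ipaddress's is_private also counts the
# documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) as
# private, so an explicit allowlist is used instead of that property.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "::1/128", "fc00::/7",
)]

# Assumed line layout; the real gateway.log format is not shown on this page.
LOG_RE = re.compile(r"ip=(?P<ip>\S+)\s+path=(?P<path>\S+)\s+status=(?P<status>\d+)")

# Constructed sample log lines (not real OpenClaw output).
SAMPLE_LOG = """\
2026-02-01T10:00:01Z INFO request ip=127.0.0.1 path=/api/sessions status=200
2026-02-01T10:00:05Z INFO request ip=192.168.1.20 path=/api/config status=200
2026-02-01T10:02:13Z INFO request ip=203.0.113.45 path=/api/config status=200
2026-02-01T10:02:14Z INFO request ip=203.0.113.45 path=/api/messages/send status=200
2026-02-01T10:03:00Z INFO request ip=198.51.100.7 path=/api/sessions status=401
"""


def is_local(ip_str):
    """True for loopback and private-LAN addresses; unparsable strings are not local."""
    try:
        ip = ipaddress.ip_address(ip_str)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_NETS)


def external_requests(log_text):
    """Summarise non-local requests as {ip: {"requests": n, "succeeded": m}}.

    A 2xx response to an outside address is evidence of unauthorized access;
    a rejected request still shows the port was reachable from the internet.
    """
    summary = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m or is_local(m["ip"]):
            continue
        entry = summary.setdefault(m["ip"], {"requests": 0, "succeeded": 0})
        entry["requests"] += 1
        if m["status"].startswith("2"):
            entry["succeeded"] += 1
    return summary


def bind_is_loopback(bind):
    """Check a gateway.bind value: only a loopback address keeps the port off the network."""
    try:
        return ipaddress.ip_address(bind).is_loopback
    except ValueError:
        return False


if __name__ == "__main__":
    print("bind 0.0.0.0 is safe:", bind_is_loopback("0.0.0.0"))
    for ip, counts in external_requests(SAMPLE_LOG).items():
        print(f"{ip}: {counts['requests']} requests, {counts['succeeded']} succeeded")
```

Run it against the real file with `external_requests(open(".openclaw/logs/gateway.log").read())` once LOG_RE matches your log lines; any address with a non-zero "succeeded" count means the credentials listed above must be rotated.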