What Happened
OpenClaw went from niche AI framework to the most-starred GitHub repo in history in under two weeks. That growth brought millions of new deployments — most of them by people following quickstart guides that prioritized getting things running, not getting them locked down.
The scale of exposure is staggering. Security researchers scanning the internet found over 135,000 OpenClaw instances reachable from the public internet with no authentication. Over 42,000 of those had fully exposed control panels, granting anyone who found them complete access to the bot, its credentials, and the host machine.
Then the CVEs started dropping.
Three Critical CVEs in One Month
CVE-2026-25253: One-Click Remote Code Execution (CVSS 8.8)
The most severe. An attacker can achieve remote code execution on any exposed OpenClaw instance with a single crafted request targeting the skill execution pipeline. No authentication required if the gateway port is exposed (which, on 135,000+ instances, it is). Public proof-of-concept code is available. This was the vulnerability that prompted security researchers to call OpenClaw a "security nightmare."
CVE-2026-24763: Docker Sandbox Escape (CVSS 8.8)
Even users who thought they were protected by running OpenClaw in Docker weren't safe. This vulnerability allows an attacker to escape the Docker container and access the host machine's filesystem, network, and other containers. For shared hosting providers running multiple tenants on one machine, this means a compromise of one bot could expose every bot on the same host.
CVE-2026-25157: SSH Command Injection (CWE-78)
An unauthenticated SSH command injection vulnerability in the gateway. No login required. Public exploit code available. If your OpenClaw instance is reachable over SSH (which most VPS setups enable by default), an attacker can execute arbitrary commands on your server.
The Prompt Injection Zero-Day
On top of the CVEs, security researcher Marc Kohlbrugge published a full disclosure of a prompt injection zero-day in OpenClaw group chats. The attack exploited chat history spoofing to achieve admin privilege escalation, modification of the bot's personality file (SOUL.md), SSH key injection into the host, and cross-chat message access between different conversations. The vulnerability has been patched, but it illustrates how the entire stack — from the AI layer to the infrastructure layer — is an attack surface.
The Real-World Impact
These aren't theoretical risks. Users are already reporting real incidents. Bots responding in unexpected languages. API keys drained for hundreds of dollars overnight. Credentials exposed in public repositories.
One security researcher built a live scanning tool that checks for newly exposed instances every 15 minutes, discovering fresh targets continuously. The sheer volume of vulnerable deployments means automated exploitation is not just possible but economically attractive.
Why Self-Hosting Is Riskier Than You Think
The core issue isn't that OpenClaw has bugs. All software does. The issue is that self-hosting OpenClaw requires getting security right across multiple layers simultaneously, and most users don't.
- Firewall configuration: Most quickstart guides don't mention firewall rules. The gateway port (typically 3000 or 18789) listens on all interfaces by default.
- Credential management: Bot tokens and API keys sit in plaintext .env files. Over 1.5 million API keys were leaked on GitHub this year from similar setups.
- Update discipline: When CVE-2026-25253 dropped, the fix required SSHing in, pulling the latest code, running migrations, and restarting. Many instances still haven't been patched.
- Docker isn't a security boundary: CVE-2026-24763 proved that Docker containers are not sufficient isolation against a motivated attacker.
- Shared hosting is worse: VPS-based hosting providers run multiple bots on the same machine. A sandbox escape on one tenant compromises all tenants.
What Secure Hosting Actually Looks Like
If you're going to trust a service with your bot token, API keys, and an always-on AI agent, the hosting architecture needs to handle security at every layer. Not "we take security seriously" on a marketing page. Actual, verifiable architectural decisions.
| Security Layer | Self-Hosted VPS | Shared VPS Hosts | ClawFast |
|---|---|---|---|
| Isolation model | None (single tenant) | Shared OS / Docker | Per-tenant Cloudflare Container |
| Credential storage | Plaintext .env file | Plaintext .env file | AES-GCM encrypted, per-tenant salt |
| Network exposure | Open ports, public IP | Shared IP, open ports | No exposed ports, Cloudflare edge |
| DDoS protection | None unless you add it | Basic or none | Cloudflare (protects ~20% of the web) |
| CVE patching | Manual SSH + restart | Depends on provider | Automatic, same-day |
| API cost protection | None | None or eventual | Atomic rate limiting (Durable Objects) |
| Sandbox escape risk | N/A | CVE-2026-24763 applies | CF Container isolation (not Docker) |
What You Should Do Right Now
Whether you self-host or use a managed service, take these steps today.
- Check if your instance is exposed. Run a port scan against your server's public IP. If port 3000, 18789, or your SSH port is reachable without authentication, you're vulnerable to every CVE listed above.
- Patch immediately. Update to OpenClaw v2026.2.9 or later, which addresses CVE-2026-25253, CVE-2026-24763, and CVE-2026-25157. Don't wait.
- Rotate all credentials. If your instance has been publicly reachable at any point, assume your bot token and API keys are compromised. Revoke them via @BotFather and your API provider's dashboard. Create new ones.
- Set API spending limits. Anthropic, OpenAI, and other providers let you configure monthly caps. Set one. A $50 cap won't stop an attack but it stops a $5,000 bill.
- Add firewall rules. Restrict your gateway port to Telegram's IP ranges only. Block SSH from the public internet (use a VPN or SSH key-only access with fail2ban).
- Review installed skills. The skill system executes arbitrary code. Audit every third-party skill against its source. Remove anything you didn't install yourself.
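A local audit for the first and fifth steps above (gateway or SSH listeners bound to every interface, and a plaintext .env that other users on the host can read), written as an added example rather than OpenClaw or ClawFast code. The ports are the ones this page names, and the `ss -tlnp` output is a constructed sample so the script also runs on a machine without `ss`.

```python
# Added example, not OpenClaw or ClawFast code: audits a host for two exposure
# classes in the checklist, gateway/SSH listeners bound to every interface and a
# plaintext .env readable by other users. Local only; no network access needed.
import os
import re
import stat
import subprocess

AUDIT_PORTS = {3000, 18789, 22}             # gateway ports named above, plus SSH
WILDCARDS = {"0.0.0.0", "*", "[::]", "::"}  # "all interfaces" as `ss` prints it
_LISTEN_ROW = re.compile(r"^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s")  # addr, port
# Constructed sample of `ss -tlnp` output: gateway on all interfaces (bad),
# second gateway port on loopback only (fine), sshd on all IPv6 interfaces (bad).
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:3000        0.0.0.0:*         users:(("node",pid=1201,fd=21))
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*         users:(("node",pid=1201,fd=22))
LISTEN 0      128    [::]:22             [::]:*            users:(("sshd",pid=690,fd=3))
"""

def exposed_listeners(ss_output, ports=AUDIT_PORTS):
    """Return (address, port) pairs for audited ports bound on a wildcard address."""
    hits = []
    for line in ss_output.splitlines():
        m = _LISTEN_ROW.match(line.strip())
        if m and int(m.group(2)) in ports and m.group(1) in WILDCARDS:
            hits.append((m.group(1), int(m.group(2))))
    return hits

def env_world_readable(mode):
    """True if group or others can read the file; a plaintext .env should be 0600."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

def audit(ss_output, env_path=".env"):
    """Findings as strings; a missing .env is not a finding."""
    findings = [f"port {p} listens on {a} (all interfaces); firewall it or bind to 127.0.0.1"
                for a, p in exposed_listeners(ss_output)]
    if os.path.exists(env_path) and env_world_readable(os.stat(env_path).st_mode):
        findings.append(f"{env_path} is readable by other users; chmod 600 it")
    return findings

if __name__ == "__main__":
    live = True
    try:
        ss_out = subprocess.run(["ss", "-tlnp"], capture_output=True, text=True).stdout
    except FileNotFoundError:  # no `ss` on this host: demonstrate on the sample
        ss_out, live = SAMPLE_SS, False
    for finding in audit(ss_out):
        print("EXPOSED:" if live else "SAMPLE:", finding)
```

Run it from the directory holding your .env; a loopback-only gateway behind a reverse proxy produces no listener finding, which is the state the firewall step aims for.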
The Bottom Line
February 2026 proved that self-hosted OpenClaw has a real and growing attack surface. 135,000+ exposed instances, three critical CVEs, a prompt injection zero-day, and users reporting active exploitation. The fix isn't better quickstart guides — it's hosting architecture that makes these classes of vulnerabilities impossible by design. No exposed ports. No shared machines. No plaintext credentials. No manual patching. That's what ClawFast was built for.
Your AI agent deserves better security
Per-tenant container isolation. AES-GCM encrypted credentials. Cloudflare edge protection. Automatic patching. No servers to manage.