Clawdbot, the surging open-source AI agent gateway, faces escalating safety issues, with 900+ unauthenticated situations uncovered on-line and a number of code flaws that allow credential theft and distant code execution.
Clawdbot is an open-source private AI assistant that integrates with messaging platforms like WhatsApp, Telegram, Slack, Discord, Sign, and iMessage.
It contains a Gateway for management airplane operations, together with WebSocket dealing with, software execution, and credential administration, and a web-based Management UI for configuration, dialog historical past, and API key administration.
Deployed by way of npm on Node.js ≥22, it defaults to loopback binding on port 18789 however helps distant entry by way of Tailscale or reverse proxies like nginx/Caddy.
Safety researcher Jamieson O’Reilly detailed the difficulty in a January 23, 2026, X thread, highlighting misconfigurations on this well-liked open-source AI agent gateway.
O’Reilly used Shodan to question for the Management UI’s distinctive HTML title tag, “Clawdbot Management,” and located lots of of public situations shortly after deployment.
Companies like Shodan and Censys index HTTP fingerprints, equivalent to favicons or particular phrases, enabling fast discovery. Comparable scans revealed over 900+ uncovered Gateways on port 18789, a lot of which had been unauthenticated.
Shodan Outcomes
Whereas some had authentication, others left configs, Anthropic API keys, Telegram/Slack tokens, and months of chat histories totally accessible.
Clawdbot Config Publicity
The difficulty stems from localhost auto-approval in Clawdbot’s auth logic, designed for native dev however exploitable behind reverse proxies. Proxies ahead visitors by way of 127.0.0.1, bypassing checks since gateway.trustedProxies defaults to empty, ignoring X-Forwarded-For headers.
O’Reilly confirmed by way of supply code: socket addresses seem native, granting auto-access to WebSockets and UI. A GitHub challenge notes this for Management UI publicity. O’Reilly submitted a hardening PR; docs now suggest setting trustedProxies: [“127.0.0.1”] and proxy-overwriting headers to stop spoofing.
Assault Impacts
Uncovered servers allow extreme compromise. Learn entry dumps credentials (API keys, OAuth secrets and techniques) and full histories with attachments. Attackers inherit agent company: sending messages, executing instruments, or manipulating perceptions by filtering responses.
Entry TypeCompromised AssetsExploitation ExamplesConfiguration Learn API keys, bot tokens, signing secretsCredential theft for Anthropic, Telegram, SlackConversation Historical past Non-public messages, filesExfiltrate months of dataCommand ExecutionRoot shell accessPair the the attacker’s telephone for full accessSignal IntegrationDevice linking URIsPair the attacker’s telephone for full entry
Some ran as root containers, permitting arbitrary host instructions with out auth.
Clawdbot docs urge clawdbot safety audit –deep to flag exposures, tightening DM/group insurance policies and perms. For proxies, allow gateway.auth.mode: “password” by way of CLAWDBOT_GATEWAY_PASSWORD and trusted proxies. Rotate secrets and techniques post-exposure: auth tokens, mannequin keys, channel creds.
Use Tailscale Serve/Funnel or Cloudflare Tunnels as a substitute of direct binds. Newest launch (2026.1.14-1, Jan 15) predates reviews; run clawdbot physician for migrations.
Customers ought to audit exposures instantly, as AI brokers think about high-value belongings, demanding proxy hardening and least-privilege defaults.
Observe us on Google Information, LinkedIn, and X for day by day cybersecurity updates. Contact us to function your tales.
