Recent findings have highlighted a significant security breach impacting 15,200 OpenClaw control panels, with full system access available to potential attackers. This revelation underscores a serious vulnerability in the expanding ‘agentic AI’ domain, revealing how personal and corporate AI assistants have been left unprotected on the public internet.
The Scope of the Exposure
The SecurityScorecard STRIKE Threat Intelligence Team has identified that these OpenClaw instances are open to Remote Code Execution (RCE) attacks, potentially allowing complete control over host machines. A survey by STRIKE found 42,900 unique IP addresses with exposed OpenClaw panels across 82 countries, with many being personal computers or cloud-hosted AI agents unintentionally made accessible due to default settings.
The core issue arises from OpenClaw’s default network configuration, which utilizes 0.0.0.0:18789, listening on all network interfaces, rather than the more secure 127.0.0.1. This misconfiguration effectively broadcasts the control panels globally, making them vulnerable to exploitation.
Identified Vulnerabilities
Several severe vulnerabilities have been identified in older versions of OpenClaw, exacerbating the issue. These include CVE-2026-25253, a ‘1-click’ RCE flaw with a CVSS score of 8.8, allowing attackers to gain control via malicious links. Additionally, CVE-2026-25157 presents an SSH command injection vulnerability, and CVE-2026-24763, a Docker sandbox escape, poses significant threats.
Despite the release of patches in version 2026.1.29, a staggering 78% of exposed instances continue to operate on outdated versions, known as ‘Clawdbot’ or ‘Moltbot’, leaving them susceptible to these risks. The potential damage is amplified given that AI agents manage sensitive tasks, such as accessing emails and executing code.
Immediate Mitigation Measures
To combat these vulnerabilities, users are urged to update to version 2026.2.1 or later, which addresses the identified RCE issues. Key defensive steps include ensuring the software binds to localhost by setting the configuration to gateway.bind: “127.0.0.1”, rotating all stored credentials, and utilizing secure tunnels like Tailscale or Cloudflare Tunnel for remote access.
Security teams are advised to block port 18789 and monitor for unusual command-and-control traffic from internal machines. The STRIKE team also provides a ‘Declawed’ dashboard for real-time updates on vulnerable instances, allowing users to track remediation efforts.
The prevalence of advanced persistent threats (APTs), such as Kimsuky and APT28, near these exposed systems highlights the critical need for swift action. Approximately 33.8% of the exposed infrastructure is linked to known threat activities, emphasizing the urgency of securing OpenClaw deployments against potential exploitation.
