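Guide · 12 min read

Secure Your Self-Hosted OpenClaw: Don't Become One of the 135,000 Exposed Instances

Lock down your self-hosted OpenClaw with firewall rules, a reverse proxy, authentication tokens, and more.

By AutomationVPS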

Your OpenClaw Instance Might Be Wide Open Right Now

In February 2026, SecurityScorecard discovered over 135,000 OpenClaw instances publicly exposed on the internet across 82 countries. More than 15,000 were directly exploitable via a remote code execution vulnerability. Kaspersky called it "the biggest insider threat of 2026."

The root cause is surprisingly simple: older OpenClaw versions bind to 0.0.0.0:18789 by default, meaning the gateway listens on every network interface -- including your public IP. Without a gateway authentication token, anyone on the internet can connect, take control of your AI agent, and execute commands on your server.

This isn't theoretical. Infostealers are already targeting OpenClaw config files. Malicious skills on ClawHub have been used for credential exfiltration. And a vulnerability called ClawJacked (CVE-2026-25253) allowed any website to silently hijack a developer's agent through a simple WebSocket connection.

Here's how to lock your instance down properly.

Check If Your Instance Is Exposed

Before anything else, find out if your gateway is publicly accessible:

# From a different machine (or use your phone's data)
curl http://YOUR-SERVER-IP:18789/api/status

# Or scan with nmap
nmap -p 18789 YOUR-SERVER-IP

If you get a response instead of a connection timeout, your gateway is exposed. Fix it immediately.

You can also run OpenClaw's built-in security audit:

openclaw security audit

This checks gateway binding, authentication, debug flags, file permissions, and proxy configuration.

⚠️ If your instance is exposed: update to the latest version immediately, change your gateway auth token, enable firewall rules, and audit your installed skills. Assume your credentials may have been compromised.

Critical Vulnerabilities You Need to Know About

CVE-2026-25253: One-Click Remote Code Execution (CVSS 8.8)

An attacker could steal your authentication token through CSRF and execute arbitrary shell commands on your server. Patched in version 2026.1.29.

CVE-2026-32025: Authentication Bypass via Brute-Force (CVSS 7.5)

Attackers could bypass origin checks and brute-force passwords on loopback deployments. Patched in version 2026.2.25.

ClawJacked: Silent Agent Hijacking

Any website could open a WebSocket to localhost:18789, bypass origin validation, and gain full control of your agent. No plugins or user interaction required. Fixed within 24 hours, but you must be on version 2026.2.25 or later.

Malicious ClawHub Skills

Security researchers found over 1,100 malicious skills in the ClawHub marketplace disguised as crypto wallets, trading bots, and YouTube utilities. These skills can execute reverse shells, steal SSH keys, and exfiltrate credentials.

Bottom line: Update to version 2026.4.7 or later before doing anything else.

Step 1: Update to the Latest Version

# If installed via npm
npm update -g openclaw

# If using Docker
docker pull openclaw/openclaw:latest
docker-compose down && docker-compose up -d

# Verify version
openclaw --version

Target version 2026.4.7 or newer, which includes patches for all known CVEs.

Step 2: Configure Gateway Authentication

The gateway token is the master key to your OpenClaw instance. Without it, your gateway accepts any connection.

Set a Strong Token

Generate a secure token and configure it:

# Generate a strong random token
openclaw doctor --generate-gateway-token

Or set it manually in ~/.openclaw/openclaw.json:

{
  "gateway": {
    "auth": {
      "mode": "token",
      "token": "your-32-plus-character-random-string-here"
    }
  }
}

Or use an environment variable (preferred for Docker deployments):

OPENCLAW_GATEWAY_TOKEN=your-32-plus-character-random-string-here

💡 Recent versions moved the token from gateway.token to gateway.auth.token. If your token stopped working after an update, check that the config key matches your version.

Verify Token is Active

openclaw config get gateway.auth.token

Step 3: Bind to Localhost Only

The gateway should never listen on all interfaces. Restrict it to loopback:

In ~/.openclaw/openclaw.json:

{
  "gateway": {
    "mode": "local",
    "host": "127.0.0.1",
    "port": 18789
  }
}

Verify it's working correctly:

# This should show 127.0.0.1:18789, NOT 0.0.0.0:18789
netstat -tlnp | grep 18789

If you see 0.0.0.0:18789, the binding is wrong and your gateway is publicly accessible.
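
The grep above only catches the IPv4 wildcard by eye. As an added example (not part of the original guide or of OpenClaw), this Python helper parses `ss -tlnH` or `netstat -tln` output and also flags the IPv6 wildcard and specific non-loopback addresses; the sample output and the function names are constructed for illustration.

```python
import ipaddress

# Constructed sample of `ss -tlnH` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 511 [::]:18789 [::]:*
LISTEN 0 128 *:22 *:*
LISTEN 0 511 [::1]:18789 [::]:*
LISTEN 0 511 203.0.113.7:18789 0.0.0.0:*
"""

def split_local(addr):
    """Split an ss/netstat local address into (host, port)."""
    host, _, port = addr.rpartition(":")
    return host.strip("[]"), port

def classify(host):
    """Return 'loopback', 'wildcard' or 'specific' for a bind address."""
    host = host.split("%")[0]          # drop an interface scope such as %eth0
    if host in ("*", ""):
        return "wildcard"
    ip = ipaddress.ip_address(host)
    if ip.is_loopback:
        return "loopback"
    return "wildcard" if ip.is_unspecified else "specific"

def exposed_listeners(output, port="18789"):
    """Return local addresses on `port` that are reachable beyond loopback."""
    found = []
    for line in output.splitlines():
        fields = line.split()
        # ss and netstat both put the local address in the fourth column.
        if len(fields) < 5 or "LISTEN" not in fields:
            continue
        host, p = split_local(fields[3])
        if p == port and classify(host) != "loopback":
            found.append(fields[3])
    return found

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print("EXPOSED:", addr)
```

An empty result for port 18789 means every listener on that port is bound to loopback.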

Step 4: Configure Your Firewall

Even with localhost binding, a proper firewall adds defense in depth:

# Set default policies: deny inbound, allow outbound
sudo ufw default deny incoming
sudo ufw default allow outgoing

# Allow SSH
sudo ufw allow 22/tcp

# Allow HTTP/HTTPS (for reverse proxy)
sudo ufw allow 80/tcp
sudo ufw allow 443/tcp

# Rate-limit SSH to prevent brute force
sudo ufw limit 22/tcp

# Enable the firewall
sudo ufw enable

# Verify rules
sudo ufw status verbose

Do NOT open port 18789. The gateway should only be accessible via localhost or a reverse proxy.

Docker Firewall Warning

Docker modifies iptables directly, bypassing UFW. If you're running OpenClaw in Docker with published ports, Docker's port mapping overrides your firewall rules. To prevent this:

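In /etc/docker/daemon.json:

{
  "iptables": false
}

Note that with iptables management disabled, Docker no longer creates the NAT and forwarding rules that container networking relies on, so you have to maintain those rules yourself.

Or better: don't publish port 18789 in your Docker Compose. Use a Docker network and reverse proxy instead.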


Step 5: Set Up a Reverse Proxy for Remote Access

If you need to access OpenClaw from outside your server (e.g., from a mobile device), use a reverse proxy instead of exposing the gateway directly.

Nginx Configuration

server {
    listen 443 ssl http2;
    server_name openclaw.yourdomain.com;

    ssl_certificate /etc/letsencrypt/live/openclaw.yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/openclaw.yourdomain.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:18789;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (required for OpenClaw)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

Configure trusted proxies in OpenClaw to prevent auth bypass:

{
  "gateway": {
    "trustedProxies": ["127.0.0.1"]
  }
}

Without trustedProxies, all external requests appear to come from localhost, potentially bypassing authentication.
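
To see why the proxy list matters, here is a generic model of trusted-proxy client resolution, added as an example; it is not OpenClaw's implementation, and the function names and sample addresses are constructed. It walks X-Forwarded-For from right to left and only believes entries appended by a trusted hop.

```python
import ipaddress

def client_ip(peer, xff, trusted_proxies):
    """Return the address to treat as the client, or None if XFF is malformed."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    current = ipaddress.ip_address(peer)
    if current not in trusted or not xff:
        return str(current)   # header ignored: the TCP peer is the client
    # Walk right to left: a trusted hop vouches only for the entry it appended.
    for hop in reversed(xff.split(",")):
        try:
            current = ipaddress.ip_address(hop.strip())
        except ValueError:
            return None       # fail closed on a malformed entry
        if current not in trusted:
            break
    return str(current)

def treated_as_local(peer, xff, trusted_proxies):
    """True only when the resolved client is a loopback address."""
    ip = client_ip(peer, xff, trusted_proxies)
    return ip is not None and ipaddress.ip_address(ip).is_loopback

# Constructed requests as the gateway sees them behind the nginx config above:
# nginx connects from 127.0.0.1 and appends the real client to X-Forwarded-For.
VIA_NGINX = ("127.0.0.1", "198.51.100.23")
CLIENT_SENT_XFF = ("127.0.0.1", "127.0.0.1, 198.51.100.23")

if __name__ == "__main__":
    for trusted in ([], ["127.0.0.1"]):
        for peer, xff in (VIA_NGINX, CLIENT_SENT_XFF):
            verdict = "local" if treated_as_local(peer, xff, trusted) else "remote"
            print(trusted, repr(xff), "->", client_ip(peer, xff, trusted), verdict)
```

With an empty proxy list every proxied request resolves to 127.0.0.1; with the proxy listed, the appended client address is used and a client-supplied header entry is not believed.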

Even Better: Use Tailscale

For personal use, Tailscale is the simplest and most secure option. It creates a WireGuard VPN tunnel between your devices -- no port forwarding, no firewall holes, no reverse proxy needed:

# Install Tailscale on your VPS
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

# Expose OpenClaw only over Tailscale (HTTPS on the tailnet, proxied to the loopback gateway)
sudo tailscale serve --bg --https=18789 http://127.0.0.1:18789

Now access your OpenClaw instance via your Tailscale hostname from any device on your tailnet.

Step 6: Lock Down File Permissions

Your OpenClaw config file contains your gateway token and potentially API keys. Restrict access:

chmod 600 ~/.openclaw/openclaw.json
chmod 700 ~/.openclaw/

Never store API keys in plaintext config files. Use environment variables instead:

# In your .env or docker-compose.yml
ANTHROPIC_API_KEY=sk-ant-...
OPENCLAW_GATEWAY_TOKEN=your-token-here

Step 7: Audit Your Installed Skills

ClawHub has had over 1,100 malicious skills identified. Check what's installed:

openclaw skills list

For each installed skill:

  • Verify the publisher's identity and account age (new accounts are high risk)
  • Review the skill's source code before installation
  • Remove anything you don't actively use
  • Never install skills that request shell access, SSH keys, or cryptocurrency wallet access without very good reason

Treat ClawHub skills like npm packages -- assume any third-party code could be malicious until proven otherwise. Review source code, check the publisher, and use the minimum set of skills you actually need.

Step 8: Run OpenClaw as a Non-Root User

Never run OpenClaw as root. Create a dedicated user:

sudo useradd -m -s /bin/bash openclaw
sudo su - openclaw
# Install and configure OpenClaw as this user

For Docker, ensure the container runs as non-root:

services:
  openclaw:
    image: openclaw/openclaw:latest
    user: "1000:1000"
    security_opt:
      - no-new-privileges:true
    read_only: true
    tmpfs:
      - /tmp

Security Checklist

Run through this checklist for every OpenClaw VPS deployment:

  • Updated to version 2026.4.7 or later
  • Gateway auth token set (32+ characters)
  • Gateway bound to 127.0.0.1 (not 0.0.0.0)
  • Firewall enabled (UFW or iptables)
  • Port 18789 NOT exposed to internet
  • Remote access via reverse proxy or Tailscale only
  • Trusted proxies configured
  • Config file permissions set to 600
  • Running as non-root user
  • Installed skills audited
  • API keys stored as environment variables
  • Docker iptables override addressed
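
The config-related items on this checklist (token, binding, trusted proxies, file permissions) can be checked mechanically. The following Python script is an added example, not an OpenClaw tool; it uses only the config keys shown in this guide, and it assumes that an unset host falls back to the old 0.0.0.0 default and that the OPENCLAW_GATEWAY_TOKEN variable can stand in for a token in the file.

```python
import ipaddress
import json
import os
import stat

def audit_config(path, env=None):
    """Return findings for an openclaw.json file; an empty list means pass."""
    env = os.environ if env is None else env
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:                       # any group/other permission bit
        findings.append(f"file mode is {mode:o}, expected 600")
    with open(path) as fh:
        gw = json.load(fh).get("gateway", {})
    auth = gw.get("auth", {})
    if auth.get("mode") != "token":
        findings.append("gateway.auth.mode is not 'token'")
    token = auth.get("token") or env.get("OPENCLAW_GATEWAY_TOKEN")
    if not token and gw.get("token"):
        findings.append("token is under the old key gateway.token")
        token = gw["token"]
    if not token or len(token) < 32:
        findings.append("gateway token missing or shorter than 32 characters")
    # Assumption: an unset host falls back to the old 0.0.0.0 default.
    host = gw.get("host", "0.0.0.0")
    try:
        loopback = ipaddress.ip_address(host).is_loopback
    except ValueError:
        loopback = host == "localhost"
    if not loopback:
        findings.append(f"gateway.host is {host}, not a loopback address")
    if not gw.get("trustedProxies"):
        findings.append("gateway.trustedProxies is not set")
    return findings

if __name__ == "__main__":
    target = os.path.expanduser("~/.openclaw/openclaw.json")
    for finding in audit_config(target):
        print("FAIL:", finding)
```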

VPS Providers With Built-In Security Features

Some VPS providers make security easier out of the box:

Provider | Security Features | Starting Price
DigitalOcean | Cloud firewalls, VPC, monitoring | $6/mo
Hostinger | DDoS protection, weekly backups | $6.49/mo
Vultr | DDoS protection, firewall rules, private networking | $5/mo
Contabo | DDoS protection, snapshots | $4.50/mo

DigitalOcean's cloud firewalls are particularly useful -- you can block port 18789 at the infrastructure level, before traffic even reaches your VPS.


Conclusion

Securing OpenClaw isn't optional -- it's urgent. The combination of default-open configurations, rapid adoption, and active exploitation makes unsecured instances a serious risk. The good news is that the fixes are straightforward: update, set a token, bind to localhost, enable a firewall, and use a reverse proxy or VPN for remote access.

Take 30 minutes to run through the checklist above. It's the difference between a secure personal AI agent and an open door to your server.
