Remote OpenClaw Blog
Is Your OpenClaw Exposed? How to Check and Lock It Down
6 min read ·
Remote OpenClaw Blog
6 min read ·
In March 2026, internet scanning platform Censys identified over 135,000 OpenClaw instances exposed on the public internet. These instances had their gateway API (port 18789) open to any IP address on the internet, with no authentication required.
The exposed instances span 82 countries, with the highest concentrations in the United States (31,400), Germany (18,200), and China (14,800). Most are running on cloud VPS providers like DigitalOcean, Hetzner, and AWS Lightsail where default firewall rules allow all inbound traffic.
An exposed OpenClaw instance is not just a theoretical risk. With the gateway API open, an attacker can send commands to your agent, read your conversation history, extract your API keys, and execute arbitrary code on your server. This is the equivalent of leaving your server's SSH port open with no password.
Between March 8 and March 12, 2026, 9 CVEs were disclosed against OpenClaw in just 4 days. Two of them are critical:
This vulnerability allows unauthenticated remote code execution through the OpenClaw gateway API. An attacker who can reach port 18789 can send a specially crafted request that executes arbitrary commands on the host machine with the same privileges as the OpenClaw process.
The vulnerability was disclosed via the National Vulnerability Database and affects all OpenClaw versions prior to 2026.3.2. It is patched in version 2026.3.2 and later.
This vulnerability enables prompt injection attacks to execute system commands through OpenClaw's unrestricted tool access. An attacker who can send messages to your agent (through Telegram, WhatsApp, or any connected channel) can craft prompts that trick the agent into running arbitrary tools.
This CVE is the direct reason OpenClaw 2026.3.2 disabled tools by default. It is patched by the new tool permission system, but only if you update and do not blindly re-enable all tools with tools.enabled true.
The full list of 9 CVEs is tracked in the OpenClaw GitHub security advisories. All are patched in version 2026.3.2+.
Run these checks from a machine that is not on the same network as your OpenClaw server. Use your phone's mobile data or a separate VPS:
# Check if the gateway port is open from the internet
nmap -p 18789 your-server-ip
# Expected SAFE output:
# PORT STATE SERVICE
# 18789/tcp filtered unknown
# EXPOSED output (fix immediately):
# PORT STATE SERVICE
# 18789/tcp open unknownSearch for your server's IP address on search.censys.io. If it appears in results with port 18789 open, your instance is indexed and visible to automated scanners worldwide.
Use the Remote OpenClaw Security Checker tool, which tests for open ports, missing authentication, outdated versions, and known CVE exposure in a single scan.
Block all inbound traffic to port 18789 from the public internet. Only allow connections from trusted IP addresses or your Tailscale network:
# UFW (Ubuntu/Debian)
sudo ufw deny 18789
sudo ufw allow from 100.64.0.0/10 to any port 18789 # Tailscale range
# iptables
sudo iptables -A INPUT -p tcp --dport 18789 -j DROP
sudo iptables -A INPUT -p tcp -s 100.64.0.0/10 --dport 18789 -j ACCEPT
# Also block the Control UI port if exposed
sudo ufw deny 3000
sudo ufw allow from 100.64.0.0/10 to any port 3000After applying firewall rules, re-run the nmap scan from an external machine to confirm port 18789 now shows as filtered or closed.
Tailscale creates a private mesh network between your devices. Once configured, your OpenClaw instance is only accessible through the Tailscale network — it has no public IP exposure at all.
# Install Tailscale on your OpenClaw server
curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up
# Configure OpenClaw to listen only on Tailscale IP
openclaw config set gateway.bindAddress 100.x.x.x # Your Tailscale IP
openclaw config set controlUI.bindAddress 100.x.x.x
# Restart to apply
sudo systemctl restart openclawWith Tailscale configured, you access your OpenClaw Control UI at http://100.x.x.x:3000 instead of the public IP. The gateway API is similarly restricted to Tailscale-only access.
Marketplace
Free skills and AI personas for OpenClaw — browse the marketplace.
Browse the Marketplace →For the full Tailscale setup walkthrough, see OpenClaw Tailscale Remote Access.
Even behind Tailscale, add authentication to the gateway API as a defense-in-depth measure:
# Generate a strong API key
openssl rand -hex 32
# Set the gateway authentication key
openclaw config set gateway.authToken "your-generated-key-here"
# Enable authentication requirement
openclaw config set gateway.requireAuth trueAfter enabling auth, all API requests to the gateway must include the authentication token in the header. Unauthenticated requests receive a 401 response. This protects against scenarios where Tailscale is misconfigured or a device on your Tailscale network is compromised.
As covered in detail in OpenClaw Tools Disabled After Update: How to Fix It, version 2026.3.2 introduced granular tool permissions. Enable only the tool categories your agent needs:
# Enable only necessary tool categories
openclaw config set tools.allow messaging,calendar,email
# Do NOT use tools.enabled true unless you have a specific reason
# to grant unrestricted tool accessRestrict filesystem access unless your agent specifically needs to read or write files. Restrict web access unless your agent needs to make HTTP requests. Each enabled category expands the potential blast radius of a compromised agent.
ClawHub is the community skill repository for OpenClaw, similar to npm for Node.js or PyPI for Python. In March 2026, security researchers identified multiple malicious skills on ClawHub that appeared legitimate but contained hidden payloads.
The malicious skills used techniques like data exfiltration (silently sending conversation history to external servers), credential harvesting (extracting API keys from the agent's environment), and cryptomining (using your server's CPU for cryptocurrency mining).
Before installing any skill from ClawHub:
actions blockFor the complete security hardening process, see the OpenClaw 3-Tier Security Hardening Guide.
Run nmap -p 18789 your-server-ip from an external machine. If port 18789 shows as "open," your OpenClaw gateway is publicly accessible. You can also search for your server IP on Censys to see if it appears in their scan results. The Remote OpenClaw security checker tool automates this process.
CVE-2026-32922 (CVSS 9.9) allows unauthenticated remote code execution through the gateway API. CVE-2026-25253 (CVSS 8.8) enables prompt injection to execute system commands. Both are patched in OpenClaw 2026.3.2 and later. Update immediately if you are running an older version.
Tailscale eliminates public internet exposure, which addresses the most common attack vector. However, it does not protect against prompt injection, malicious skills from ClawHub, or compromised API keys. A complete security setup combines Tailscale networking with gateway authentication, execution approval controls, and tool permission restrictions.