Advisory

Massive Exposure of OpenClaw AI Agents Leaves 40,000 Instances Vulnerable to Remote Takeover

Take action: If you are using the OpenClaw/Moltbot/Clawdbot AI agent, this is urgent. Reconfigure exposed instances, patch to the latest version, and rotate credentials, because your AI bot will get hacked, and with it everything you have given it access to.



Security researchers report continuous massive exposure of OpenClaw AI agents, with over 40,000 instances accessible via the public internet. These agents, formerly known as Moltbot and Clawdbot, often run with high-level system privileges, making them prime targets for exploitation. 

Current data indicates that approximately 15,200 of these instances are vulnerable to remote code execution (RCE), allowing attackers to take full control of the host systems. The exposure spans 82 countries, with a heavy concentration in major cloud hosting providers like Alibaba Cloud.

Vulnerabilities summary:

  • CVE-2026-25253 (CVSS score 8.8) - A 1-click remote code execution vulnerability that allows attackers to steal authentication tokens. By tricking a user into clicking a malicious link, an attacker gains full control over the AI agent, even if it is running on a local network. This bypasses standard authentication by directly exfiltrating the session token.
  • CVE-2026-24763 (CVSS score 8.8) - A sandbox escape vulnerability in the Docker environment caused by PATH manipulation. Attackers can manipulate environment variables to break out of the isolated container and execute code on the underlying host. This defeats the security boundaries intended to keep the AI agent's operations separate from the main operating system.
  • CVE-2026-25157 (CVSS score 7.8) - An SSH command injection vulnerability affecting the OpenClaw macOS application. A maliciously crafted project path can be used to run arbitrary commands on the host system because the application does not properly sanitize the input before passing it to SSH-related system calls.

A successful compromise grants attackers access to everything the AI agent can reach, effectively turning automation into an attack multiplier. Exposed data items include:

  • API keys and OAuth tokens in ~/.openclaw/credentials/
  • SSH keys and browser profiles
  • Password manager databases and crypto wallets
  • Authenticated sessions for WhatsApp, Telegram, and Discord

The primary cause of this widespread exposure is a default configuration that binds the application to 0.0.0.0:18789, making it listen on all network interfaces instead of just the local host. Research shows that 45% of these instances reside on Alibaba Cloud. Significant numbers of exposed instances are on Tencent Cloud and DigitalOcean. Many systems continue to run outdated versions under legacy branding that lack critical security fixes.

Users still running OpenClaw/Moltbot/Clawdbot should immediately update to OpenClaw v2026.1.29 or later. Administrators should modify the configuration file to bind the gateway to 127.0.0.1 and use a VPN or Zero Trust tunnel for remote access. After patching, it is critical to rotate all API keys and tokens, as they should be considered compromised if the instance was previously exposed. Running AI agents under unprivileged service accounts instead of root is also a very smart move.
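To check a Linux host for the exposure described above, the following added example (not from the advisory or the OpenClaw project) parses `/proc/net/tcp`-style socket tables for listeners on port 18789 and flags non-loopback binds and sockets owned by root. It assumes a little-endian host, and the sample rows are constructed for illustration.

```python
import ipaddress
import os

GATEWAY_PORT = 18789  # default gateway port named in the advisory
TCP_LISTEN = "0A"     # state code for LISTEN in /proc/net/tcp

# Constructed sample in /proc/net/tcp layout (not captured from a real host).
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:4965 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41001 1
   1: 0100007F:4965 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1001        0 41002 1
   2: 0100007F:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41003 1
   3: 0A00000A:4965 0B00000A:D431 01 00000000:00000000 00:00000000 00000000  1001        0 41004 1
"""

def decode_addr(hex_addr):
    """Decode a kernel socket-table address; assumes a little-endian host."""
    raw = bytes.fromhex(hex_addr)
    # Each 32-bit word is stored in host byte order, so reverse word by word.
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    addr = ipaddress.ip_address(packed)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return mapped if mapped is not None else addr

def audit_listeners(table_text, port=GATEWAY_PORT):
    """Return one finding per LISTEN socket on `port`."""
    findings = []
    for line in table_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 8 or fields[3] != TCP_LISTEN:
            continue
        hex_ip, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        addr = decode_addr(hex_ip)
        findings.append({
            "bind": str(addr),
            "exposed": not addr.is_loopback,       # 0.0.0.0, :: or a routable IP
            "runs_as_root": int(fields[7]) == 0,   # uid column of the socket owner
        })
    return findings

if __name__ == "__main__":
    tables = [p for p in ("/proc/net/tcp", "/proc/net/tcp6") if os.path.exists(p)]
    text_blocks = [open(p).read() for p in tables] or [SAMPLE]
    for block in text_blocks:
        for finding in audit_listeners(block):
            print(finding)
```

A finding with `exposed` set to `True` means the gateway is listening beyond localhost, so the credential rotation advice above applies to that host.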
