Security experts have discovered tens of thousands of unsecured OpenClaw instances. The AI agents run vulnerable software versions and offer attackers access to systems. More than 12,000 instances are vulnerable to remote code execution.
Researchers at SecurityScorecard have exposed a major security problem for the rapidly growing OpenClaw. Through internet scans, the team identified 28,663 unique IP addresses with exposed OpenClaw control panels spread across 76 countries.
Of the identified instances, 12,812 are vulnerable to remote code execution (RCE). This means that attackers can take complete control of the host system. 549 exposed instances correlate with previous data breach activity. Another 1,493 are linked to known vulnerabilities.
Three critical CVEs with public exploit code
Three security advisories have been published against OpenClaw, all rated high in severity. CVE-2026-25253 scores 8.8 on the CVSS scale and concerns a 1-click remote code execution vulnerability. An attacker can create a malicious link that, when clicked, steals the authentication token and gives full control over the AI agent, even when the instance is running on localhost.
CVE-2026-25157 (CVSS 7.8) is an SSH command injection in the macOS app. A malicious project path can execute arbitrary commands. CVE-2026-24763 (CVSS 8.8) concerns a Docker sandbox escape via PATH manipulation. All vulnerabilities have been patched in version v2026.1.29 of January 29. However, the data show that most identified instances are running older versions.
The Belgian Center for Cybersecurity recently warned about these critical vulnerabilities in OpenClaw, emphasizing that the agent requires access to root files, authentication data, and all system files.
Default configuration increases risk
OpenClaw automatically uses the network binding 0.0.0.0:18789. This means that it listens on all network interfaces, including the public internet. For a tool with so much power, the default should be 127.0.0.1 (localhost only), according to SecurityScorecard. The result: more than 40,000 OpenClaw instances exposed to the internet.
The exposure grew in real time during the investigation. The initial title-based search found 24,034 instances. By the time the report was completed, this number had risen to 40,214 confirmed instances via favicon fingerprinting, of which 23,505 show active control panel interfaces. Forty-five percent of the instances run on Alibaba Cloud, with 37 percent in China.
When an attacker gains access to an OpenClaw instance, they get everything the agent can access. That includes the credentials directory (~/.openclaw/credentials/) with API keys, OAuth tokens, and service passwords. Full filesystem access to SSH keys, browser profiles, and password manager databases is also possible. Attackers can send messages on behalf of the victim on WhatsApp, Telegram, or Discord, take over authenticated browser sessions, or plunder crypto wallets.
Multiple sectors affected
The exposed instances are linked to organizations from various sectors. These include information services, technology, manufacturing, telecommunications, financial services, healthcare, government, education, and entertainment.
Moltbook, the social network for AI agents built on Moltbot technology, recently gained attention for its potential to enable collaborative agents. SecurityScorecard’s research now shows the downside of unsafe deployment of this technology.