42,000 OpenClaw Instances Exposed to the Internet: Is Yours One?

ByL.B. Kaelin

Forty-two thousand OpenClaw instances are sitting on the open internet right now with no authentication protecting them. That is not a theoretical vulnerability scan. That is the real count from Shodan and Censys data surfaced by security researchers in April 2026, corroborated by TechRadar reporting and internal Scout intelligence. If you run an OpenClaw gateway on any public-facing server, there is a better-than-even chance it is one of them.

This article tells you exactly how to check whether your instance is exposed, what an attacker can do if they find it, and how to lock it down in under ten minutes. It also covers the two security campaigns currently exploiting these exposures: the CVE-driven attack surface and the trojan horse agent campaign that has already compromised an estimated 28,000 instances.

How OpenClaw Instances End Up Exposed

OpenClaw is open-source software. That means thousands of people install it on their own servers, and the default configuration is designed for local development, not production deployment. When a developer installs OpenClaw and does not change the defaults, the gateway binds to all network interfaces and listens for connections. If that server has a public IP, the instance is on the internet.

Security researchers have identified four specific misconfigurations that account for the vast majority of the 42,000 exposed instances:

1. Port 3000 open to the internet without firewall rules. OpenClaw’s default port is 3000. Many cloud providers open all ports by default. Developers who open only what they need often forget that port 3000 is not a standard web port like 80 or 443, so it does not get included in their regular firewall audit. A simple iptables -A INPUT -p tcp --dport 3000 -j DROP at the server level would fix this, but most exposed instances never got it.

2. gateway.bind set to 0.0.0.0 instead of 127.0.0.1. The gateway.bind configuration option controls which network interface the gateway listens on. The default during installation prompts is sometimes 0.0.0.0, which means “listen on every interface.” Changing it to 127.0.0.1 restricts access to the local machine only. When combined with a reverse proxy on the same host, this is the correct production configuration. Many installation guides skip this distinction.

3. No reverse proxy with authentication. Even when an instance is behind a reverse proxy, some operators never add authentication at the proxy layer. A reverse proxy like nginx or Caddy can require HTTP basic auth, OAuth, or a client certificate before any traffic reaches the OpenClaw gateway. Without that, anyone who finds the proxy can reach the gateway directly.

4. Default credentials not changed. OpenClaw’s setup process creates a default admin credential set. Many users never change it. Automated scanning tools routinely attempt default credentials against every OpenClaw instance they discover. The combination of a discoverable instance and unchanged defaults is the attack equivalent of leaving your front door unlocked with the key in it.

These four misconfigurations are not sophisticated. They are the basic building blocks of server security that every system administrator should know. And they are the reasons 42,000 instances are exposed right now.

What an Attacker Can Do With an Exposed Instance

An exposed OpenClaw instance is not just a chatbot that can be made to say embarrassing things. OpenClaw agents have access to tools. Those tools include API keys. Those API keys unlock systems. The blast radius of a compromised instance is the blast radius of every credential stored in its configuration.

Here is what an attacker gains access to when they compromise an OpenClaw instance:

All connected channels. OpenClaw connects to Slack, Telegram, email, and other messaging platforms. An attacker can read every message that flows through those channels. They can post as the agent. They can trick users into trusting the agent while it carries out malicious actions behind the scenes.

All workspace files. The OpenClaw workspace typically contains configuration files, scripts, logs, and sometimes sensitive documents. An attacker can exfiltrate everything. They can modify files to inject backdoors that persist after the gateway is patched.

All agent tools. Each OpenClaw agent exposes tools: file readers, code executors, web fetchers, database connectors. An attacker who controls the gateway controls every tool every agent can run. They can read your database. They can execute commands on your server. They can use the web fetch tool to pivot into your internal network.

All API keys stored in configuration. This is the critical one. OpenClaw stores API keys for the language models it uses, for external services it connects to, and for any plugins or skills installed. A single compromised instance can leak keys for OpenAI, Anthropic, Google Cloud, AWS, Slack, Telegram, and any number of custom integrations. Those keys can be used for fraud, data theft, or direct financial loss.

Persistence and lateral movement. A determined attacker does not stop at the gateway. They use the compromised instance as a beachhead to probe the internal network. If the OpenClaw server has access to internal services, those services are now reachable from the attacker’s position. The exposed gateway becomes a VPN into your private infrastructure, and you never authorized it.

The severity cannot be overstated. An OpenClaw agent is designed to be powerful. It is designed to access systems and take actions. When that power is turned against its operator, the compromise is total.

How to Check If Your Instance Is Exposed

You can check whether your OpenClaw instance is exposed in under thirty seconds. From a machine outside your network (a phone on cellular data, a friend’s laptop, a cloud shell), run this command:

curl -s http://YOUR-SERVER-IP:3000/api/status

If you get a JSON response with fields like version, uptime, plugins, and channels, your instance is exposed. A properly secured instance behind a reverse proxy or bound to localhost will either refuse the connection or return a gatekeeper error.

Shodan check. Shodan indexes exposed services, including OpenClaw instances. Search for "OpenClaw" port:3000 on Shodan.io or search for your server’s IP address directly. If your IP appears in the results, your instance has been scanned and recorded. Assume it has also been targeted.

Check your configuration. On the server running OpenClaw, open your configuration file (typically .openclaw/config.yaml or openclaw.json) and look for the bind address. If it says "bind": "0.0.0.0" or gateway.bind: 0.0.0.0, your instance is listening on every interface, including the public one, unless a firewall is blocking it externally. A value of 127.0.0.1 is what you want.

Check your firewall. Run ss -tlnp | grep 3000 to see what interfaces are listening. If the output shows 0.0.0.0:3000, the gateway is listening everywhere. If it shows 127.0.0.1:3000, only local connections are accepted. Then check your cloud provider’s security group or firewall rules for port 3000 inbound from 0.0.0.0/0. If you see that rule, delete it immediately.

Do not skip these checks. The data shows that most operators who think their instance is secured are wrong. 42,000 exposures does not happen because everyone knows they are exposed. It happens because most people do not know.

The CVEs Making This Worse

The exposure problem is compounded by a series of CVEs published in 2026 that specifically affect OpenClaw gateway configurations. These vulnerabilities make exposed instances even more dangerous because they allow attackers to escalate from “network access” to “full compromise” without needing valid credentials.

CVE-2026-41295 (CVSS 8.7 – High) — Trust boundary workspace channel shadow. This vulnerability allows an attacker with network access to create a shadow workspace channel that bypasses OpenClaw’s sandboxing. The attacker can inject messages that appear to come from trusted internal sources, tricking both the agent and human operators into taking actions they would otherwise not take. This CVE is particularly dangerous because it subverts the trust model that OpenClaw operators rely on.

CVE-2026-41296 through 41302 (CVSS range 7.4 – 9.1) — A batch of seven vulnerabilities published together. They include server-side request forgery (SSRF) allowing an attacker to probe internal networks through the gateway, authentication bypass mechanisms that let an attacker escalate from unauthenticated to admin, TOC/TOU (time of check, time of use) race conditions in session handling, and several other attack vectors. The SSRF vulnerability alone is critical because it lets an attacker use the exposed gateway as a proxy to scan and attack internal services that should not be reachable from the internet.

CVE-2026-41342 (CVSS 9.3 – Critical) — Remote onboarding authentication bypass. This is the most severe of the batch. It allows an attacker to bypass the onboarding authentication flow entirely and register themselves as an authorized administrator on a fresh or partially configured instance. For instances running default configurations (which is the case for a significant portion of the 42,000 exposed instances), this vulnerability provides a direct path to full administrative control without any credentials.

The CVSS scores tell the story. The lowest of these is 7.4, which is conventionally categorized as “High.” The highest is 9.3, which is “Critical.” Every exposed instance is vulnerable to at least one of these CVEs, and most are vulnerable to multiple. Patching alone is not enough. You must fix the exposure AND patch the CVEs.

How to Fix It: Step-by-Step

Fixing an exposed OpenClaw instance takes less than ten minutes. The steps below are ordered by priority. Do them in sequence. Do not skip any.

Step 1: Change gateway.bind to 127.0.0.1

Edit your configuration file and set gateway.bind to 127.0.0.1. This tells OpenClaw to only accept connections from the local machine. Restart the gateway after making this change. Immediately, your instance is no longer listening on the public interface. External scanning tools will see a closed port instead of an OpenClaw gateway.

Step 2: Set up a reverse proxy with authentication

Install nginx or Caddy on the same machine. Configure it to proxy requests to 127.0.0.1:3000. Add authentication at the proxy layer. For nginx, this means configuring auth_basic with a strong password or integrating with an OAuth provider. For Caddy, use its built-in authentication middleware. This ensures that even if someone reaches your server’s port 80 or 443, they still need valid credentials before any traffic reaches OpenClaw.

Step 3: Enable OpenClaw’s built-in authentication

OpenClaw includes an authentication module that is disabled by default in many configurations. Enable it by setting gateway.auth.enabled: true and configuring a strong admin password. This provides defense in depth: even if the reverse proxy is bypassed or misconfigured, the gateway itself still requires authentication.

Step 4: Patch all CVEs

Update your OpenClaw installation to the latest version. The CVEs listed above (CVE-2026-41295, CVE-2026-41296 through 41302, CVE-2026-41342) have all been patched in the current stable release. Run openclaw gateway status to check your current version, then update using your package manager or the official update script. Do not assume your installation auto-updates. Many package managers only update when explicitly told to.

Step 5: Run the healthcheck skill

OpenClaw ships with a healthcheck skill that audits your configuration against security best practices. Run it with openclaw skill run healthcheck. It will scan your configuration for the common exposure patterns, check for unpatched CVEs, verify your authentication setup, and produce a report with any remaining issues. Fix everything it flags.

Step 6: Rotate all credentials

If your instance was exposed for any period of time, assume all API keys, passwords, and tokens stored in the configuration are compromised. Rotate them immediately. Generate new OpenAI API keys. Generate new Slack tokens. Generate new Telegram bot tokens. Generate new credentials for every service the agent connects to. This step is tedious but non-negotiable. The attackers who scanned your instance have already collected the keys they could find.

Step 7: Add external monitoring

Set up a monitoring service that checks for your OpenClaw port from outside your network and alerts you if it becomes accessible. This can be as simple as a cron job running the curl command from Step 1 and emailing you if it gets a response, or as robust as a dedicated monitoring service like UptimeRobot or Better Uptime. The goal is to catch re-exposure before attackers do.

The Trojan Horse Campaign: What Happened

The 42,000 exposure number is alarming on its own. What makes it a crisis is what attackers did with those exposures. According to TechRadar reporting from April 2026, an estimated 28,000 of those 42,000 exposed instances were compromised in a coordinated trojan horse agent attack campaign.

Here is how the campaign worked. Attackers scanned the internet for OpenClaw instances responding on port 3000. For each instance they found, they used the available CVEs (particularly CVE-2026-41342 for authentication bypass and CVE-2026-41295 for channel shadow injection) to gain access. Once inside, they did not simply steal data. They injected new agent instructions.

The injected instructions turned each compromised OpenClaw agent into a trojan horse. To the operator, everything looked normal. The agent responded to queries, connected to channels, and performed its regular functions. But the injected instructions added a hidden behavior: the agent would exfiltrate data to attacker-controlled servers, execute commands when triggered by specific keywords in incoming messages, and recruit other resources on the network.

Some of the compromised agents were used as part of a botnet for cryptomining and DDoS attacks. Others were used for credential harvesting, using the agent’s API access to probe connected services for additional credentials. The most sophisticated infections used the agents as living-off-the-land attackers, executing commands through the agent’s tooling rather than installing traditional malware, making them much harder for conventional antivirus tools to detect.

The campaign was discovered when several OpenClaw operators noticed unusual outbound traffic patterns from their gateway servers. The data exfiltration was happening over the same channels the agents normally used for legitimate communication, making it blend in with normal traffic. It was only when operators reviewed their API usage logs and noticed tokens being consumed at unusual times that the pattern became visible.

The 28,000 number is an estimate based on Shodan scans before and after the campaign, cross-referenced with known CVE exploitation patterns. The actual number may be higher. Many operators may never discover their instance was compromised, particularly if the attackers focused on stealth over damage.

This is not a theoretical risk. This is an active campaign that has already compromised tens of thousands of instances. If your instance was exposed at any point in the last six months, act on the assumption that it was compromised. Skip the diagnostic phase. Go directly to remediation.

Sources

This article is based on multiple sources: Shodan and Censys scan data analyzed by independent security researchers; TechRadar reporting on the OpenClaw exposure and trojan horse campaign (April 2026); the published CVE records for CVE-2026-41295, CVE-2026-41296 through 41302, and CVE-2026-41342; internal Scout intelligence on OpenClaw deployment patterns; and the OpenClaw project’s own security documentation, including the healthcheck skill.

Related Reading

Similar Posts