The Docker Mistake That Exposes 63% of OpenClaw Instances

Over 40,000 OpenClaw instances were found exposed on the public internet. 63% were vulnerable to remote exploitation. The misconfiguration takes 30 seconds to make and hands attackers full control.

Clawctl Team

Product & Engineering

A guy runs OpenClaw on his home server for two weeks. Checks his logs.

11,000 attacks in a single 24-hour window.

He's not special. He's average. Every OpenClaw instance exposed to the internet sees this. Most people just never check.

40,000 Instances. Wide Open.

By the time CVE-2026-25253 was publicly disclosed on February 3, researchers had already found over 40,000 OpenClaw instances exposed on the open internet.

63% were assessed as vulnerable to remote exploitation.

Not "theoretically vulnerable." Not "vulnerable under specific conditions." Vulnerable. Right now. No special tools needed.

That's roughly 25,000 machines where an attacker could gain full control by getting someone to click a link.

The One-Click Attack

Here's how CVE-2026-25253 works. It's almost embarrassingly simple.

OpenClaw runs a local server with a web UI. The Control UI accepts a URL parameter called gatewayUrl. It connects to whatever you put in that field and sends your authentication token along for the ride.

No origin validation on the WebSocket connection. No check that the gateway URL is actually yours.

So an attacker creates a webpage. Embeds a crafted URL. You click it. Your browser connects to the attacker's server, sends your OpenClaw auth token, and it's over.

From there: full code execution on your machine. Every file. Every credential. Every API key.

One click. That's all it took.

The OpenClaw team patched it in two days. But how many of those 40,000 exposed instances updated in time?
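
The missing check described in this section, as an added example that is not OpenClaw's code or its actual patch: a gatewayUrl query parameter is validated against an exact-origin allowlist before any token would be sent to it. The function names, the ws/wss schemes and the allowlisted origins are assumptions made for illustration.

```javascript
// Added example: a hypothetical allowlist check, not OpenClaw's code or its patch.
// Constructed sample origins this UI may send its auth token to.
const TRUSTED_GATEWAY_ORIGINS = new Set([
  "ws://127.0.0.1:3000",
  "ws://localhost:3000",
  "wss://gateway.example.internal",
]);

// Validate a gatewayUrl value before any connection (and token) is sent to it.
function checkGatewayUrl(raw, trusted = TRUSTED_GATEWAY_ORIGINS) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "not a valid absolute URL" };
  }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") {
    return { ok: false, reason: `scheme ${u.protocol} is not ws/wss` };
  }
  if (u.username || u.password) {
    return { ok: false, reason: "userinfo in URL is not allowed" };
  }
  // Exact scheme + host + port comparison; never prefix or substring matching.
  const origin = `${u.protocol}//${u.host}`;
  if (!trusted.has(origin)) {
    return { ok: false, reason: `origin ${origin} is not allowlisted` };
  }
  return { ok: true, reason: "allowlisted", url: u.href };
}

// Read gatewayUrl from a query string; a rejected value falls back to the default,
// so a crafted link cannot redirect the token.
function resolveGateway(search, fallback = "ws://127.0.0.1:3000") {
  const raw = new URLSearchParams(search).get("gatewayUrl");
  if (raw === null) return { url: fallback, overridden: false };
  const verdict = checkGatewayUrl(raw);
  return verdict.ok
    ? { url: verdict.url, overridden: true }
    : { url: fallback, overridden: false, rejected: verdict.reason };
}

// Constructed inputs: one legitimate override, three lookalikes.
for (const q of [
  "?gatewayUrl=ws://localhost:3000/ws",
  "?gatewayUrl=wss://attacker.example/ws",
  "?gatewayUrl=ws://127.0.0.1:3000@attacker.example/",
  "?gatewayUrl=wss://gateway.example.internal.attacker.example/",
]) console.log(q, "->", JSON.stringify(resolveGateway(q)));
```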

The Docker Mistake Everyone Makes

Most of those exposed instances share the same misconfiguration. It goes like this:

You want OpenClaw accessible remotely. So you bind the port in Docker:

ports:
  - "0.0.0.0:3000:3000"

Or worse, you don't specify a bind address at all — and Docker defaults to binding on all interfaces.

You think: "I'll put nginx in front. I'll add auth later."

Later never comes.

Even when it does, there's a subtlety that kills you. OpenClaw trusts requests that appear to come from localhost. Your reverse proxy forwards the request. The origin headers get stripped or mangled. OpenClaw sees "localhost" and waves it through.

No auth check. Full admin access. From the public internet.

This isn't a Docker bug. It's not an OpenClaw bug. It's the gap between "meant for localhost" and "deployed to a server." A gap that catches people every single time.

What Attackers Actually Do

Once they find an exposed instance, the playbook is predictable:

First: steal credentials. OpenAI keys, Anthropic keys, AWS tokens. Anything in environment variables or config files. These get sold or used immediately. A stolen OpenAI key can rack up thousands in charges in hours.

Second: read everything. Chat history, uploaded documents, business context. If your agent has seen it, the attacker can see it.

Third: pivot. SSH keys stored on the host. Docker socket access. From one exposed OpenClaw instance, they move laterally to everything that server can reach.

Fourth: persist. Install a backdoor skill. Modify the config. Create a webhook that phones home. Even if you notice and patch the original vulnerability, they're already inside.

China Noticed

This isn't just a Western concern. Chinese tech hubs have been promoting OpenClaw heavily — and Chinese regulators have started restricting it over security fears.

The tension is real: OpenClaw is incredibly useful. It's also incredibly risky when deployed carelessly.

How to Not Be the 63%

Bind to localhost only. Never expose OpenClaw's port to the public internet directly:

ports:
  - "127.0.0.1:3000:3000"

This one change eliminates the most common exposure vector.
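
To find the risky bindings in an existing Compose file, the following added example (not from the original article, OpenClaw or Clawctl) classifies each short-syntax `ports:` entry by the address it binds to. The function names and the sample file are constructed for illustration, and long-syntax port mappings are not handled.

```javascript
// Added example, not OpenClaw or Clawctl code. Short-syntax port strings only.
const LOOPBACK = /^(127\.\d+\.\d+\.\d+|\[::1\])$/;
const WILDCARD = /^(0\.0\.0\.0|\[::\])$/;

// Classify one entry: "3000", "3000:3000", "IP:3000:3000", "[::1]:3000:3000".
function classifyPort(spec) {
  const s = String(spec).trim().replace(/\/(tcp|udp|sctp)$/, "");
  const v6 = s.match(/^(\[[^\]]*\]):/);        // bracketed IPv6 bind address
  const parts = s.split(":");
  const host = v6 ? v6[1] : parts.length === 3 ? parts[0] : null;
  // With no bind address, Docker publishes on every interface by default.
  if (host === null || WILDCARD.test(host)) {
    return { bind: host || "(none)", exposure: "all-interfaces" };
  }
  return { bind: host, exposure: LOOPBACK.test(host) ? "loopback" : "specific-address" };
}

// Minimal line scanner (not a YAML parser): collects list items under any `ports:` key.
function auditCompose(text) {
  const findings = [];
  let inPorts = false;
  text.split("\n").forEach((line, i) => {
    if (/^\s*(#.*)?$/.test(line)) return;      // skip blank and comment-only lines
    if (/^\s*ports:\s*(#.*)?$/.test(line)) { inPorts = true; return; }
    const item = line.match(/^\s*-\s*["']?([^"'\s#]+)/);
    if (inPorts && item) {
      findings.push({ line: i + 1, spec: item[1], ...classifyPort(item[1]) });
    } else {
      inPorts = false;                         // any other key ends the list
    }
  });
  return findings;
}

// Constructed sample file: three services, three binding styles.
const SAMPLE_COMPOSE = `
services:
  a:
    ports:
      - "0.0.0.0:3000:3000"
  b:
    ports:
      - "3001:3000"
  c:
    ports:
      - "127.0.0.1:3002:3000"
`;
const risky = auditCompose(SAMPLE_COMPOSE).filter(f => f.exposure !== "loopback");
for (const f of risky) console.log(`line ${f.line}: ${f.spec} -> ${f.exposure}`);
```

An entry reported as `specific-address` is bound to a single non-loopback IP and is reachable from whatever network that address sits on.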

Put it behind authentication. Not "I'll add it later." Now. Before the first deploy. Basic auth at the reverse proxy level is better than nothing.

Don't mount the Docker socket. If your agent needs Docker access, use a socket proxy with scoped permissions. Raw docker.sock mounts give agents root-equivalent access to the host.

Check your exposure. Search Shodan or Censys for your IP. If your OpenClaw instance shows up, you're already in the 40,000.

Or skip all of it. Clawctl deploys behind gateway authentication by default. The instance is never directly exposed. No public ports. No reverse proxy configuration to get wrong. No "I'll add auth later" gamble.

The Math

Self-hosting OpenClaw securely requires:

  • Reverse proxy with proper auth
  • Correct Docker networking
  • Firewall rules
  • TLS configuration
  • Regular patching
  • Monitoring and alerting

Miss one step and you're exposed. Get all of them right and you still need to maintain them through every update.

Or pay $49/month and stop thinking about it.

The 40,000 exposed instances prove that most people get this wrong. Not because they're incompetent. Because the default path leads to exposure, and the secure path requires active effort at every step.


40,000 exposed. 63% vulnerable. One click to compromise. The numbers don't lie. If you're exposing OpenClaw to the internet, the odds are against you.
