Clawdbot Vulnerability Exposes 900 Instances: API Keys and Private Chats at Risk

Clawdbot, an open-source AI agent gateway, has recently come under scrutiny due to significant security vulnerabilities. Over 900 unauthenticated instances have been discovered online, exposing sensitive data such as API keys and private chat histories.

Understanding Clawdbot

Clawdbot serves as a personal AI assistant, integrating seamlessly with various messaging platforms, including WhatsApp, Telegram, Slack, Discord, Signal, and iMessage. Its architecture comprises two main components:

1. Gateway: Manages control plane operations like WebSocket handling, tool execution, and credential management.

2. Control UI: A web-based interface for configuration, viewing conversation history, and managing API keys.

Typically deployed via npm on Node.js versions 22 and above, Clawdbot defaults to loopback binding on port 18789. It also supports remote access configurations through Tailscale or reverse proxies such as nginx and Caddy.

Discovery of Exposed Instances

Security researcher Jamieson O’Reilly highlighted these vulnerabilities in a detailed analysis on January 23, 2026. Utilizing Shodan, a search engine for internet-connected devices, O’Reilly identified hundreds of publicly accessible Clawdbot instances shortly after their deployment. By searching for the unique HTML title tag `Clawdbot Control`, he uncovered over 900 exposed gateways operating on port 18789, many lacking proper authentication measures.

Root Cause of the Vulnerability

The primary issue stems from Clawdbot’s authentication logic, which automatically approves localhost connections. This design, intended for local development, becomes problematic when Clawdbot is deployed behind a reverse proxy. The proxy forwards traffic over the loopback address (127.0.0.1), so every proxied request appears to the gateway as a local connection and bypasses the authentication checks. Because `gateway.trustedProxies` is empty by default, X-Forwarded-For headers are ignored and the gateway never sees the real client address, allowing unauthorized access.

O’Reilly confirmed this vulnerability through source code analysis, noting that connections whose socket address appeared local were granted automatic access to WebSockets and the Control UI. A GitHub issue has been raised to address this exposure. In response, O’Reilly submitted a hardening pull request, and the documentation now recommends setting `trustedProxies: [127.0.0.1]` and configuring the proxy to overwrite forwarding headers to prevent spoofing.
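
The localhost-trust check described in this section, sketched as an added example (not Clawdbot's source code); the function names, request shape and sample addresses are constructed for illustration. It contrasts trusting the socket address alone with resolving the client through a trusted-proxy list, including the case where a proxy appends to X-Forwarded-For instead of overwriting it.

```javascript
// Added example, not Clawdbot source. Names and sample requests are constructed.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
const isLoopback = (addr) => LOOPBACK.has(addr);

// Flawed pattern: trust the TCP peer address alone. Behind a same-host
// reverse proxy every request arrives from loopback, so this is always true.
function naiveIsLocal(req) {
  return isLoopback(req.socketAddr);
}

// Honour X-Forwarded-For only when the TCP peer is a configured trusted proxy,
// then walk the chain right to left to the first hop that is not a proxy.
function resolveClientIp(req, trustedProxies) {
  if (!trustedProxies.includes(req.socketAddr)) return req.socketAddr;
  const hops = (req.headers["x-forwarded-for"] || "")
    .split(",").map((h) => h.trim()).filter(Boolean);
  if (hops.length === 0) return req.socketAddr; // direct local connection
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.includes(hops[i])) return hops[i];
  }
  return null; // header names only proxies: origin unknown, fail closed
}

function hardenedIsLocal(req, trustedProxies) {
  const forwarded = "x-forwarded-for" in req.headers;
  // A forwarding header from an unconfigured peer means a proxy is in the
  // path, so refuse the localhost shortcut and require authentication.
  if (forwarded && !trustedProxies.includes(req.socketAddr)) return false;
  const client = resolveClientIp(req, trustedProxies);
  return client !== null && isLoopback(client);
}

// Constructed requests as the gateway would see them (203.0.113.7 is a documentation address).
const direct = { socketAddr: "127.0.0.1", headers: {} };
const proxied = { socketAddr: "127.0.0.1", headers: { "x-forwarded-for": "203.0.113.7" } };
// Client sent its own X-Forwarded-For and the proxy appended instead of overwriting.
const appended = { socketAddr: "127.0.0.1", headers: { "x-forwarded-for": "127.0.0.1, 203.0.113.7" } };

for (const [name, req] of Object.entries({ direct, proxied, appended })) {
  console.log(name, {
    naive: naiveIsLocal(req),
    noProxiesConfigured: hardenedIsLocal(req, []),
    loopbackProxyTrusted: hardenedIsLocal(req, ["127.0.0.1"]),
  });
}
```

A proxy that sends no forwarding header at all is indistinguishable from a direct local connection in this sketch, so the proxy-side header configuration remains part of the fix.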

Potential Impacts of the Exposure

The exposure of these Clawdbot instances poses several significant risks:

1. Credential Theft: Unauthorized access can lead to the theft of API keys, bot tokens, and signing secrets, compromising services like Anthropic, Telegram, and Slack.

2. Data Exfiltration: Attackers can access and exfiltrate months of private messages and files from conversation histories.

3. Command Execution: Some instances run as root containers, allowing attackers to execute arbitrary host commands without authentication.

4. Signal Integration Exploitation: Device linking URIs can be exploited, enabling attackers to pair their devices for full access.

Recommended Mitigation Strategies

To address these vulnerabilities, Clawdbot users are advised to:

– Conduct Security Audits: Utilize tools like `clawdbot security audit --deep` to identify and flag exposures.

– Tighten Access Controls: Review and adjust direct message and group policies to enforce stricter permissions.

– Configure Trusted Proxies: Set `gateway.auth.mode` to `password`, supplying the password through the `CLAWDBOT_GATEWAY_PASSWORD` environment variable, and define trusted proxies appropriately.

– Rotate Secrets: In the event of exposure, promptly rotate authentication tokens, model keys, and channel credentials to mitigate potential damage.

– Utilize Secure Access Methods: Consider using Tailscale Serve/Funnel or Cloudflare Tunnels instead of direct bindings to enhance security.

The latest Clawdbot release (2026.1.14-1, dated January 15) predates these reports. Users should run `clawdbot doctor` to apply necessary migrations and updates.

Conclusion

The discovery of over 900 exposed Clawdbot instances underscores the critical importance of secure deployment practices for AI agent gateways. By implementing the recommended mitigation strategies, users can safeguard their systems against unauthorized access and potential data breaches.