OpenClaw is open-source AI agent software with around 138 known CVEs accumulated by April 2026, 41% rated High or Critical. Pre-1.0 plus fast iteration means a big attack surface. Don’t want to chase security advisories yourself? Use ZenClaw. MixerBox AI’s managed service has the core hardening items below on by default. This post is for engineers willing to self-host who want to minimize risk.
Why OpenClaw needs hardening
OpenClaw runs on your host, has network access, has filesystem access, and executes commands the AI generates dynamically. Any weak link here becomes exploitable. Blink’s 2026 numbers show around 138 CVEs added over 63 days, averaging 2.2 a day. Compared to typical server software, that’s a high rate. Hardening isn’t optional. It’s the baseline.
10 must-do hardening items (in priority order)
Do these in order: high-impact first, diminishing returns last. Each item closes a real, known attack surface.
- Upgrade to the latest release: New CVEs are almost always patched first in the latest release. Subscribe to github.com/openclaw/openclaw releases.
- Bind the gateway to 127.0.0.1: Loopback is the default. Don't change it to 0.0.0.0. The official security docs spell this out. (ZenClaw binds the gateway to 127.0.0.1 on port 18789 by default.)
- Use a 64-character random gateway token: Don't use the default or a short token.
- Firewall port 18789: Deny inbound access from outside the host by default. Reach it from your own machine through an SSH tunnel instead.
- Remote access through Tailscale (or WireGuard): Don’t open the port on the public internet.
- Docker container isolation: Don't run directly on the host. Don't mount all of /. Only mount ~/.openclaw.
- Lock down the credentials/ directory with 600 permissions (owner read/write only): A leaked Baileys session means your WhatsApp gets hijacked.
- Grep ClawHub skill source before installing: Check for suspicious network requests, shell execution, or secret reads.
- Restrict which tools AI models can call: A wrong tool call can burn API credits or do things it shouldn’t.
- Audit logs regularly: Check logs/ at least weekly. Watch for unfamiliar IPs and failed token attempts.
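As an added example (not code from OpenClaw, ZenClaw, or this post), the script below turns items 2, 3, 4, 6, 7, 8 and 10 into checks you can run on a self-hosted box. Everything the post is silent on is an assumption: the state directory ~/.openclaw, a credentials/ directory inside it, a gateway log format with ip= and auth= fields, the container image name, and the list of suspicious patterns to grep for in skill source. The firewall and docker commands are printed rather than executed so you can review them before applying.

```shell
#!/bin/sh
# Added example: hardening helpers for a self-hosted OpenClaw install.
# This is not OpenClaw's own tooling. Assumptions: state lives under
# ~/.openclaw, the gateway listens on 18789, credentials/ sits inside that
# directory, and gateway logs carry "ip=<addr> auth=<ok|failed>" fields.

OPENCLAW_HOME="${OPENCLAW_HOME:-$HOME/.openclaw}"   # assumed state directory
GATEWAY_PORT="${GATEWAY_PORT:-18789}"               # gateway port from the post

# Item 3: 64-character random token = 32 bytes from /dev/urandom, hex-encoded.
gen_gateway_token() {
    od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
    echo
}

# Items 2 and 4: print (do not apply) iptables rules that accept the gateway
# port on loopback only and drop every other inbound attempt.
firewall_rules() {
    printf 'iptables -A INPUT -i lo -p tcp --dport %s -j ACCEPT\n' "$GATEWAY_PORT"
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$GATEWAY_PORT"
}

# Items 2 and 6: print a docker run command that publishes the gateway on
# 127.0.0.1 only and mounts nothing but the state directory. Image name and
# in-container path are placeholders, not OpenClaw's real values.
docker_run_cmd() {
    printf 'docker run -d --name openclaw -p 127.0.0.1:%s:%s -v %s:/home/openclaw/.openclaw %s\n' \
        "$GATEWAY_PORT" "$GATEWAY_PORT" "$OPENCLAW_HOME" "${OPENCLAW_IMAGE:-openclaw:latest}"
}

# Item 7: credentials/ must be owner-only: 700 on directories, 600 on files.
# Prints each offending path and returns 1 when any exist.
check_credential_perms() {
    bad_paths=$(find "$1" \( -type d ! -perm 700 \) -o \( -type f ! -perm 600 \))
    [ -z "$bad_paths" ] && return 0
    printf '%s\n' "$bad_paths"
    return 1
}

fix_credential_perms() {
    find "$1" -type d -exec chmod 700 {} + && find "$1" -type f -exec chmod 600 {} +
}

# Item 8: grep a ClawHub skill's source before installing it. The pattern list
# is a starting point of our own, not an official one: network calls, shell
# execution, and reads of secret material. Prints hits and returns 1 if any.
SKILL_SUSPECT_RE='curl|wget|fetch\(|http\.request|child_process|subprocess|exec\(|spawn\(|/bin/sh|\.env|credentials|id_rsa|\.aws'
scan_skill_source() {
    hits=$(grep -rnE "$SKILL_SUSPECT_RE" "$1" || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# Item 10: count failed token attempts and list client IPs not in an allowlist.
# $1 = log file, $2 = space-separated list of IPs you expect to see.
audit_gateway_log() {
    failures=$(grep -c 'auth=failed' "$1" || true)
    printf 'failed_auth_attempts=%s\n' "$failures"
    grep -o 'ip=[0-9.]*' "$1" | sort -u | while read -r entry; do
        ip="${entry#ip=}"
        case " $2 " in
            *" $ip "*) ;;                                  # known client
            *) printf 'unfamiliar_ip=%s\n' "$ip" ;;
        esac
    done
}

# Constructed sample log in the assumed format (not real OpenClaw output).
sample_gateway_log() {
    cat <<'EOF'
2026-04-02T10:00:01Z INFO gateway session ip=127.0.0.1 auth=ok
2026-04-02T10:00:07Z INFO gateway session ip=100.64.0.5 auth=ok
2026-04-02T10:03:12Z WARN gateway session ip=203.0.113.9 auth=failed
2026-04-02T10:03:14Z WARN gateway session ip=203.0.113.9 auth=failed
EOF
}

# Run with `sh harden.sh demo` to see the helpers in action.
demo() {
    tmp=$(mktemp -d)
    echo "new gateway token: $(gen_gateway_token)"
    firewall_rules
    docker_run_cmd
    sample_gateway_log > "$tmp/gateway.log"
    audit_gateway_log "$tmp/gateway.log" "127.0.0.1 100.64.0.5"
    rm -rf "$tmp"
}
if [ "${1:-}" = "demo" ]; then demo; fi
```

Run `check_credential_perms ~/.openclaw/credentials` and `scan_skill_source <skill dir>` before every install or upgrade; a non-zero exit is your cue to stop. The log audit only knows what you tell it: pass the loopback address plus your Tailscale or WireGuard peer addresses as the allowlist, and anything else that shows up is worth a look.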
The self-hosting limit: you can’t keep up with CVE velocity
Even if you do all 10 items, a pre-1.0 project shipping around 2 CVEs a day isn’t something a solo dev or small team can realistically track. Enterprise threat models also require network segmentation, intrusion detection, centralized logs, and regular penetration testing. For most SMBs, that’s way beyond a reasonable investment.
ZenClaw’s default security posture (side by side)
ZenClaw ships with the core hardening items preconfigured — from gateway binding to firewall to allowlist to CVE tracking, you don’t handle any of it. Side by side:
| Hardening item | Self-host OpenClaw | Self-host NemoClaw | ZenClaw |
|---|---|---|---|
| Gateway binding | You set 127.0.0.1 | You set it | ✅ Default (127.0.0.1 + port 18789) |
| Strong token | You generate it | You generate it | ✅ Auto-rotation |
| Firewall rules | Write your own iptables | Write your own | ✅ Default deny |
| Network allowlist | Maintain it yourself | Write JSON policy yourself | ✅ Click-to-configure UI with allowlist |
| Sandbox isolation | None | OpenShell (self-config) | ✅ Plans include NemoClaw sandbox (NVIDIA enterprise) |
| CVE tracking + upgrades | You | You | ✅ We handle it |
| Skill allowlist | You vet them | You vet them | ✅ Platform-managed |
Wrap-up
Self-hosted OpenClaw security isn’t a one-time job. It’s a long-term ops cost. If you don’t want to spend your weekends tracking CVEs, writing iptables rules, and vetting skills, ZenClaw bundles the core items. Click “Hire AI Employees Now” on the homepage to start.