SecurityScorecard recently identified 40,214 exposed OpenClaw instances in the wild. 63% of them are vulnerable, and 12,812 can be exploited via remote code execution. CVE-2026-25253 (CVSS 8.8) lets an attacker extract API keys in 30 seconds through WebSocket manipulation.
58% of OpenClaw containers still run as root with default capabilities.
I put together a practical hardening guide that covers 6 areas:
- Running containers as non-root with dropped capabilities
- Read-only filesystem with targeted tmpfs mounts
- Image pinning to SHA256 digests (not `latest`)
- Network isolation with internal bridge networks
- Tool and workspace restrictions (blocking `system.run`, denying sensitive paths)
- CPU and memory resource limits
Each section includes the actual Docker Compose config you need. No theory, just copy-paste hardening.
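As an added illustration (not the guide's own config), this is how the container-level items in the list combine in a single Compose service. The service name, image reference, digest, UID, paths and limits are placeholders; the tool and workspace restrictions are left out because they live in the application's own settings, whose format this page does not show.

```yaml
# Added example. Every name and value below is a placeholder to adapt.
services:
  openclaw:
    # Pin to an immutable digest you have verified, not a mutable tag such as :latest.
    image: registry.example/openclaw@sha256:<digest>

    # Non-root UID:GID, with every Linux capability dropped.
    user: "1000:1000"
    cap_drop:
      - ALL
    # Blocks privilege gain through setuid binaries; complements cap_drop.
    security_opt:
      - no-new-privileges:true

    # Root filesystem is read-only; scratch space is a size-capped tmpfs.
    read_only: true
    tmpfs:
      - /tmp:rw,noexec,nosuid,size=64m

    # The only writable host path is a dedicated workspace directory.
    # It must be owned by the UID set above, or writes will fail.
    volumes:
      - ./workspace:/workspace:rw

    # Attached only to an internal bridge network (defined below).
    networks:
      - backend

    # CPU and memory ceilings for the container.
    cpus: "1.0"
    mem_limit: 1g

networks:
  backend:
    driver: bridge
    # internal: true removes the route to external networks. Anything that
    # must reach the service (for example a reverse proxy) has to be
    # attached to this network as well.
    internal: true
```

Running `docker compose config` against the file validates the syntax and prints the resolved settings before anything is started.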