SecurityScorecard just dropped a bombshell on the OpenClaw community, and it ain't pretty. Their latest scan identified 40,214 exposed OpenClaw instances floating around the wild, and here's the kicker: 63% of them are running vulnerable. That's roughly 25,000 containers with known attack vectors just waiting to get popped.

The CVE That Changes Everything

Enter CVE-2026-25253 with a CVSS score of 8.8. That's serious business in vulnerability terms. The exploit lets attackers extract your precious API keys in just 30 seconds through WebSocket manipulation. We're talking about the keys that give attackers access to your LLM backends, your tool chains, everything. Twelve thousand eight hundred and twelve instances can be exploited via remote code execution. This isn't theoretical; it's actively happening out there.

Root Containers: The Original Sin

Here's where it gets really embarrassing. Fifty-eight percent of OpenClaw containers are still running as root with default capabilities. That means if someone compromises your container, they own the entire host. No privilege separation, no capability dropping, just a ticking time bomb sitting on your infrastructure. This isn't a sophisticated attack; it's low-hanging fruit that script kiddies can grab.

The 6-Step Hardening Playbook

The guide breaks down practical Docker hardening into six actionable areas. First, run your containers as non-root with dropped capabilities; this alone limits blast radius significantly. Second, implement a read-only filesystem with targeted tmpfs mounts only where you need write access. Third, pin your images to SHA256 digests instead of using 'latest' tags; this prevents supply chain tampering. Fourth, isolate containers with internal bridge networks so they can't reach the broader network unnecessarily.

Key Takeaways

  • Drop all capabilities and run as non-root user from the start
  • Use read-only root filesystems, mount tmpfs only where writes are required
  • Pin images to SHA256 digests, never pull 'latest' tags
  • Isolate with internal bridge networks to limit lateral movement
  • Restrict tool execution (block system.run, deny sensitive paths)
  • Set CPU and memory limits to prevent resource exhaustion attacks
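
One way to check a running container against the Docker-level items above is to audit its `docker inspect` JSON. This is an added example, not code from the guide or the OpenClaw project; the image name, network name and sample records are constructed, and the tool-execution restriction is application configuration that `docker inspect` does not show, so it is not covered.

```python
import re

DIGEST = re.compile(r"@sha256:[0-9a-f]{64}$")

def audit(container, internal_networks=()):
    """Return findings for one entry of `docker inspect <container>` output.

    internal_networks: names of networks the caller has confirmed report
    "Internal": true in `docker network inspect` (assumed input).
    """
    cfg = container.get("Config") or {}
    host = container.get("HostConfig") or {}
    findings = []
    # An empty User means the image default, which is root unless USER is set.
    user = (cfg.get("User") or "").split(":")[0]
    if user in ("", "0", "root"):
        findings.append("runs-as-root")
    if "ALL" not in [c.upper() for c in host.get("CapDrop") or []]:
        findings.append("capabilities-not-dropped")
    if not host.get("ReadonlyRootfs"):
        findings.append("writable-rootfs")
    if not DIGEST.search(cfg.get("Image") or ""):
        findings.append("image-not-digest-pinned")
    nets = (container.get("NetworkSettings") or {}).get("Networks") or {}
    if any(name not in internal_networks for name in nets):
        findings.append("network-not-internal")
    if not host.get("Memory"):  # 0 means unlimited
        findings.append("no-memory-limit")
    if not (host.get("NanoCpus") or host.get("CpuQuota")):
        findings.append("no-cpu-limit")
    return findings

# Constructed sample: a container started with Docker defaults.
DEFAULT = {
    "Config": {"User": "", "Image": "example/agent:latest"},
    "HostConfig": {"CapDrop": None, "ReadonlyRootfs": False,
                   "Memory": 0, "NanoCpus": 0, "CpuQuota": 0},
    "NetworkSettings": {"Networks": {"bridge": {}}},
}
# Constructed sample: the same container with the hardening applied.
HARDENED = {
    "Config": {"User": "10001:10001",
               "Image": "example/agent@sha256:" + "a" * 64},
    "HostConfig": {"CapDrop": ["ALL"], "ReadonlyRootfs": True,
                   "Memory": 536870912, "NanoCpus": 1000000000},
    "NetworkSettings": {"Networks": {"agents_internal": {}}},
}

if __name__ == "__main__":
    print(audit(DEFAULT))
    print(audit(HARDENED, internal_networks={"agents_internal"}))
```

To audit a live host, feed it each element of `json.loads` applied to the output of `docker inspect $(docker ps -q)`.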

The Bottom Line

The OpenClaw ecosystem has a massive security debt to pay. If you're running any of those 40,000+ exposed instances without hardening, you're not just risking your own deployment; you're providing a potential pivot point for attacks on the broader AI agent infrastructure. The CVE is public, the exploit is trivial, and there's no excuse for running root containers in 2026. Lock them down or get popped.