How many OpenClaw instances are exposed to the internet?

Penligent research found over 220,000 exposed instances as of April 2026, up from SecurityScorecard's initial finding of 40,214 in February. The number grew 5x as adoption surged.

Why are so many OpenClaw instances exposed?

OpenClaw ships without authentication by default, and many users deploy directly to public cloud VMs without configuring firewalls or access controls. The setup documentation doesn't emphasize security hardening.

Which countries have the most exposed OpenClaw instances?

China leads with the most exposed instances, followed by the United States and Singapore. Information services is the most impacted industry.

How many exposed instances are vulnerable to remote code execution?

Of the 40,214 initially identified by SecurityScorecard, 12,812 were directly vulnerable to remote code execution (RCE) via known CVEs with public exploit code.

What's the difference between exposed and compromised OpenClaw instances?

Exposed means accessible from the internet without proper access controls. Compromised means actively exploited by attackers. Not all exposed instances are compromised, but all are at risk.

← Back to dashboard

clawsmith.com/signal/openclaw-220k-exposed-instances-penligent-april-2026

⚠ IssueWide OpenLive

Over 220,000 OpenClaw Instances Exposed to Internet — Agent Runtimes Go Naked at Scale

Penligent research reveals 220,000+ OpenClaw instances exposed to the internet, a massive increase from SecurityScorecard's initial 40K finding. Exposure grew 5x as adoption surged. 63% operate without authentication.

Product Idea from this Signal

A CI/CD security gate that blocks OpenClaw deployments failing CVE, config, and network exposure checks

892 ▲

OpenClaw has accumulated 138+ CVEs in under 3 months, with 220,000+ instances exposed to the internet and 63% running without authentication. Kaspersky declared it unsafe for use. Existing tools (SecureClaw, Carapace, ClawSec) run audits after deployment, but nothing blocks a bad deployment from going live. This is a pre-deploy security gate that integrates into CI/CD pipelines, runs automated CVE version checks, config hardening validation, and network exposure scans, and fails the deploy if the instance doesn't meet a configurable security baseline.

CLICI-CDSECURITYDEVOPSOPEN-SOURCE

CompetitiveView Opportunity →