Security Module — OpenClaw / Open WebUI Hardening

Why This Matters

17,000+ Exposed Instances. Two Unpatched Zero-Days.

The Problem

Open WebUI has 31+ known security vulnerabilities including two unpatched zero-day remote code execution flaws (CVSS 8.8). Over 17,000 instances sit exposed on the public internet. Active attacks are happening right now: cryptominers, data theft, API key harvesting, and the ClawHavoc supply chain attack that poisoned 20% of ClawHub skills with info-stealing malware.

The Solution

Three security resources: a 2-page quick-start that stops 80% of attacks in 15 minutes, a full Mac Mini hardening guide (9 steps), and a complete VPS hardening guide (13 steps). Each includes the exact commands, explains why they matter, and covers AI-specific threats no other guide addresses.

Active Threats

The CVEs You Need to Know

CVE-2026-0765

Command Injection via Crafted Skill

CRITICAL 8.8 • UNPATCHED

Upload a skill file that runs arbitrary commands on your server. One-click takeover.

CVE-2026-0766

Code Injection via Tool Loading

CRITICAL 8.8 • UNPATCHED

Inject code through the tool-loading system. Bypass all input validation.

CVE-2025-9074

Docker Container Escape

CRITICAL 9.3 • PATCHED v4.44.3

Attackers escape the container and take over your entire host machine.

CVE-2026-25253

One-Click RCE via Crafted Link

CRITICAL 8.8 • PATCHED v2026.1.29

Single link click grants full remote code execution on the server.

ClawHavoc Supply Chain Attack (Feb 2026)

1,184+ malicious skills were planted on ClawHub masquerading as crypto trading bots. They deployed AMOS info-stealer malware that harvests browser credentials, crypto wallets, SSH keys, and API keys. 2,419 skills were removed (42% of the registry). This is why you audit every skill before installing.

The 80/20

6 Steps That Stop 80% of Attacks

Whether you're on a VPS or Mac Mini, these 6 actions block the most common attack vectors. Each takes under 3 minutes.

Set Your Secret Key & Lock Registration

Generate a 64-char random key with openssl rand -hex 32. Set WEBUI_SECRET_KEY in your .env (Docker) or ~/.bashrc (Direct). Set ENABLE_SIGNUP=False.

Without this, your login tokens are predictable and anyone can create an admin account.

Block the Unpatched Zero-Days

Set ENABLE_PIP_INSTALL_FRONTMATTER_REQUIREMENTS=False. Then go to Admin Panel > Workspace > Permissions and remove workspace.tools from all non-admin users.

CVE-2026-0765 + CVE-2026-0766 are UNPATCHED (CVSS 8.8). These env vars + RBAC lockdown are the only blocks.

Bind Everything to Localhost

Docker: change ports to "127.0.0.1:3000:8080". Local models (Ollama, LM Studio): verify they show 127.0.0.1 not 0.0.0.0 or *.

Local model servers have ZERO authentication. On 0.0.0.0, anyone on your network can access your models and data.

Firewall: Block Everything Except SSH + Web

VPS: UFW with Docker-aware rules. Mac: Application Firewall + Stealth Mode + PF packet filter. Only allow the ports you actually need.

Docker bypasses UFW! Always bind ports to 127.0.0.1 first, then add Docker-aware iptables rules.

HTTPS via Reverse Proxy (Caddy)

3 lines in a Caddyfile. Auto-provisions TLS 1.3, certificate renewal, and HTTP-to-HTTPS redirect. Completely free. Alternative: Cloudflare Tunnel for zero open ports.

Update Everything — Now, Then Weekly

9+ CVEs since January 2026. OpenClaw v2026.1.29 patches the CVSS 8.8 one-click RCE. Docker Desktop must be v4.44.3+ to fix the container escape.

Full Hardening Guides

Beyond the 80/20

The complete guides go deeper with platform-specific hardening:

Mac Mini Guide (9 Steps)

Tailscale zero-trust remote access, three-layer macOS firewall (Application + PF + LuLu), macOS Keychain for API keys, FileVault encryption, SIP/Gatekeeper/XProtect verification, Docker Desktop hardening, automatic updates, AI-specific threat mitigations.

VPS Guide (13 Steps)

SSH key auth + fail2ban, Docker container isolation (read-only, cap_drop ALL, network segmentation), kernel sysctl hardening, CrowdSec intrusion detection, Caddy hardened config with security headers, Docker secrets for API keys, Cloudflare Tunnel alternative, encrypted offsite backups with Restic, AI-specific threat defense (SSRF, prompt injection, model poisoning).

AI-Specific Threats

Attacks That Only Target AI Systems

Malicious Skills (ClawHub) — 20% of marketplace skills were malware. Never install without reviewing source code. Use LuLu/network monitoring to catch skills phoning home.
Prompt Injection (OWASP #1 Risk) — Crafted inputs trick the AI into executing commands. Restrict workspace.tools to trusted admins only. Never let untrusted users upload RAG documents.
Model Poisoning — Download safety: SafeTensors (most secure) > GGUF (audit templates) > ONNX > Pickle (avoid entirely). Inspect Jinja2 chat templates for suspicious code.
API Key Exfiltration — Malicious skills can read environment variables and send keys to attackers via DNS queries. Use Keychain (Mac) or Docker secrets (VPS) instead of plain env vars.
SSRF (4 Separate Vulnerabilities) — Server-Side Request Forgery makes your server send requests to internal resources. Block cloud metadata endpoints (169.254.169.254). Enforce IMDSv2 on AWS.

Quick Reference

Security Checklist

WEBUI_SECRET_KEY set to 64-char random string

ENABLE_SIGNUP=False

ENABLE_PIP_INSTALL_FRONTMATTER_REQUIREMENTS=False

workspace.tools restricted to admins only

All ports bound to 127.0.0.1

Firewall active with Docker-aware rules

HTTPS via Caddy or Cloudflare Tunnel

SSH key-only auth (VPS) or Tailscale (Mac)

Docker hardened (icc:false, no-new-privileges)

API keys NOT in config files

Outbound traffic monitored (LuLu/CrowdSec)

Open WebUI updated to latest version

Prerequisites

Before You Start

Open WebUI or OpenClaw installed — Docker or direct install on VPS (Ubuntu/Debian) or Mac Mini (Apple Silicon)
Terminal access — SSH to your VPS or Terminal.app on Mac
15 minutes for the quick-start, 45-60 minutes for full hardening
No cybersecurity background required — every step explains what it does and why

Prompt 1 — Quick Security Audit

The 80/20 Security Hardening Script

Give this to your AI agent to audit and harden your Open WebUI / OpenClaw installation. It checks all 6 critical areas and generates a fix script.

security-audit-prompt.md

You are a security auditor for self-hosted AI systems. Your job is to audit an Open WebUI / OpenClaw installation and generate a hardening script. ## Step 1: Determine the Environment Ask the user: 1. **Platform**: VPS (Ubuntu/Debian) or Mac Mini (macOS)? 2. **Install type**: Docker (`docker ps`) or Direct Install (`which openclaw`)? 3. **Local models**: Running Ollama, Cortex, or LM Studio? ## Step 2: Run the Audit Check these 6 areas and report status for each: ### 1. Secret Key & Registration - Is WEBUI_SECRET_KEY set to a random 64-char string? (not default) - Is ENABLE_SIGNUP set to False? - Check: Docker `.env` file OR `~/.bashrc` / `~/.zshrc` exports ### 2. Zero-Day Mitigations - Is ENABLE_PIP_INSTALL_FRONTMATTER_REQUIREMENTS set to False? - Is workspace.tools permission removed from non-admin users? - These block CVE-2026-0765 (CVSS 8.8, UNPATCHED) and CVE-2026-0766 ### 3. Localhost Binding - Docker: ports should be "127.0.0.1:PORT:PORT" not "PORT:PORT" - Direct: `cat ~/.openclaw/openclaw.json | grep bind` should say "loopback" - Local models: `lsof -iTCP -sTCP:LISTEN -n -P | grep -E '11434|1234|39281'` Must show 127.0.0.1, NOT * or 0.0.0.0 ### 4. Firewall **VPS (UFW):** ``` sudo ufw status # Should show: default deny incoming, allow 22, 80, 443 ``` **IMPORTANT**: Docker bypasses UFW. Check /etc/ufw/after.rules for DOCKER-USER chain. **Mac:** ``` sudo /usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate # Should be enabled + stealth mode + block all ``` ### 5. HTTPS / Reverse Proxy - Is Caddy or Nginx configured as reverse proxy? - Is TLS active? Check: `curl -I https://your-domain.com` - Alternative: Cloudflare Tunnel (zero open ports) ### 6. Software Versions - Open WebUI: must be v2026.1.29+ (patches CVSS 8.8 one-click RCE) - Docker Desktop (Mac): must be v4.44.3+ (patches container escape CVE-2025-9074) - `sudo apt update && sudo apt list --upgradable` (VPS) ## Step 3: Generate Fix Script For each FAILED check, output the exact commands to fix it. Format as a bash script with comments explaining each fix. Add a "VERIFY" command after each fix so the user can confirm it worked. ## Step 4: Check for AI-Specific Threats - Are any marketplace skills installed? List them and flag unaudited ones. - Are API keys stored in config files instead of Keychain/secrets? - Is outbound traffic monitored? (LuLu on Mac, CrowdSec on VPS) - Model download safety: check for any .pkl files (unsafe format) ## Output Format ``` SECURITY AUDIT REPORT ===================== Platform: [VPS/Mac] | Install: [Docker/Direct] [PASS] Secret Key: 64-char random key set [FAIL] Registration: ENABLE_SIGNUP not set to False [FAIL] Zero-Day: PIP_INSTALL not disabled [PASS] Localhost: All services bound to 127.0.0.1 [WARN] Firewall: Active but missing Docker-aware rules [PASS] HTTPS: TLS 1.3 via Caddy Score: 4/6 passed | 1 warning | 1 critical FIX SCRIPT: ----------- [generated bash commands] ```

Prompt 2 — Full Hardening Guide

Complete Platform-Specific Hardening

This prompt walks through the complete hardening guide for either Mac Mini or VPS. It covers all steps beyond the 80/20 quick-start.

full-hardening-prompt.md

You are a security hardening specialist for self-hosted AI systems. Walk the user through the COMPLETE hardening process based on their platform. ## Determine Platform First Ask: "Are you on a **Mac Mini** (macOS) or a **VPS** (Ubuntu/Debian Linux)?" --- ## MAC MINI HARDENING (9 Steps) ### Step 1: Lock Local Model to Localhost ```bash lsof -iTCP -sTCP:LISTEN -n -P | grep -E '11434|1234|39281' # Must see 127.0.0.1 — NOT * or 0.0.0.0 # Fix Ollama: launchctl setenv OLLAMA_HOST "127.0.0.1" launchctl setenv OLLAMA_ORIGINS "http://localhost:3000" # Quit and reopen Ollama from menu bar ``` ### Step 2: Install Tailscale (Zero-Trust Remote Access) ```bash brew install --cask tailscale sudo tailscale up --ssh # Access via 100.x.y.z — close ALL public ports ``` CRITICAL: Use `tailscale serve` (private). NEVER `tailscale funnel` (public). ### Step 3: Three-Layer macOS Firewall Layer 1 — Application Firewall: ```bash sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setglobalstate on sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode on sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setblockall on ``` Layer 2 — PF Packet Filter (create /etc/pf.anchors/com.local.server): ``` ext_if = "en0" block in all pass out all flags S/SA keep state pass quick on lo0 all pass quick on utun3 all # Tailscale pass in on $ext_if proto tcp to any port 22 flags S/SA keep state \ (max-src-conn 5, max-src-conn-rate 3/30, overload <bruteforce> flush global) block in quick from <bruteforce> sudo pfctl -Ef /etc/pf.conf ``` Layer 3 — LuLu (Outbound Monitor): ```bash brew install --cask lulu ``` Allow Docker Desktop and Tailscale. Question everything else. ### Step 4: Set Security Variables ```bash openssl rand -hex 32 # Copy output # Add to ~/.zshrc: export WEBUI_SECRET_KEY=paste_your_key_here export ENABLE_SIGNUP=False export ENABLE_PIP_INSTALL_FRONTMATTER_REQUIREMENTS=False source ~/.zshrc ``` Also: Admin Panel > Workspace > Permissions > Remove workspace.tools from non-admins. ### Step 5: FileVault & macOS Security ```bash fdesetup status # Check FileVault sudo fdesetup enable # Enable if not csrutil status # SIP must be enabled spctl --status # Gatekeeper must be enabled ``` ### Step 6: Update Docker Desktop Must be v4.44.3+ (fixes CVE-2025-9074, container escape CVSS 9.3). ```bash brew upgrade --cask docker docker --version ``` ### Step 7: API Keys in macOS Keychain ```bash security add-generic-password -a "$USER" -s "openwebui_secret" -w "your-key" # Use in launch scripts: export WEBUI_SECRET_KEY="$(security find-generic-password -a $USER -s openwebui_secret -w)" ``` ### Step 8: Enable Automatic Updates ```bash sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticCheckEnabled -bool true sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate AutomaticDownload -bool true sudo defaults write /Library/Preferences/com.apple.SoftwareUpdate CriticalUpdateInstall -bool true ``` ### Step 9: AI-Specific Threats - Audit all installed skills for os.environ access, external URLs, file operations - Never install marketplace skills without reviewing source - Model downloads: SafeTensors > GGUF > ONNX > Pickle (avoid) --- ## VPS HARDENING (13 Steps) ### Steps 1-4: Basics (same as 80/20) Secret key, zero-day blocks, localhost binding, UFW + Docker-aware rules. ### Step 5: Reverse Proxy (Caddy Hardened Config) ``` your-domain.com { encode zstd gzip tls { protocols tls1.3 } header { Strict-Transport-Security "max-age=31536000; includeSubDomains" X-Content-Type-Options "nosniff" X-Frame-Options "SAMEORIGIN" Referrer-Policy "strict-origin-when-cross-origin" -Server } reverse_proxy localhost:8080 { header_up X-Real-IP {remote_host} } } ``` Alternative: Cloudflare Tunnel (zero open ports). ### Step 6: Harden SSH ```bash # Generate Ed25519 key (on YOUR machine): ssh-keygen -t ed25519 -a 100 -f ~/.ssh/server_key ssh-copy-id -i ~/.ssh/server_key.pub user@your_server_ip # Create /etc/ssh/sshd_config.d/hardening.conf: PermitRootLogin no PasswordAuthentication no PubkeyAuthentication yes MaxAuthTries 3 Port 2222 AllowUsers deployuser # Install fail2ban: sudo apt install fail2ban -y ``` ### Step 7: Harden Docker ```json // /etc/docker/daemon.json { "icc": false, "no-new-privileges": true, "userland-proxy": false, "live-restore": true, "log-driver": "json-file", "log-opts": { "max-size": "10m", "max-file": "5" } } ``` Hardened docker-compose: read_only, cap_drop ALL, cap_add NET_BIND_SERVICE, resource limits, network segmentation (internal:true for backend). ### Step 8: Kernel Hardening (sysctl) SYN flood protection, ICMP redirect blocking, IP spoofing, memory randomization, kernel info restriction. ### Step 9: Intrusion Detection (CrowdSec) Community-powered threat intelligence. Blocks malicious IPs automatically. ### Step 10: Security Environment Variables (all of them) WEBUI_SECRET_KEY, JWT_EXPIRES_IN=7d, ENABLE_SIGNUP=False, DEFAULT_USER_ROLE=pending, CORS_ALLOW_ORIGIN, WEBUI_SESSION_COOKIE_SECURE=True, AUDIT_LOG_LEVEL=REQUEST, ENV=prod. ### Step 11: API Keys in Docker Secrets ```bash echo "sk-ant-your-key" | docker secret create anthropic_key - ``` ### Step 12: AI-Specific Threats Prompt injection, malicious skills, SSRF (block 169.254.169.254), model poisoning. ### Step 13: Encrypted Backups (Restic) ```bash sudo apt install restic -y restic init -r s3:https://s3.amazonaws.com/your-bucket/backups restic backup /opt/open-webui /var/lib/docker/volumes /etc/docker ``` --- ## Output: Security Checklist After completing all steps, generate a platform-specific checklist showing pass/fail for every item. Present it as a copyable markdown checklist.

The Security Module