Clawdbot/Moltbot exposed admin dashboards enabled unauthenticated RCE and data leaks
Security researchers and vendors reported on 2026-01-27 that hundreds of internet-facing Clawdbot (rebranded Moltbot) admin dashboards were reachable without proper authentication. Some exposed panels allowed retrieval of API keys, conversation histories and, in certain deployments, unauthenticated command execution that could enable remote code execution. Multiple independent writeups described misconfigurations, plaintext secret storage, and unmoderated plugins as contributing factors.
Default-insecure deployments and localhost trust assumptions turned agent control panels into master keys for users' accounts.
Key facts
- What: Security researchers and vendors reported on 2026-01-27 that hundreds of internet-facing Clawdbot (rebranded Moltbot) admin dashboards were reachable without proper authentication.
- Incident date: Jan 27, 2026
- Who: Clawdbot (rebranded Moltbot) open-source project
- Failure mode: Data Leakage
- AI surface: Agentic Workflow
- Severity: High
What happened
On or around 2026-01-27, security researchers and vendor teams reported hundreds of Clawdbot/Moltbot instances with internet-accessible administrative dashboards. Investigations found cases where dashboards exposed configuration data, API keys and private conversation histories, and some deployments reportedly allowed unauthenticated command execution on the host. Researchers also demonstrated supply-chain or "skill" upload proofs of concept that could execute commands when a compromised skill was installed.
What broke inside the model
- 01 · Trigger: A request triggers retrieval or context loading.
- 02 · Model step: The context pulls in another user's content.
- 03 · Control gap: No boundary enforces isolation at the moment of output.
- 04 · Failure: Private data crosses into the response.
- 05 · Consequence: One user sees another's data, and disclosure follows.
One user's content crosses the retrieval boundary into another's response.
The root causes reported were insecure-by-default deployment choices and deployment misconfigurations, including reverse proxy and localhost trust setups that auto-authenticated external requests. Secrets were stored in plaintext files on hosts in some deployments and the platform shipped with no enforced sandboxing or moderation of third-party "skills," creating a path for remote code execution via malicious or backdoored plugins. These architectural and configuration failures converted agent features that require broad access into large-scale identity and credential attack surfaces.
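The localhost-trust failure described above can be reproduced in a few lines. The following is an added example, not Clawdbot/Moltbot code: the `Request` class, both authorize functions, the token and the sample traffic are hypothetical and constructed for illustration. It shows why a dashboard that trusts loopback peers authenticates every external request once a reverse proxy runs on the same host, and how a per-request token check behaves on the same traffic.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    """Minimal stand-in for an HTTP request (hypothetical, for illustration)."""
    peer_ip: str                                  # TCP peer address the app sees
    headers: dict = field(default_factory=dict)


def is_loopback(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_loopback


def authorize_localhost_trust(req: Request) -> bool:
    """Weak pattern: any loopback peer is treated as the local admin."""
    return is_loopback(req.peer_ip)


def authorize_hardened(req: Request, admin_token: str) -> bool:
    """Require a bearer token on every request; source address grants nothing."""
    scheme, _, presented = req.headers.get("Authorization", "").partition(" ")
    if scheme != "Bearer" or not presented or not admin_token:
        return False
    # Constant-time comparison avoids leaking the token through timing.
    return hmac.compare_digest(presented.encode(), admin_token.encode())


def audit(requests, admin_token):
    """Return (peer, forwarded_for, weak_result, hardened_result) per request."""
    return [(r.peer_ip, r.headers.get("X-Forwarded-For"),
             authorize_localhost_trust(r), authorize_hardened(r, admin_token))
            for r in requests]


# Constructed sample traffic, as seen by an app behind a same-host reverse proxy.
TOKEN = "example-token-not-a-real-secret"
SAMPLES = [
    Request("127.0.0.1", {"X-Forwarded-For": "203.0.113.7"}),    # external, proxied
    Request("127.0.0.1", {"X-Forwarded-For": "203.0.113.7",
                          "Authorization": f"Bearer {TOKEN}"}),  # external, with token
    Request("127.0.0.1"),                                        # truly local, no token
    Request("198.51.100.9"),                                     # direct, no token
]

if __name__ == "__main__":
    for row in audit(SAMPLES, TOKEN):
        print(row)
```

The first sample is the important one: the proxy terminates the external connection, so the application sees `127.0.0.1` as the peer and the weak check passes while the hardened check refuses it.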
What it cost
Sources
- Press: Clawdbot becomes Moltbot, but can’t shed security concerns (theregister.com)
- Press: Moltbot security alert exposed Clawdbot control panels risk credential leaks and account takeovers (bitdefender.com)
- Press: Clawdbot (Moltbot): When "Easy AI" Becomes a Security Nightmare (intruder.io)
Cite this entry
AI Failure Index. "Clawdbot/Moltbot exposed admin dashboards enabled unauthenticated RCE and data leaks" (FI-0463). Realm Labs. https://failureindex.ai/failures/clawdbot-moltbot-exposed-admin-dashboards-enabled (indexed Jun 10, 2026).
Data fields CC-BY 4.0, prose citation permitted. Incident ID FI-0463. Full dataset at /data.
Note from Realm Labs, the Index steward
How Realm would have caught this
- Prism
- OmniGuard
- AI Detection & Response (AIDR)
Realm can detect when a response is about to emit data that falls outside the bounds of the current user and context, and block or redact it inline, at the moment of generation rather than after the data has left.