Gateway Security Improvements
Hey Hummingbot community 👋
Lately, we’ve been monitoring a sharp rise in automated bots scanning cloud servers for vulnerabilities. These bots probe for exposed API ports and attempt to exploit any they find — including setups where Gateway or Hummingbot API are reachable from the public internet.
To keep your funds and private keys safe, we’ve shipped Gateway v2.15.1, a security-only patch that removes unsafe wallet operations from the server side. We strongly recommend updating immediately — especially if you’re running on a cloud server.
Hummingbot API was updated at the same time to reflect these changes.
What this means for you:
Going forward, wallets must be imported using keys you generate externally — either via POST /wallet/add (Gateway) or POST /accounts/gateway/add-wallet (Hummingbot API). Safe wallet routes (viewing, adding hardware wallets, removing, setting default) are unchanged.
Action required:
Update Gateway to v2.15.1
Pull the latest main branch of Hummingbot API
⚠️ If your setup relies on the removed wallet operations, you’ll need to switch to importing wallets instead.
🔒 Pro tip: Secure your cloud setup with Tailscale
Running Hummingbot on a cloud server? Consider using Tailscale to access your instance without exposing it to the public internet. It creates a private network (“tailnet”) so only your devices can reach your Hummingbot API and Gateway — no open ports, no scanning bots.
We’ve put together a step-by-step guide:
🔗 https://hummingbot.org/blog/securing-condor-and-hummingbot-api-with-tailscale/
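To check which interfaces your services are actually listening on, here is an added example (not Hummingbot's own code) that parses `ss -ltnH` output and flags listeners bound to every interface. The port numbers 15888 and 8000 are assumptions, so adjust them to your deployment; the sample output is constructed.

```python
import ipaddress

# Assumed ports: the announcement does not state them, adjust to your setup.
WATCHED_PORTS = {15888: "Gateway", 8000: "Hummingbot API"}
# Tailscale hands out IPv4 addresses from the CGNAT range (IPv6 tailnet
# addresses are not handled here and are reported as "other").
TAILNET = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample of `ss -ltnH` output, not taken from a real host.
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:15888 0.0.0.0:*
LISTEN 0 128 127.0.0.1:8000 0.0.0.0:*
LISTEN 0 128 100.101.102.103:8000 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 128 *:15888 *:*
"""

def classify(addr: str) -> str:
    """Return 'wildcard', 'loopback', 'tailnet' or 'other' for a bind address."""
    addr = addr.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface suffix
    if addr in ("*", "0.0.0.0", "::"):
        return "wildcard"
    ip = ipaddress.ip_address(addr)
    if ip.is_loopback:
        return "loopback"
    if ip.version == 4 and ip in TAILNET:
        return "tailnet"
    return "other"

def audit(ss_output: str, ports=WATCHED_PORTS):
    """Return (service, local_address, scope) for each watched listening port."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        if port.isdigit() and int(port) in ports:
            findings.append((ports[int(port)], fields[3], classify(host)))
    return findings

def exposed(ss_output: str):
    """Watched listeners bound to all interfaces or to a non-loopback, non-tailnet address."""
    return [f for f in audit(ss_output) if f[2] in ("wildcard", "other")]

if __name__ == "__main__":
    for service, local, scope in audit(SAMPLE_SS):
        flag = "REVIEW" if scope in ("wildcard", "other") else "ok"
        print(f"{flag:6} {service:15} {local:24} {scope}")
```

A wildcard bind is only reachable from the internet if the host firewall or cloud security group also allows the port, so treat a REVIEW line as a prompt to check those rules.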
This is a strongly recommended update for all users, especially anyone running on cloud infrastructure. Stay safe out there! 🔒
Michael Feng
Co-founder, Hummingbot
