Ravie Lakshmanan | Feb 02, 2026 | Vulnerability / Artificial Intelligence
A high-severity security flaw has been disclosed in OpenClaw (previously known as Clawdbot and Moltbot) that could allow remote code execution (RCE) by means of a crafted malicious link.
The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to full gateway compromise.
“The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload,” OpenClaw’s creator and maintainer Peter Steinberger said in an advisory.
“Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE.”
OpenClaw is an open-source autonomous artificial intelligence (AI) personal assistant that runs locally on user devices and integrates with a range of messaging platforms. Although initially released in November 2025, the project has gained rapid popularity in recent weeks, with its GitHub repository crossing 149,000 stars as of writing.
“OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use,” Steinberger said. “Unlike SaaS assistants where your data lives on someone else’s servers, OpenClaw runs where you choose – laptop, homelab, or VPS. Your infrastructure. Your keys. Your data.”
Mav Levin, founding security researcher at depthfirst who is credited with discovering the flaw, said it can be exploited to create a one-click RCE exploit chain that takes only milliseconds after a victim visits a single malicious web page.
The problem is that clicking on the link to that web page is enough to trigger a cross-site WebSocket hijacking attack because OpenClaw’s server doesn’t validate the WebSocket Origin header. This causes the server to accept requests from any website, effectively getting around localhost network restrictions.
A malicious web page can take advantage of the issue to execute client-side JavaScript in the victim’s browser that can retrieve an authentication token, establish a WebSocket connection to the server, and use the stolen token to bypass authentication and log in to the victim’s OpenClaw instance.
To make matters worse, by leveraging the token’s privileged operator.admin and operator.approvals scopes, the attacker can use the API to disable user confirmation by setting “exec.approvals.set” to “off” and escape the container used to run shell tools by setting “tools.exec.host” to “gateway.”
“This forces the agent to run commands directly on the host machine, not inside a Docker container,” Levin said. “Finally, to achieve arbitrary command execution, the attacker JavaScript executes a node.invoke request.”
When asked whether OpenClaw’s use of the API to manage the safety features constitutes an architectural limitation, Levin told The Hacker News in an emailed response that, “I would say the problem is these defenses (sandbox and safety guardrails) were designed to contain malicious actions of an LLM, due to prompt injection, for example. And users might assume these defenses would protect from this vulnerability (or limit the blast radius), but they don’t.”
Steinberger noted in the advisory that “the vulnerability is exploitable even on instances configured to listen on loopback only, since the victim’s browser initiates the outbound connection.”
“It affects any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim’s browser acts as the bridge.”
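The two missing checks the article describes, no Origin validation on the gateway’s WebSocket endpoint and a Control UI that auto-connects to whatever gatewayUrl the query string carries, shown from the defensive side as an added example. This is not OpenClaw’s own code; the header names, the loopback host list and the sample port are assumptions made for illustration.

```javascript
// Added illustration (not OpenClaw's code): Origin validation on the gateway's
// WebSocket upgrade, and a Control UI that refuses an off-origin gatewayUrl.
// Header names, the sample port and the loopback list are assumptions.

const LOOPBACK_HOSTS = ['localhost', '127.0.0.1', '[::1]'];

// Origins from which the gateway serves its own UI, normalized through URL so that
// default ports compare the same way the browser's Origin header does.
function buildAllowedOrigins(listenHost, listenPort, extra = []) {
  const hosts = LOOPBACK_HOSTS.includes(listenHost) ? LOOPBACK_HOSTS : [listenHost];
  const allowed = new Set();
  for (const h of hosts) {
    for (const scheme of ['http', 'https']) {
      allowed.add(new URL(`${scheme}://${h}:${listenPort}`).origin);
    }
  }
  for (const o of extra) allowed.add(new URL(o).origin);
  return allowed;
}

// Gateway side: browsers always attach Origin to a WebSocket upgrade, so a missing
// or non-allowlisted value means a page on another site is trying to bridge into
// the local gateway. Rejecting it defeats the hijack even on a loopback-only bind.
function shouldAcceptUpgrade(upgradeHeaders, allowedOrigins) {
  const origin = upgradeHeaders['origin'];
  if (typeof origin !== 'string') return { accept: false, reason: 'missing Origin header' };
  let parsed;
  try { parsed = new URL(origin); } catch { return { accept: false, reason: 'unparseable Origin' }; }
  if (!allowedOrigins.has(parsed.origin)) {
    return { accept: false, reason: `Origin ${parsed.origin} is not allowlisted` };
  }
  return { accept: true, reason: 'ok' };
}

// Control UI side: a gatewayUrl from the query string is only honored when it is a
// WebSocket URL on the same host and port the UI was loaded from; anything else
// falls back to the default so the stored token is never sent elsewhere.
function resolveGatewayUrl(pageLocation, queryString, defaultUrl) {
  const candidate = new URLSearchParams(queryString).get('gatewayUrl');
  if (!candidate) return { url: defaultUrl, fromQuery: false };
  let target;
  try { target = new URL(candidate); } catch { return { url: defaultUrl, fromQuery: false }; }
  const page = new URL(pageLocation);
  const schemeOk = target.protocol === 'ws:' || target.protocol === 'wss:';
  const sameHost = target.hostname === page.hostname && target.port === page.port;
  if (!schemeOk || !sameHost) return { url: defaultUrl, fromQuery: false };
  return { url: target.href, fromQuery: true };
}
```

A non-browser client that legitimately sends no Origin header would need its own separately authenticated path; this example deliberately treats the absence as a rejection.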
