Comprehensive Threat Exposure Management Platform
CVE-2026-25253 is a high-impact remote code execution vulnerability in the open-source AI agent OpenClaw (Clawdbot/Moltbot) caused by improper trust of a user-controlled gatewayUrl parameter. A single malicious link can trigger a “1-click” exploit that leaks authentication tokens and enables WebSocket hijacking, allowing attackers to execute arbitrary commands on the victim’s local system. The attack requires no prior authentication and bypasses local network protections by leveraging the victim’s browser to access localhost services. Developer environments are particularly at risk due to common use of local and privileged deployments. All versions prior to v2026.1.29 are affected and should be patched immediately, with exposed credentials rotated. The vulnerability was first disclosed on January 26, 2026, and proof-of-concept exploits are publicly available.
CVE-2026-25253 is a high-severity remote code execution vulnerability affecting the open-source AI agent OpenClaw (also known as Clawdbot or Moltbot). The flaw originates from improper trust of a user-supplied gatewayUrl parameter, causing the application to automatically establish a WebSocket connection without sufficient validation.
An attacker can exploit this issue through a single malicious link or webpage, researchers describe it as a “1-Click RCE Kill Chain” that executes in milliseconds. When a victim interacts with the crafted URL, OpenClaw inadvertently transmits its authentication token to an attacker-controlled endpoint. The attacker can then hijack the WebSocket session to gain unauthorized access to the local OpenClaw instance, resulting in arbitrary command execution. This technique effectively bypasses local network protections by abusing the victim’s browser as a bridge to localhost services.
The attack requires no prior authentication or special privileges, making it particularly dangerous in developer environments where OpenClaw often runs locally or with elevated permissions. The risk is further amplified by missing WebSocket origin validation, enabling cross-site WebSocket hijacking and full instance compromise.
All OpenClaw versions prior to v2026.1.29 are affected. Proof-of-concept exploits are publicly available, increasing the likelihood of active exploitation. Users should upgrade immediately, rotate any exposed tokens or credentials, and review logs for suspicious WebSocket activity. Due to its low interaction cost and high impact, this vulnerability should be treated as critical in any environment using OpenClaw.
Install the latest version of OpenClaw (2026.1.29 or later) without delay. This patch addresses the vulnerability by implementing a gateway URL confirmation modal that requires explicit user approval before connecting to new gateway URLs, eliminating the automatic token exfiltration attack vector. Organizations should prioritize this update as the vulnerability is trivially exploitable and proof-of-concept code is publicly available.
After applying the patch, immediately generate a new authToken for all OpenClaw instances. Additionally, rotate API keys for all connected services including messaging platforms (Slack, Discord, Telegram), cloud providers (AWS, GCP, Azure), and any other integrated services. Assume that credentials may have been compromised if your instance was running an unpatched version, particularly if users may have visited untrusted websites while the OpenClaw interface was active.
Review authentication logs, WebSocket connection logs, and command execution histories for any anomalies dating back to January 26, 2026 or earlier. Search specifically for unexpected WebSocket connections to external IP addresses, unauthorized configuration changes to sandbox settings or approval policies, and execution logs containing suspicious commands such as process.mainModule.require, child_process, or execSync patterns.
Restrict the OpenClaw Control UI to trusted network segments only and avoid exposing the interface to the public internet. Consider implementing VPN requirements for administrative access and deploy web application firewalls to detect and block malicious URL parameters targeting the gatewayUrl vulnerability.
Implement Content Security Policy headers and consider deploying browser isolation technologies for users who access OpenClaw interfaces. Train users to recognize social engineering attacks that may attempt to redirect them to malicious URLs designed to exploit this vulnerability.
Maintain an inventory of all OpenClaw deployments across your organization and implement automated vulnerability scanning to detect unpatched instances. Establish a process for monitoring security advisories from the OpenClaw project and evaluate implementing a containerized deployment strategy with restricted network access to minimize the impact of future vulnerabilities.
Initial Access
Credential Access
Execution
Command and Control
Privilege Escalation
Get through updates and upcoming events, and more directly in your inbox