A high-severity security flaw has been disclosed in OpenClaw (formerly known as Clawdbot and Moltbot) that could allow remote code execution (RCE) via a crafted malicious link.
The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29, released on January 30, 2026. It is described as a token exfiltration vulnerability that leads to full gateway compromise.
“The Control UI relies on the gateway URL from the query string without validation and auto-connects on load, sending the gateway token stored in the WebSocket Connect payload,” Peter Steinberger, creator and maintainer of OpenClaw, said in an advisory.
“Clicking a crafted link or visiting a malicious site can send a token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify the configuration (sandbox, tool policies), and implement privileged actions, achieving 1-click RCE.”
OpenClaw is an open-source autonomous artificial intelligence (AI) personal assistant that runs natively on user devices and integrates with a wide range of messaging platforms. Although initially released in November 2025, the project has rapidly gained popularity in recent weeks, with its GitHub repository surpassing 149,000 stars at the time of writing.
“OpenClaw is an open agent platform that runs on your machine and works with the chat apps you already use,” Steinberger said. “Unlike SaaS assistants, where your data lives on someone else’s server, OpenClaw runs where you choose – laptop, homelab, or VPS. Your infrastructure. Your keys. Your data.”
Security researcher Mav Levin, the founder of DepthFirst, who is credited with discovering the flaw, said it could be used to create a one-click RCE exploit chain that takes mere milliseconds after a victim visits a malicious web page.
The root cause is that OpenClaw’s gateway does not validate the WebSocket Origin header, so a single click on the malicious page is enough to mount a cross-site WebSocket hijacking attack: the server accepts handshakes initiated by any website, which defeats the protection that binding to localhost would otherwise provide.
A malicious web page can therefore run client-side JavaScript in the victim’s browser that retrieves the authentication token, opens a WebSocket connection to the gateway, and presents the stolen token to authenticate to the victim’s OpenClaw instance.
Worse, because the token carries the privileged operator.admin and operator.approvals scopes, the attacker can use the gateway API to disable user confirmation (setting “exec.approvals.set” to “off”) and to move shell tools out of their container onto the host (setting “tools.exec.host” to “gateway”).
“This forces the agent to run commands directly on the host machine, not inside a Docker container,” Levin said. “Finally, to achieve arbitrary command execution, the attacking JavaScript executes a node.invoke request.”
Asked whether OpenClaw’s reliance on its own API to manage security features constitutes an architectural limitation, Levin told The Hacker News in an email response that, “I would say that the problem is that those defenses (sandbox and security guardrails) were designed to prevent malicious actions of the LLM, for example as a result of prompt injection. And users may think that these defenses will protect against this vulnerability (or limit the blast radius), but they don’t do this.”
Steinberger said in the advisory that “the vulnerability can be exploited even on instances configured to listen only on loopback, as the victim’s browser initiates the outbound connection.”
“This affects any Moltbot deployment where the user has authenticated to the control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary configuration changes and code execution on the gateway host. The attack also works when the gateway connects to the loopback because the victim’s browser acts as a bridge.”