Full Report
A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link. The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to
Analysis Summary
# Vulnerability: Remote Code Execution in OpenClaw via Unvalidated Link Parameter
## CVE Details
- CVE ID: CVE-2026-25253
- CVSS Score: 8.8 (High)
- CWE: Insufficiently Neutralized of Special Elements --> Improper Neutralization of Special Elements used in an Embedded Sequence (Injection) (Inferred from description)
## Affected Systems
- Products: OpenClaw (formerly Clawdbot and Moltbot)
- Versions: Prior to 2026.1.29
- Configurations: Any deployment where a user has authenticated to the Control UI. Affected even if the gateway binds only to the loopback address.
## Vulnerability Description
This high-severity flaw is a token exfiltration vulnerability that can lead to full gateway compromise and Remote Code Execution (RCE). The OpenClaw Control UI trusts the `gatewayUrl` parameter found in the query string without validation and attempts an auto-connection upon loading. This action sends the stored gateway token within the WebSocket connect payload to the server specified in the malicious link.
The exploit is possible because OpenClaw's server does not validate the WebSocket origin header, allowing requests from any website (Cross-Site WebSocket Hijacking). An attacker gains operator-level access to the gateway API using the stolen token, allowing them to:
1. Disable user confirmation by setting `exec.approvals.set` to "off".
2. Set `tools.exec.host` to "gateway," forcing tool execution directly on the host machine (escaping the sandbox/container).
3. Execute arbitrary commands via a `node.invoke` request.
## Exploitation
- Status: PoC available (Researcher confirmed successful exploitation chain)
- Complexity: Low (Described as a "1-click RCE" achieved by visiting a malicious web page).
- Attack Vector: Network (Triggers via a remote, crafted link).
## Impact
- Confidentiality: High (Token exfiltration and access to sensitive operational data).
- Integrity: High (Arbitrary configuration changes, policy modification, and command execution).
- Availability: High (Potential system compromise leading to service disruption).
## Remediation
### Patches
- Version **2026.1.29** released on January 30, 2026, addresses this vulnerability by validating the `gatewayUrl` parameter.
### Workarounds
- None explicitly listed, as the fix addresses core trust issues related to URL parameters and WebSocket origin validation. Immediate patching is strongly advised.
## Detection
- **Indicators of Compromise (IOCs):** Look for unusual outbound WebSocket connections originating from a victim's browser session pointing to an unknown/attacker-controlled server while the OpenClaw Control UI is loading or connected. Monitor for rapid configuration changes in the gateway API, specifically disabling approval mechanisms (`exec.approvals.set` changes) or modifications to tool execution hosts (`tools.exec.host`).
- **Detection Methods and Tools:** Network monitoring tools capable of inspecting WebSocket traffic headers (specifically the Origin header) for unexpected values during connections initiated by the OpenClaw client UI. API logging for rapid administrative changes.
## References
- Vendor Advisory: [https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq](https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq)
- Researcher Report: [https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys](https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys)
- Project Repository: [https://github.com/openclaw/openclaw](https://github.com/openclaw/openclaw)