Full Report
Researchers disclose rapid exploit chain that let attackers run code via a single malicious web page
Security issues continue to pervade the OpenClaw ecosystem, formerly known as ClawdBot then Moltbot, as multiple projects patch bot takeover and remote code execution (RCE) exploits.…
Analysis Summary
# Vulnerability: One-Click Remote Code Execution in OpenClaw via WebSocket Origin Validation Bypass
## CVE Details
- CVE ID: N/A (Specific CVE not provided in the text)
- CVSS Score: N/A (Severity inferred from RCE description)
- CWE: CWE-200 (Information Exposure) / CWE-776 (Improper Neutralization of Data within a Web-Based Component) - *Inferred based on the nature of the attack (Origin Header validation failure leading to XSWJ).*
## Affected Systems
- Products: OpenClaw ecosystem projects (formerly ClawdBot/Moltbot)
- Versions: Vulnerable versions (Specific version ranges are not provided, only that they are affected prior to the patch.)
- Configurations: Users running vulnerable versions interacting with a malicious web page.
## Vulnerability Description
The flaw is in how the OpenClaw server handles the WebSocket `Origin` header: the header is not properly validated. This allows an attacker who hosts a malicious web page to carry out a Cross-Site WebSocket Hijacking (XSWJ) attack against a logged-in user of a vulnerable OpenClaw version. The attack executes client-side JavaScript to:
1. Retrieve the victim's authentication token.
2. Establish a WebSocket connection using that token for authentication.
3. Disable sandboxing and bypass pre-execution prompts through JavaScript execution.
4. Execute a `node.invoke` request on the victim's browser, leading to Remote Code Execution (RCE).
## Exploitation
- Status: PoC available (Researcher disclosed details of the exploit chain)
- Complexity: Low ("milliseconds" execution, "single malicious web page" visit required)
- Attack Vector: Network (Requires the victim to visit a malicious URL)
## Impact
- Confidentiality: High (Ability to steal authentication tokens and potentially access sensitive data handled by the client application)
- Integrity: High (Ability to execute arbitrary code/commands (`node.invoke`) on the client interacting with the server)
- Availability: Medium (Potential for denial of service or compromise of the user's session/account)
## Remediation
### Patches
- The OpenClaw team has patched the bug in short order.
- Relevant Advisory: [github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq]
### Workarounds
- Since the vulnerability relies on visiting a single malicious web page, users might temporarily mitigate risk by limiting web browsing or connection to untrusted third-party sites until fully patched.
## Detection
- **Indicators of Compromise (IOCs):** Unusual/unintended execution of commands via known OpenClaw client APIs (e.g., `node.invoke`). Monitoring WebSocket traffic for unexpected origins or credential usage.
- **Detection Methods and Tools:** Security mechanisms should focus on validating the `Origin` header on the server side for all WebSocket connection attempts. Browser security extensions should enforce strict Content Security Policies (CSP) and sandbox restrictions.
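One way to implement the server-side `Origin` validation recommended above, and to log rejected handshakes for monitoring. This is an added example, not OpenClaw's code or its actual patch; the allowlist, hostnames and function names are assumptions.

```javascript
// Added example: exact-match Origin allowlist for WebSocket upgrade requests.
// ALLOWED_ORIGINS and every hostname here are constructed placeholders.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080", "https://ui.example.test"]);

// Reduce an Origin value to scheme://host[:port]. Returns null for "null"
// (opaque origins), non-http(s) schemes, and anything carrying credentials,
// a path, a query or a fragment.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "null") return null;
  let u;
  try { u = new URL(value); } catch { return null; }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  if (u.username || u.password || u.pathname !== "/" || u.search || u.hash) return null;
  return u.origin; // host lower-cased, default port dropped
}

// Verdict for one handshake. Comparison is exact: prefix, suffix or substring
// tests would accept look-alike hosts. Rejecting a missing Origin is a policy
// choice of this example; browsers always send it on WebSocket handshakes.
function checkUpgradeOrigin(headers, allowed = ALLOWED_ORIGINS) {
  if (headers.origin === undefined) return { ok: false, reason: "missing-origin" };
  const origin = normalizeOrigin(headers.origin);
  if (origin === null) return { ok: false, reason: "opaque-or-malformed-origin" };
  if (!allowed.has(origin)) return { ok: false, reason: "origin-not-allowed" };
  return { ok: true, reason: "allowed", origin };
}

// Attach to a Node http.Server. Rejected handshakes get a 403 and a log line
// that records the offending Origin; accepted ones go to onAccept, which is
// where a WebSocket library would complete the upgrade.
function guardUpgrades(server, onAccept, allowed = ALLOWED_ORIGINS, log = console.warn) {
  server.on("upgrade", (req, socket, head) => {
    const verdict = checkUpgradeOrigin(req.headers, allowed);
    if (verdict.ok) return onAccept(req, socket, head);
    log(`ws-upgrade-rejected reason=${verdict.reason} origin=${JSON.stringify(req.headers.origin)}`);
    socket.end("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
  });
}
```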
## References
- Vendor Advisories: [github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq]
- Researcher Details: hxxps://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
- Social Confirmation: hxxps://x.com/theonejvo/status/2018139657394151524
---
*Note: The article also details a separate database exposure issue in the OpenClaw-adjacent service Moltbook (exposed API keys on the database), which has also been confirmed fixed.*