OpenClaw (formerly known as Clawdbot and Moltbot) has been found to have a high-severity security vulnerability that could enable remote code execution (RCE) via a malicious link This article explores access victim openclaw. . The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026.

According to some descriptions, it is a token exfiltration vulnerability that results in complete gateway compromise. "The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload," OpenClaw's creator and maintainer Peter Steinberger said in an advisory. "Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server.

The attacker can then connect to the victim's local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE." OpenClaw is an open-source autonomous artificial intelligence (AI) personal assistant that runs locally on user devices and integrates with a wide range of messaging platforms. Despite being first released in November 2025, the project has become extremely popular in recent weeks; as of this writing, its GitHub repository has more than 149,000 stars.

According to Steinberger, "OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use." "Unlike SaaS assistants where your data lives on someone else's servers, OpenClaw runs where you choose – laptop, homelab, or VPS. Your system. Your keys.

Your data." The vulnerability can be exploited to create a one-click RCE exploit chain that takes only milliseconds after a victim visits a single malicious web page, according to Mav Levin, the founding security researcher at depthfirst who is credited with finding it. The issue is that OpenClaw's server does not verify the WebSocket origin header, so simply clicking on the link to that webpage can initiate a cross-site WebSocket hijacking attack.

This effectively circumvents localhost network restrictions by allowing the server to accept requests from any website.

The vulnerability can be exploited by a malicious website to run client-side JavaScript on the victim's browser, which can obtain an authentication token, connect to the server via WebSocket, and use the stolen token to get around authentication and access the victim's OpenClaw instance. To make matters worse, by leveraging the token's privileged operator.admin and operator.approvals scopes, the attacker can use the API to disable user confirmation by setting "exec.approvals.set" to "off" and escape the container used to run shell tools by setting "tools.exec.host" to "gateway." "This forces the agent to run commands directly on the host machine, not inside a Docker container," Levin said.

"Finally, the attacker JavaScript executes a node.invoke request to achieve arbitrary command execution." In the advisory, Steinberger stated that "the vulnerability is exploitable even on instances configured to listen on loopback only, since the victim's browser initiates the outbound connection." "It impacts any Moltbot deployment where a user has authenticated to the Control UI.

By gaining operator-level access to the gateway API, the attacker can execute code on the gateway host and make arbitrary configuration changes. The attack works even when the gateway binds to loopback because the victim's browser acts as the bridge."