ClawDBot, a well-known npm package, has a high-severity authentication bypass vulnerability that allows attackers to execute code remotely via a single malicious link This article explores security concern clawdbot. . The vulnerability results from both automatic connection behavior that exposes authentication tokens to unauthorized actors and inadequate validation of the gateway URL parameter.

Overview of Vulnerabilities The vulnerability affects ClawDBot versions up to v2026.1.28 and is known as GHSA-g8p2-7wf7-98mq. The Control UI accepts a gatewayUrl parameter directly from the query string without validation and automatically initiates a WebSocket connection on page load. A crucial exposure vector for token exfiltration is created during this connection process when the stored gateway authentication token is sent to the designated endpoint in the connection payload.

By creating a malicious URL or hosting a phishing website that deceives users into clicking links with a controlled gatewayUrl parameter pointing to attacker infrastructure, an attacker can take advantage of this. When a victim visits the link while authenticated to the ClawDBot Control UI, their gateway token is automatically exfiltrated to the attacker’s server without any user confirmation or security warning. The attacker obtains operator-level access to the victim's gateway API after the token is compromised.

This enables arbitrary modifications to gateway configuration, including sandbox settings and tool policies, ultimately leading to full gateway compromise and remote code execution on the host system. Token theft can be initiated with just one click on a malicious link, requiring very little user interaction throughout the attack chain.

The vulnerability is particularly dangerous because it remains exploitable even on instances configured to listen exclusively on localhost. The network isolation of the gateway offers no protection because the outbound connection to the attacker-controlled server is started by the victim's browser. This implies that if users with ClawDBot access interact with external links, even instances that are internally deployed or air-gapped are vulnerable.

The vendor has addressed this issue in ClawDBot v2026.1.29 by implementing mandatory user confirmation for new gateway URLs in the UI. Before establishing connections to new gateway instances, this validation requires explicit user consent and stops automatic token transmission to unverified endpoints. It is recommended that users update to the patched version right away. Companies should keep an eye out for unauthorized configuration changes and audit gateway access logs for questionable token activity.

During the vulnerability window, security teams should examine WebSocket connection logs for any unexpected connections to external infrastructure. Additionally, implementing network-level controls such as egress filtering and restricting outbound connections from ClawDBot Control UI instances can provide defense-in-depth protection. Organizations using ClawDBot in high-security environments should consider deploying the package behind proxy servers with URL validation capabilities.

This vulnerability highlights the risks associated with automatic authentication token transmission during connection initialization as well as the crucial significance of URL parameter validation. This is a high-priority security concern for ClawDBot deployments because of the one-click exploitation vector and operator-level gateway access. To avoid possible gateway infrastructure compromise and unauthorized code execution on host systems, prompt patching and thorough security audits are crucial.