OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link
A critical remote code execution (RCE) vulnerability (CVE-2026-25253) affects OpenClaw, an open-source AI personal assistant running locally on user devices. The flaw allows attackers to execute arbitrary code by tricking users into clicking a crafted malicious link, which exploits improper validation of the gatewayUrl parameter and WebSocket origin headers. This leads to token exfiltration and unauthorized access to the victim's OpenClaw gateway API with operator-level privileges. Attackers can disable security controls, escape container sandboxes, and execute commands directly on the host machine. The vulnerability is exploitable even if the gateway listens only on localhost, as the victim's browser acts as a bridge. No known exploits are currently in the wild, but the vulnerability is severe due to ease of exploitation and potential for full system compromise. A patch was released in version 2026.1.29 on January 30, 2026. European organizations using OpenClaw, especially in tech-forward countries, face significant risk if unpatched.
AI Analysis
Technical Summary
OpenClaw, formerly known as Clawdbot and Moltbot, is an open-source autonomous AI personal assistant that runs locally on user devices and integrates with various messaging platforms. A critical vulnerability identified as CVE-2026-25253 with a CVSS score of 8.8 enables remote code execution through a crafted malicious link. The root cause lies in the Control UI trusting the gatewayUrl parameter from the query string without validation and automatically connecting on page load, sending the stored gateway token in the WebSocket connection payload. The server also fails to validate the WebSocket origin header, allowing cross-site WebSocket hijacking. When a victim clicks a malicious link or visits a crafted webpage, attacker-controlled JavaScript running in the victim's browser steals the authentication token and establishes a WebSocket connection to the local OpenClaw gateway. Using the stolen token, the attacker gains operator-level access to the gateway API, enabling arbitrary configuration changes and disabling security features such as user confirmation prompts and sandboxing. This allows the attacker to escape container restrictions and execute arbitrary commands directly on the host machine, achieving one-click RCE. The vulnerability is exploitable even if the gateway binds only to localhost because the victim's browser initiates the outbound connection, effectively bypassing network restrictions. The flaw was discovered by security researcher Mav Levin and patched in OpenClaw version 2026.1.29 released on January 30, 2026. Despite the patch, the rapid adoption of OpenClaw since its November 2025 release and its use in sensitive environments make this vulnerability highly critical. The architectural design of OpenClaw's safety features, intended to mitigate malicious LLM prompt injections, does not protect against this exploit, increasing the blast radius of the attack.
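The two checks whose absence is described above, as an added example (not OpenClaw's code or its actual patch): a server-side Origin allowlist for the WebSocket handshake and a client-side allowlist for the gatewayUrl query parameter. The function names, port 8080, the default gateway path and both allowlists are assumptions made for illustration.

```javascript
'use strict';
// Added example; helper names, port 8080 and both allowlists are assumptions.

// Web origins allowed to open a WebSocket to the local gateway.
const ALLOWED_ORIGINS = new Set(['http://127.0.0.1:8080', 'http://localhost:8080']);
// Gateway endpoints (scheme + host:port) the UI may send its stored token to.
const TRUSTED_GATEWAYS = new Set(['ws://127.0.0.1:8080', 'ws://localhost:8080']);

// Server side: decide whether to accept a WebSocket upgrade based on Origin.
function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  // Policy choice for a browser-facing endpoint: a missing or opaque ("null")
  // Origin is refused rather than treated as same-origin.
  if (typeof originHeader !== 'string' || originHeader === 'null') return false;
  let parsed;
  try { parsed = new URL(originHeader); } catch { return false; }
  // Exact match on the serialized origin; no prefix or substring matching.
  return parsed.origin === originHeader && allowed.has(originHeader);
}

// Client side: pick the gateway to auto-connect to on page load.
function resolveGatewayUrl(pageHref, defaultGateway, trusted = TRUSTED_GATEWAYS) {
  const requested = new URL(pageHref).searchParams.get('gatewayUrl');
  if (requested === null) return defaultGateway;
  let target;
  try { target = new URL(requested); } catch { return defaultGateway; }
  const schemeOk = target.protocol === 'ws:' || target.protocol === 'wss:';
  const noCreds = target.username === '' && target.password === '';
  const endpoint = `${target.protocol}//${target.host}`;
  // An untrusted value is ignored, so the token never leaves for that host.
  return schemeOk && noCreds && trusted.has(endpoint) ? target.href : defaultGateway;
}

// Constructed sample inputs (attacker.example is a placeholder domain).
const DEFAULT_GATEWAY = 'ws://127.0.0.1:8080/ws';
const samples = [
  'http://127.0.0.1:8080/?gatewayUrl=wss://attacker.example/ws',
  'http://127.0.0.1:8080/?gatewayUrl=ws://localhost:8080/ws',
];
for (const href of samples) {
  console.log(href, '->', resolveGatewayUrl(href, DEFAULT_GATEWAY));
}
console.log(isAllowedOrigin('https://attacker.example'), isAllowedOrigin('http://localhost:8080'));
```

Either check alone breaks the chain the summary describes: the first keeps the token from being sent to an arbitrary host, the second keeps a foreign page from driving the local gateway through the victim's browser.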
Potential Impact
For European organizations, this vulnerability poses a severe risk of full system compromise on devices running OpenClaw. Since OpenClaw operates locally and integrates with messaging platforms, attackers can leverage this flaw to gain persistent, privileged access to user environments, potentially leading to data theft, espionage, or disruption of critical services. The ability to disable security controls and escape container sandboxes increases the likelihood of lateral movement and deeper network infiltration. Organizations relying on OpenClaw for automation or AI assistance in sensitive sectors such as finance, healthcare, or government could face significant confidentiality, integrity, and availability impacts. The exploit requires only user interaction via a single click, making phishing campaigns highly effective. Additionally, the vulnerability bypasses localhost restrictions, increasing the attack surface even in well-segmented networks. The lack of known active exploits currently provides a window for mitigation, but the rapid spread of OpenClaw adoption in Europe elevates the urgency. Failure to patch could lead to widespread compromise, data breaches, and operational disruptions.
Mitigation Recommendations
European organizations should immediately upgrade all OpenClaw instances to version 2026.1.29 or later, which addresses this vulnerability. Network administrators should implement strict Content Security Policies (CSP) and browser security settings to limit the execution of untrusted scripts and prevent malicious WebSocket connections. Employ endpoint detection and response (EDR) solutions to monitor for suspicious WebSocket activity and unauthorized configuration changes in OpenClaw. Disable or restrict OpenClaw usage on critical systems until patched. Conduct user awareness training focused on phishing and malicious link risks, emphasizing the danger of clicking unknown URLs. Consider isolating OpenClaw instances within hardened containers or virtual machines with strict network egress controls to limit potential damage. Review and audit OpenClaw configurations to ensure minimal privileges and enable any available security features. Monitor threat intelligence feeds for emerging exploit attempts and indicators of compromise related to this vulnerability. Finally, engage with OpenClaw developers and community to stay informed about further security updates or mitigations.
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Finland, Denmark, Belgium, Switzerland, Ireland
Technical Details
Article source: https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html (fetched 2026-02-03T08:48:30.915Z, word count 1190)
Threat ID: 6981b662f9fa50a62fb23215
Added to database: 2/3/2026, 8:48:34 AM
Last enriched: 2/3/2026, 8:49:15 AM
Last updated: 2/3/2026, 10:04:31 AM