A critical security vulnerability, CVE-2026-25253, has been discovered in the popular open-source AI assistant OpenClaw, formerly known as Clawdbot and Moltbot. This high-severity flaw, with a CVSS score of 8.8, could permit remote code execution (RCE) through a deceptively simple malicious link. The issue has been addressed by developers with the release of version 2026.1.29 on January 30, 2026. The vulnerability, described as a token exfiltration issue, can lead to a complete compromise of the OpenClaw gateway.
OpenClaw is an AI-powered personal assistant that operates locally on user devices and integrates with various messaging platforms. Despite its relatively recent release in November 2025, the project has seen a meteoric rise in popularity, with its GitHub repository attracting over 149,000 stars. Its core appeal lies in its decentralized nature, offering users greater control over their data compared to cloud-based assistants, as stated by its creator, Peter Steinberger.
OpenClaw Vulnerability Allows Remote Code Execution
The security flaw stems from how the OpenClaw Control UI handles the `gatewayUrl` parameter found in the query string. According to Peter Steinberger, the UI trusts this URL without proper validation and automatically attempts to connect. During this connection process, it transmits the stored gateway token within the WebSocket payload. This mechanism creates an exploitable pathway for attackers.
Mav Levin, a security researcher at depthfirst credited with uncovering the vulnerability, explained that clicking a specifically crafted link or visiting a malicious website can redirect this sensitive token to a server controlled by an attacker. This allows the attacker to establish a connection to the victim’s local gateway. Once connected, they can alter crucial configurations, such as sandbox settings and tool policies, and execute privileged actions, ultimately achieving a one-click remote code execution.
The exploitation chain is remarkably efficient, taking mere milliseconds after a victim accesses a malicious web page. This is due to OpenClaw’s server not validating the WebSocket origin header. Consequently, the server accepts requests from any website, effectively circumventing local network restrictions. Malicious JavaScript embedded on a compromised or attacker-controlled webpage can then leverage this to access an authentication token from the victim’s browser.
With the stolen token, the attacker can establish a WebSocket connection to the OpenClaw server and bypass authentication to gain access to the victim’s OpenClaw instance. This elevated access is particularly concerning because the token carries the `operator.admin` and `operator.approvals` scopes. Attackers can exploit these permissions via the API to disable user confirmation prompts by setting `exec.approvals.set` to “off.”
Furthermore, attackers can manipulate the `tools.exec.host` setting to “gateway.” This crucial step forces the agent to execute commands directly on the host machine rather than within the confines of a Docker container. As Levin noted, this allows for arbitrary command execution through a `node.invoke` request initiated by the attacker’s JavaScript code. This bypasses the intended safety features designed to protect against prompt injection attacks from language models.
Even instances configured to listen only on the loopback interface are vulnerable. Steinberger clarified that this is because the victim’s browser initiates the outbound connection, acting as the bridge for the malicious traffic. This means any OpenClaw deployment where a user has authenticated to the Control UI is susceptible. The attacker gains operator-level access to the gateway API, enabling unauthorized configuration changes and code execution on the gateway host.
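The two gaps described above (a Control UI that trusts a `gatewayUrl` query parameter, and a gateway that never checks the WebSocket `Origin` header) map to two small defensive checks. The following is an added example, not OpenClaw’s code; the function names, the allow-list, and the port 18789 are assumptions chosen for illustration.

```javascript
// Added example (not OpenClaw's code). Hypothetical names; the port and
// host values below are constructed for the demo.
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Client side: auto-connect to a gatewayUrl taken from the query string only
// if it uses a WebSocket scheme and points at loopback or at the same host
// that served the Control UI. Anything else is rejected, not trusted.
function isTrustedGatewayUrl(rawGatewayUrl, pageOrigin) {
  let url;
  try {
    url = new URL(rawGatewayUrl);
  } catch {
    return false; // unparsable input is never trusted
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return false;
  if (url.username || url.password) return false; // no credentials in URL
  const pageHost = new URL(pageOrigin).hostname;
  return LOOPBACK_HOSTS.has(url.hostname) || url.hostname === pageHost;
}

// Server side: the WebSocket upgrade handler compares the Origin header
// against an explicit allow-list of origins that serve the Control UI.
// This answers only for browser requests (Origin present); policy for a
// missing Origin (non-browser clients) is a separate decision for the caller.
function isAllowedOrigin(originHeader, allowedOrigins) {
  if (typeof originHeader !== "string") return false;
  let origin;
  try {
    origin = new URL(originHeader).origin; // normalizes case and default ports
  } catch {
    return false;
  }
  return allowedOrigins.some((allowed) => new URL(allowed).origin === origin);
}

// Constructed sample inputs: a legitimate local UI and a cross-site page.
function demo() {
  const page = "http://127.0.0.1:18789"; // assumed local Control UI origin
  return {
    localOk: isTrustedGatewayUrl("ws://127.0.0.1:18789/ws", page),
    remoteBlocked: isTrustedGatewayUrl("wss://cross-site.example/ws", page),
    httpBlocked: isTrustedGatewayUrl("http://127.0.0.1:18789/ws", page),
    originOk: isAllowedOrigin("http://127.0.0.1:18789", [page]),
    originBlocked: isAllowedOrigin("https://cross-site.example", [page]),
  };
}
```

Both checks fail closed: a parse error, a non-WebSocket scheme, or an unlisted origin refuses the connection before any stored token is sent or read.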
Implications and Future Outlook
The discovery underscores the ongoing challenges in securing complex AI systems, especially those that operate directly on user infrastructure. While OpenClaw’s decentralized architecture provides significant benefits, it also presents unique security considerations. The vulnerability highlights the importance of robust input validation and origin verification in all network communications, particularly when dealing with sensitive authentication tokens.
The next steps involve ensuring all OpenClaw users update to the patched version 2026.1.29 to mitigate the risk of exploitation. Developers will likely continue to review and enhance security protocols for future releases, potentially focusing on more granular access controls and advanced threat detection mechanisms within the AI agent’s operational framework. The incident serves as a reminder for the broader AI development community to prioritize security throughout the development lifecycle of autonomous agents and intelligent systems.

