A critical vulnerability in OpenClaw (formerly Clawdbot/Moltbot), the popular open-source AI agent, allows attackers to achieve remote code execution with a single click. The flaw, tracked as CVE-2026-25253 (CVSS 8.8), was patched in version 2026.1.29 on January 30, 2026.
Vulnerability overview
| Attribute | Value |
|---|---|
| CVE | CVE-2026-25253 |
| GHSA | GHSA-r2c6-8jc8-g32w |
| CVSS | 8.8 (High) |
| Type | Cross-Site WebSocket Hijacking (CSWSH) |
| Attack vector | Malicious link |
| User interaction | Single click |
| Fixed version | 2026.1.29 |
| Discoverer | Mav Levin (depthfirst) |
Technical analysis
The vulnerability chains multiple weaknesses into a one-click RCE exploit.
Vulnerability components
| Component | File | Issue |
|---|---|---|
| Settings | app-settings.ts | Trusted gatewayUrl query parameter without validation |
| Lifecycle | app-lifecycle.ts | Immediately triggered connectGateway() with attacker URL |
| Gateway | gateway.ts | Included auth token in handshake to malicious server |
Root cause: Missing origin validation
| Browser behavior | Server responsibility |
|---|---|
| Same-Origin Policy enforced for HTTP | Server must validate WebSocket origins |
| Not enforced for WebSocket connections | OpenClaw failed to validate origin header |
| Browser allows cross-origin WebSocket | Server accepted connections from any website |
“OpenClaw’s WebSocket server fails to validate the WebSocket origin header, accepting requests from any site.”
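The missing check, as an added example that is not OpenClaw's code: an exact-match Origin allowlist applied to the WebSocket upgrade request. `ALLOWED_ORIGINS`, `checkUpgrade()` and `onUpgrade()` are hypothetical names, and the allowed origins assume a Control UI served on the default port 18789.

```javascript
// Added example: Origin allowlist check for a WebSocket upgrade request.
// ALLOWED_ORIGINS and the function names are hypothetical, not OpenClaw code.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:18789", // assumed Control UI origins on the default port
  "http://127.0.0.1:18789",
]);

// Normalise an Origin header to scheme://host[:port], or null if unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  let u;
  try {
    u = new URL(value);
  } catch {
    return null;
  }
  if (u.protocol !== "http:" && u.protocol !== "https:") return null;
  // A genuine Origin header carries no path, query, fragment or credentials.
  if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
  return u.origin; // lower-cases the host and drops default ports
}

// Decide whether to accept the upgrade. Exact match only: prefix or substring
// tests would accept look-alike hosts such as localhost.attacker.example.
function checkUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(headers["origin"]);
  if (origin === null) return { accept: false, reason: "missing or malformed Origin" };
  if (!allowed.has(origin)) return { accept: false, reason: `origin not allowed: ${origin}` };
  return { accept: true, reason: "ok" };
}

// Wiring for the 'upgrade' event of a Node http server: refuse before any
// WebSocket handshake completes.
function onUpgrade(req, socket) {
  const verdict = checkUpgrade(req.headers);
  if (!verdict.accept) {
    socket.write("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
    socket.destroy();
  }
  return verdict;
}
```

The browser sets Origin, so this check stops browser-mediated cross-site connections; non-browser clients can send any value, which is why it complements token authentication rather than replacing it.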
High-privilege token scopes
Stolen tokens carry dangerous permissions:
| Scope | Capability |
|---|---|
| operator.admin | Full administrative access |
| operator.approvals | Disable safety features |
With these privileges, attackers don’t need sandbox escapes—they can simply disable safety features via the API.
The kill chain
Mav Levin at depthfirst demonstrated the attack executes in milliseconds:
| Phase | Action | Time |
|---|---|---|
| 1 | Victim clicks malicious link | 0ms |
| 2 | Browser connects to attacker’s WebSocket server | ~10ms |
| 3 | OpenClaw sends authentication token automatically | ~20ms |
| 4 | Attacker uses token to connect to victim’s OpenClaw | ~50ms |
| 5 | Attacker sends exec.approvals.set with ask: "off" | ~100ms |
| 6 | Attacker executes arbitrary commands on victim’s system | ~150ms |
Total time from click to RCE: milliseconds.
Localhost bypass
Critically, localhost deployments are equally vulnerable. The victim’s browser becomes the bridge into their local network:
| Factor | Implication |
|---|---|
| Connection originates from legitimate browser | Bypasses localhost network restrictions |
| Browser has local network access | CSWSH bridges external attacker to local services |
| No firewall protection | Attack doesn’t traverse network boundary directly |
“The vulnerability is exploitable even on instances configured to listen on loopback only, since the victim’s browser initiates the outbound connection.”
Exposure scale
Censys scanning data (January 31, 2026)
| Metric | Value |
|---|---|
| Publicly exposed instances | 21,000+ |
| Alibaba Cloud hosting | ~30% |
| Default port | TCP 18789 |
| Authentication beyond gateway token | Often absent |
Who is affected
| Deployment type | Vulnerable? |
|---|---|
| Internet-exposed instances | Yes |
| Localhost-only instances | Yes (via CSWSH) |
| VPN-protected instances | Yes (if user visits malicious site) |
| Any authenticated Control UI user | Yes |
National advisory
The Belgium Centre for Cybersecurity (CCB) issued a national advisory:
“The vulnerability allows 1-click remote code execution when processing attacker-controlled content.”
Affected versions
| Version | Status |
|---|---|
| All versions up to v2026.1.24-1 | Vulnerable |
| v2026.1.29+ | Fixed |
The fix
Version 2026.1.29 adds a gateway URL confirmation modal:
| Before fix | After fix |
|---|---|
| Automatic connection to any gatewayUrl | User must confirm unfamiliar gateway URLs |
| Silent token transmission | Modal warns before connecting |
| No origin validation | Origin validation added |
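A sketch of the "after fix" column as client-side logic, added here as an example and not taken from the OpenClaw patch: the `gatewayUrl` query parameter is treated as untrusted, and the token is withheld until the user confirms an unfamiliar gateway. `planGatewayConnection()`, `trustedGateways` and the returned object shape are hypothetical.

```javascript
// Added example, not OpenClaw source: treat ?gatewayUrl= as untrusted input.
// planGatewayConnection(), trustedGateways and the return shape are hypothetical.
function planGatewayConnection(pageHref, trustedGateways, authToken) {
  const requested = new URL(pageHref).searchParams.get("gatewayUrl");
  if (requested === null) return { action: "use-default", token: authToken };

  let target;
  try {
    target = new URL(requested);
  } catch {
    return { action: "reject", reason: "unparseable gatewayUrl", token: null };
  }
  if (target.protocol !== "ws:" && target.protocol !== "wss:") {
    return { action: "reject", reason: "not a WebSocket URL", token: null };
  }
  if (target.username || target.password) {
    return { action: "reject", reason: "credentials in URL", token: null };
  }
  // Compare scheme, host and port exactly; never by prefix or substring.
  const key = `${target.protocol}//${target.host}`;
  const known = trustedGateways.some((g) => {
    const t = new URL(g);
    return `${t.protocol}//${t.host}` === key;
  });
  if (known) return { action: "connect", url: target.href, token: authToken };

  // Unfamiliar gateway: hand the decision to the user and withhold the token
  // until they confirm, so nothing is sent during an automatic handshake.
  return { action: "confirm", url: target.href, token: null };
}
```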

| Priority | Action |
|---|---|
| Critical | Upgrade to v2026.1.29 or later |
| Critical | Rotate gateway tokens (generate new authToken) |
| Critical | Rotate API keys for all connected services |
| High | Audit authentication logs |
Generating new gateway token
Rotate the authToken for your OpenClaw instance immediately—assume any token from before the patch is compromised if users accessed the Control UI.
Defense in depth
| Measure | Purpose |
|---|---|
| Don’t expose OpenClaw to internet | Reduce attack surface |
| Use SSH tunnels or VPN for remote access | Authenticated transport |
| Network-level ACLs on port 18789 | Limit connection sources |
| Monitor for unexpected origins | Detect exploitation attempts |
Detection
Indicators to monitor
| Indicator | Meaning |
|---|---|
| WebSocket connections from unfamiliar origins | Potential CSWSH |
| exec.approvals.set API calls | Safety feature manipulation |
| ask: "off" parameter | Prompt suppression |
| Unexpected command execution after browsing | Post-exploitation |
| New or modified gateway tokens | Credential theft |
Log review
| Check | Location |
|---|---|
| WebSocket connection origins | Gateway logs |
| API calls to exec.approvals | Control plane logs |
| Command execution history | System logs |
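The indicators above turned into a log scan, as an added example rather than an OpenClaw tool. The page does not document a log format, so the JSON-lines schema (`event`, `conn`, `origin`, `method`, `params`), the event names and the sample records are all assumptions constructed for illustration.

```javascript
// Added example: scan gateway log records for the indicators listed above.
// The JSON-lines schema (event, conn, origin, method, params) is an assumed
// format for illustration; map the field names to the logs you actually have.
const EXPECTED_ORIGINS = new Set(["http://localhost:18789", "http://127.0.0.1:18789"]);

// Constructed sample records, not captured from a real instance.
const SAMPLE_LOG = [
  '{"ts":"2026-01-31T10:00:00Z","event":"ws.connect","conn":"c1","origin":"http://localhost:18789"}',
  '{"ts":"2026-01-31T10:00:05Z","event":"rpc","conn":"c1","method":"exec.approvals.set","params":{"ask":"off"}}',
  '{"ts":"2026-01-31T10:02:00Z","event":"ws.connect","conn":"c2","origin":"https://attacker.example"}',
  '{"ts":"2026-01-31T10:02:00Z","event":"rpc","conn":"c2","method":"exec.approvals.set","params":{"ask":"off"}}',
  "not json at all",
].join("\n");

function findIndicators(logText, expectedOrigins = EXPECTED_ORIGINS) {
  const suspectConns = new Set(); // connections opened from unfamiliar origins
  const findings = [];
  for (const [i, line] of logText.split("\n").entries()) {
    if (!line.trim()) continue;
    let rec;
    try {
      rec = JSON.parse(line);
    } catch {
      findings.push({ line: i + 1, severity: "info", what: "unparseable record" });
      continue;
    }
    if (rec === null || typeof rec !== "object") continue;
    if (rec.event === "ws.connect" && !expectedOrigins.has(rec.origin)) {
      suspectConns.add(rec.conn);
      findings.push({ line: i + 1, severity: "medium", what: `unfamiliar origin ${rec.origin}` });
    }
    const ask = rec.params ? rec.params.ask : undefined;
    if (rec.event === "rpc" && rec.method === "exec.approvals.set" && ask === "off") {
      // Prompts switched off on a connection from an unfamiliar origin matches
      // phases 4 and 5 of the kill chain; any other source still needs review.
      const severity = suspectConns.has(rec.conn) ? "critical" : "high";
      findings.push({ line: i + 1, severity, what: 'exec.approvals.set ask="off"' });
    }
  }
  return findings;
}
```

Calling `findIndicators(SAMPLE_LOG)` returns one finding per flagged record with its line number, so results can be sorted by severity and traced back to the source log.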
AI agent security context
CVE-2026-25253 is separate from the ongoing malicious ClawHub skills campaign, but both highlight security challenges in the emerging AI agent ecosystem.
Why AI agents are high-risk targets
| Factor | Risk |
|---|---|
| System-level access | Agents execute commands on host |
| Autonomous operation | Reduced human oversight |
| Trust assumptions | Users grant broad permissions |
| Rapid adoption | Security practices lag features |
AI agent attack surface
| Component | Risk |
|---|---|
| Control UI | This vulnerability (CSWSH) |
| Skill marketplace | Malicious skills (separate issue) |
| LLM integrations | Prompt injection |
| Tool execution | Command injection |
Recommendations
For OpenClaw users
| Priority | Action |
|---|---|
| Critical | Update to v2026.1.29 immediately |
| Critical | Rotate all credentials |
| High | Audit for signs of compromise |
| Ongoing | Monitor security advisories |
For AI agent deployers
| Priority | Action |
|---|---|
| High | Inventory all AI agent deployments |
| High | Review network exposure |
| High | Implement authentication beyond default |
| Ongoing | Track AI agent security research |
For security teams
| Priority | Action |
|---|---|
| High | Add AI agents to vulnerability management |
| High | Monitor for CSWSH patterns |
| Medium | Develop AI agent security policies |
| Ongoing | Threat model AI agent deployments |
Context
CVE-2026-25253 demonstrates that AI agent security requires the same rigor as traditional application security—and potentially more, given the system-level access these tools often require.
The trivial exploitation requirements (single click), the bypass of localhost restrictions, and the availability of 21,000+ exposed instances make this an emergency patch situation. As autonomous AI assistants gain system-level access, vulnerabilities enabling unauthorized control become critical-severity issues regardless of CVSS scores.
Users running OpenClaw should treat this as an emergency patch, particularly given that the attack works even against “secure” localhost-only deployments.