The disclosure of CVE-2026-25253 has raised serious concerns across the cybersecurity community after researchers confirmed that an OpenClaw bug enables one-click remote code execution through a crafted malicious link. The high-severity flaw, affecting the rapidly growing open-source AI agent platform OpenClaw (formerly Clawdbot and Moltbot), allows attackers to exfiltrate authentication tokens and gain operator-level access to a victim’s local gateway simply by luring them to visit a malicious webpage.
Because OpenClaw runs locally with deep system permissions, successful exploitation can lead to full host compromise, making this vulnerability particularly dangerous despite requiring only a single click for execution.
A Critical OpenClaw Vulnerability Exposes Users to One-Click RCE
A newly disclosed OpenClaw bug enables one-click remote code execution through a specially crafted malicious link, posing a serious risk to users running the open-source AI agent locally. The flaw, tracked as CVE-2026-25253 with a CVSS score of 8.8, has been classified as high severity and was patched in version 2026.1.29 released on January 30, 2026.
The vulnerability affects OpenClaw, formerly known as Clawdbot and Moltbot, an increasingly popular autonomous AI assistant that runs on user-controlled infrastructure. Security researchers warn that exploitation requires nothing more than a victim clicking a malicious link, making the attack chain particularly dangerous.

What Is OpenClaw and Why Does This Vulnerability Matter?
OpenClaw is an open-source autonomous AI agent platform designed to run locally on laptops, homelabs, or VPS environments. It integrates with common messaging platforms and allows users to execute automation tasks directly from chat applications.
The project has grown rapidly in popularity, surpassing 149,000 GitHub stars at the time of writing, reflecting widespread adoption among developers and AI enthusiasts. According to its creator, Peter Steinberger, OpenClaw differentiates itself from SaaS AI assistants by keeping user data under full local control rather than storing it on third-party servers.
However, the same local-first architecture that prioritizes privacy also increases the impact of vulnerabilities. When a critical flaw allows token theft and gateway compromise, the result can be full system-level code execution.
How the OpenClaw Bug Enables One-Click Remote Code Execution
The vulnerability stems from improper validation in the Control UI. Specifically, the application trusts the gatewayUrl parameter from the query string without validating it and automatically connects upon loading. During this process, the stored gateway token is included in the WebSocket connection payload.
“The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload.” - Peter Steinberger
This design flaw creates a token exfiltration vector. When a user clicks a malicious link or visits a hostile webpage, the attacker can:
- Trigger a cross-site WebSocket hijacking attack.
- Bypass origin validation because OpenClaw does not properly verify the WebSocket origin header.
- Exfiltrate the victim’s authentication token.
- Use the stolen token to authenticate as an operator-level user.
Because the server accepts WebSocket requests from any website, the attack bypasses localhost restrictions. Even instances configured to listen only on loopback interfaces remain vulnerable since the victim’s browser acts as the outbound bridge.
This architectural flaw is the core reason the OpenClaw bug enables one-click remote code execution with minimal user interaction.
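The two missing checks described above, sketched as an added example (this is not OpenClaw's code or its actual patch): the UI treats gatewayUrl as untrusted input, and the gateway validates the Origin header on the WebSocket upgrade. Function names, hosts and ports are assumptions.

```javascript
// Added example; function names, hosts and ports are assumptions, not OpenClaw code.

// UI side: a gatewayUrl from the query string is untrusted input. Auto-connect
// (and send the stored token) only when it points at the gateway the user
// already saved; anything else needs explicit confirmation and gets no token.
function resolveGatewayUrl(pageUrl, savedGateway) {
  const saved = new URL(savedGateway);
  const trusted = { url: saved.href, autoConnect: true, sendStoredToken: true };
  const requested = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (requested === null) return trusted;
  let target;
  try {
    target = new URL(requested);
  } catch {
    return trusted; // unparsable value: ignore it and keep the saved gateway
  }
  if (target.protocol !== "ws:" && target.protocol !== "wss:") return trusted;
  const same = target.protocol === saved.protocol && target.host === saved.host;
  if (same) return trusted;
  return { url: target.href, autoConnect: false, sendStoredToken: false };
}

// Gateway side: reject WebSocket upgrades whose Origin is not allowlisted.
// Browsers always send Origin on the handshake; a missing header means a
// non-browser client, which still has to present a valid token.
function isAllowedOrigin(headers, allowedOrigins) {
  const origin = headers["origin"];
  if (origin === undefined) return true;
  try {
    return allowedOrigins.has(new URL(origin).origin);
  } catch {
    return false; // "null" or malformed Origin value
  }
}
```

Either check alone breaks the chain: the first keeps the token from being sent to an unconfirmed endpoint, the second keeps a foreign page from opening a session with the local gateway.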

Privilege Escalation and Container Escape Mechanics
The exploit chain becomes more severe due to the privileged scopes embedded within the stolen token. The token may include the operator.admin and operator.approvals permissions, which allow attackers to modify critical gateway configurations. Once authenticated, an attacker can:
- Disable execution approval prompts by setting exec.approvals.set to “off”.
- Change the execution environment from sandboxed container to host-level by setting tools.exec.host to “gateway”.
This effectively forces command execution directly on the host machine rather than within a Docker container. According to security researcher Mav Levin of depthfirst, who discovered the flaw, the final stage of exploitation involves executing a node.invoke request that allows arbitrary command execution on the host.
In practical terms, the OpenClaw bug enables one-click remote code execution that escapes container isolation and grants full host compromise.
Why Existing Safety Guardrails Failed
OpenClaw includes sandboxing and safety guardrails designed primarily to mitigate malicious actions triggered by prompt injection. However, those mechanisms were not designed to defend against authentication token theft and WebSocket hijacking.
Levin explained in comments to The Hacker News that these defenses focus on containing LLM behavior rather than preventing architectural-level abuse. As a result, users who believed sandboxing would reduce attack impact were left exposed.
The issue is not simply a coding oversight but a deeper architectural assumption about trust boundaries between browser, gateway, and WebSocket communication.

Scope of Impact: Who Is Affected?
The vulnerability impacts any OpenClaw or Moltbot deployment where a user has authenticated to the Control UI. Once the victim is logged in, clicking a malicious link can immediately expose their gateway token. Notably:
- Loopback-only configurations are still vulnerable.
- Localhost binding does not prevent exploitation.
- The attack requires no local network access by the attacker.
- Exploitation can occur in milliseconds after visiting a malicious page.
Because the victim’s browser initiates the outbound WebSocket connection, network isolation does not mitigate the attack.
This broad exposure significantly amplifies the severity of the issue and explains the high CVSS score.
Patch and Mitigation: Version 2026.1.29
The vulnerability has been fixed in OpenClaw version 2026.1.29, released January 30, 2026. Users are strongly advised to upgrade immediately.
Mitigation steps include:
- Updating to the patched version without delay.
- Rotating all previously issued gateway tokens.
- Reviewing configuration changes for unauthorized modifications.
- Verifying sandbox and execution settings.
Users running production workloads or exposing their instances via reverse proxies should perform a complete integrity audit of their systems.
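One way to approach the configuration review, as an added example (not OpenClaw code): correlate, per session, the two guardrail changes named in this article with a following node.invoke. The event schema, the time window and the literal "off" are assumptions; only the setting and method names come from the article.

```javascript
// Added example; the event schema is constructed for illustration and is not
// OpenClaw's log format. Map your own audit records into this shape first.
const WINDOW_MS = 5 * 60 * 1000; // assumed correlation window

function findGuardrailBypass(events) {
  const state = new Map(); // session -> timestamps of the risky changes
  const alerts = [];
  const sorted = [...events].sort((a, b) => a.ts - b.ts);
  for (const ev of sorted) {
    const s = state.get(ev.session) ?? { approvalsOff: null, hostExec: null };
    state.set(ev.session, s);
    if (ev.name === "exec.approvals.set") {
      // "off" is the assumed literal for disabled approvals
      s.approvalsOff = ev.value === "off" ? ev.ts : null;
    } else if (ev.name === "tools.exec.host") {
      s.hostExec = ev.value === "gateway" ? ev.ts : null;
    } else if (ev.name === "node.invoke") {
      const recent = (t) => t !== null && ev.ts - t <= WINDOW_MS;
      // Alert only when both guardrails were weakened shortly before execution.
      if (recent(s.approvalsOff) && recent(s.hostExec)) {
        alerts.push({ session: ev.session, origin: ev.origin, ts: ev.ts });
      }
    }
  }
  return alerts;
}

// Constructed sample events (timestamps in milliseconds).
const SAMPLE_EVENTS = [
  { ts: 1000, session: "a", origin: "http://localhost:3000", name: "node.invoke" },
  { ts: 2000, session: "b", origin: "https://untrusted.example", name: "exec.approvals.set", value: "off" },
  { ts: 2050, session: "b", origin: "https://untrusted.example", name: "tools.exec.host", value: "gateway" },
  { ts: 2100, session: "b", origin: "https://untrusted.example", name: "node.invoke" },
];
```

A hit on a session whose origin is not the Control UI's own is a strong reason to rotate tokens and audit the host.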

Broader Security Implications for Local AI Agents
The fact that an OpenClaw bug enables one-click remote code execution highlights a broader security challenge facing local AI agent platforms. As AI assistants gain deeper system-level permissions, the attack surface expands beyond traditional web vulnerabilities.
Key concerns moving forward include:
- Proper origin validation for WebSocket connections.
- Strict separation between UI and gateway authentication flows.
- Limiting token scope and enforcing least-privilege principles.
- Designing sandbox models resilient to architectural abuse.
As autonomous AI agents become more integrated into daily workflows, vulnerabilities like CVE-2026-25253 serve as a reminder that convenience must never override secure design.
Conclusion
The disclosure of CVE-2026-25253 demonstrates how a seemingly minor validation flaw can escalate into full host compromise. Because the OpenClaw bug enables one-click remote code execution, exploitation requires minimal effort and no advanced attacker capabilities.
While the issue has been patched, its architectural implications extend beyond OpenClaw. Developers building local-first AI platforms must treat browser-to-gateway trust boundaries as critical attack vectors, especially when privileged tokens are involved.