CVE-2026-25253: 1-Click RCE in OpenClaw Through Auth Token Exfiltration
CVE-2026-25253 is a critical security vulnerability classified as an Incorrect Resource Transfer Between Spheres (CWE-669) with a high severity score (CVSS 8.8). It affects OpenClaw (formerly known as Clawdbot and Moltbot), a popular open-source AI agent.
The vulnerability is a logic flaw that allows an attacker to steal a user’s authentication token and achieve Remote Code Execution (RCE) with a single click. The core issue lies in how the application processes URL parameters: prior to the fix, the application would accept a gatewayUrl via a query string and automatically establish a WebSocket connection to that URL without user confirmation, transmitting the user’s authentication credentials in the process.
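To make the logic flaw concrete, the following is an added example (not OpenClaw's own code) that contrasts the pre-fix behaviour described above with a hardened way to handle a gatewayUrl taken from the query string. The function names, return fields and the default allowlist of gateway hosts are assumptions for this illustration; the point is that a URL parameter is untrusted input and must never trigger an automatic connection that carries the user's token.

```javascript
// Added example, not OpenClaw's code: how a web UI should treat a
// gatewayUrl supplied in the query string. Function and field names are
// hypothetical; the allowlist below is an assumed default.
const DEFAULT_ALLOWED_HOSTS = ["localhost", "127.0.0.1", "[::1]"];

// Vulnerable pattern (the pre-fix behaviour the advisory describes): the
// parameter is trusted as-is and the client connects immediately, so the
// authToken in the handshake goes to whatever host the link names.
function resolveGatewayUnsafe(queryString, fallbackUrl) {
  const params = new URLSearchParams(queryString);
  return {
    url: params.get("gatewayUrl") || fallbackUrl,
    connect: true,
    sendToken: true,
    reason: "unvalidated",
  };
}

// Hardened pattern: parse the value, accept only ws:/wss:, auto-connect only
// to hosts the user already trusts, and otherwise stop before the handshake
// (no connection, no token) until the user explicitly confirms the new host.
function resolveGatewaySafe(queryString, fallbackUrl, allowedHosts = DEFAULT_ALLOWED_HOSTS) {
  const params = new URLSearchParams(queryString);
  const raw = params.get("gatewayUrl");
  if (raw === null) {
    return { url: fallbackUrl, connect: true, sendToken: true, reason: "default" };
  }
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    // Malformed value: ignore it rather than guess at what was meant.
    return { url: fallbackUrl, connect: true, sendToken: true, reason: "ignored-unparseable" };
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
    return { url: fallbackUrl, connect: true, sendToken: true, reason: "ignored-bad-scheme" };
  }
  if (parsed.username || parsed.password) {
    // Credentials embedded in a link are never accepted.
    return { url: fallbackUrl, connect: true, sendToken: true, reason: "ignored-embedded-credentials" };
  }
  if (allowedHosts.includes(parsed.hostname)) {
    return { url: parsed.toString(), connect: true, sendToken: true, reason: "allowlisted-host" };
  }
  // Untrusted host: surface it to the user for confirmation; nothing is sent yet.
  return {
    url: parsed.toString(),
    connect: false,
    sendToken: false,
    requiresConfirmation: true,
    reason: "untrusted-host",
  };
}
```

In the hardened version the decision to connect and the decision to attach the token are separate, explicit outputs, so a reviewer can see at a glance that an unconfirmed host gets neither.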
Details of CVE-2026-25253 (SOCRadar Vulnerability Intelligence)
How Is This Vulnerability Exploited in Real Life?
Researchers describe the exploitation of this vulnerability as a “1-Click RCE Kill Chain” that occurs in milliseconds. The attack bypasses local network protections (like firewalls) by using the victim’s own browser as a bridge.
The exploit follows this specific sequence:
- First Step: A victim visits a malicious webpage or clicks a crafted link. The application blindly accepts the gatewayUrl parameter.
- Token Leak: The application immediately triggers a connection to the attacker’s server. During this handshake, it automatically bundles the user’s authToken and sends it to the attacker.
- The Pivot (Cross-Site WebSocket Hijacking): Once the attacker has the token, they perform Cross-Site WebSocket Hijacking (CSWSH). Because the OpenClaw WebSocket server fails to validate the origin header, the attacker’s JavaScript can connect to the victim’s local instance (e.g., ws://localhost:18789) from the malicious website.
- Sandbox Escape: Using the stolen token, the attacker uses the API to dismantle security guardrails:
  - Disable Prompts: They send an exec.approvals.set request to turn off user confirmation (ask: “off”).
  - Escape Container: They send a config.patch request to force commands to run on the host machine rather than inside a Docker container.
- Execution: Finally, the attacker sends a node.invoke request to execute arbitrary shell commands on the victim’s computer, effectively taking full control.
Which Versions Are Affected?
Security advisories explicitly list versions up to v2026.1.24-1 as vulnerable.
Who Is Actually at Risk From This Issue?
Any user running an unpatched version of OpenClaw is at high risk, particularly:
- Users Running it Locally: Even users running OpenClaw on localhost (not exposed to the internet) are vulnerable. The exploit uses the victim’s browser to pivot into the local network, bypassing the requirement for the instance to be internet-facing.
- Users with “God Mode” Permissions: Users who have granted their AI agent broad system access (shell, files, keys) face the highest impact, as the attacker inherits these permissions immediately.
- Users Visiting Untrusted Sites: Since the attack requires user interaction (clicking a link or visiting a page), users who browse the web while their agent is active are the primary targets.
What Should They Do Now?
If you are running OpenClaw, you must take the following steps immediately to secure your system.
- Apply the Patch Immediately
  - Upgrade to version v2026.1.24-1 or later.
- Rotate Credentials
  - Rotate the Gateway Token: Generate a new authToken for your OpenClaw instance.
  - Rotate Connected Secrets: You should rotate API keys for connected services.
- Incident Response and Auditing
  - Check Logs: Monitor your authentication logs for suspicious WebSocket connections or unexpected token usage.
  - Review Permissions: Check for loose file permissions or insecure configurations.
