CVE-2026-25253: One-Click RCE
Critical remote code execution vulnerability allowing token exfiltration and full gateway compromise. Control UI accepts gatewayUrl from query strings without validation, enabling cross-site WebSocket hijacking. Even localhost-only instances are vulnerable.
Overview
CVE-2026-25253 is a critical remote code execution vulnerability in OpenClaw that enables attackers to steal authentication tokens and gain full control over a victim's OpenClaw gateway through a one-click attack. Discovered by DepthFirst security researchers, this vulnerability affects all versions prior to 2026.1.29.
Technical Details
The vulnerability exists in the Control UI, which automatically trusts a gatewayUrl query parameter without validating it and establishes a WebSocket connection to that URL, including the user's stored authentication token in the connection. When a victim visits a malicious webpage, the attacker's JavaScript can extract this token and connect to the victim's local OpenClaw gateway.
Attack Chain
- Victim visits malicious webpage containing attacker-controlled JavaScript
- Script constructs WebSocket URL with malicious gatewayUrl parameter
- Control UI auto-connects and sends stored auth token to attacker's server
- Attacker uses stolen token to connect to victim's local instance (ws://localhost:18789)
- Attacker uses operator.admin scope to disable sandboxing (exec.approvals=off, tools.exec.host=gateway)
- Attacker breaks out of the Docker container and executes arbitrary commands on the host
The entire attack chain completes in milliseconds, making it nearly impossible for users to detect or prevent.
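The two checks whose absence the chain above depends on, as an added example (not OpenClaw's code or its actual patch): validating gatewayUrl before any token is sent, and rejecting cross-site WebSocket handshakes at the gateway. The function names, the page URL and the attacker.example host are assumptions made for illustration.

```javascript
// Added example, not OpenClaw code. Function names are hypothetical.
const DEFAULT_GATEWAY = "ws://localhost:18789"; // address quoted in the advisory

// Client side: choose the gateway the UI may send its stored token to.
// A gatewayUrl query value is honoured only when it parses, uses ws/wss,
// and its origin is allowlisted; anything else falls back to the default.
function resolveGatewayUrl(pageHref, allowedOrigins = [new URL(DEFAULT_GATEWAY).origin]) {
  const fallback = (reason) => ({ url: DEFAULT_GATEWAY, rejected: reason });
  const raw = new URL(pageHref).searchParams.get("gatewayUrl");
  if (raw === null) return fallback(null);
  let candidate;
  try {
    candidate = new URL(raw);
  } catch {
    return fallback("unparseable");
  }
  if (candidate.protocol !== "ws:" && candidate.protocol !== "wss:") return fallback("scheme");
  // Compare the parsed origin, never a string prefix: in
  // "ws://localhost:18789@attacker.example/" the real host is attacker.example.
  if (!allowedOrigins.includes(candidate.origin)) return fallback("origin");
  return { url: candidate.href, rejected: null };
}

// Gateway side: cross-site WebSocket hijacking relies on the server accepting
// a browser handshake from any page. Browsers always send Origin on WebSocket
// handshakes, so a present Origin must match the UI; a missing one means a
// non-browser client, which still has to present the token.
function isUpgradeAllowed(headers, trustedUiOrigins) {
  const origin = headers["origin"];
  if (origin === undefined) return true;
  return trustedUiOrigins.includes(origin);
}

// Constructed sample inputs (page URL and attacker host are illustrative).
const samples = [
  "http://localhost:18789/?gatewayUrl=wss://attacker.example/ws",
  "http://localhost:18789/?gatewayUrl=ws://localhost:18789@attacker.example/",
  "http://localhost:18789/?gatewayUrl=ws://localhost:18789/socket",
];
for (const s of samples) console.log(s, "->", resolveGatewayUrl(s));
```

Logging the rejected reason whenever it is non-null gives defenders a signal that someone was sent a crafted link.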
Details
Token exfiltration and full gateway compromise via a malicious link. The Control UI accepted gatewayUrl from query strings without validation. Even localhost-only instances are vulnerable.
Related Resources
21,639 Exposed OpenClaw Instances Found
A Censys security scan identified 21,639 OpenClaw instances exposed to the public internet without authentication. Over 30% are running on Alibaba Cloud. This represents a massive attack surface, with private messages, API keys, and OAuth credentials accessible. The 21x growth in under one week demonstrates rapid adoption and exposure.
Official Security Documentation
Comprehensive official security documentation covering OpenClaw's threat model, access control, authentication modes, sandboxing, DM pairing policies, tool permissions, and incident response. Details the security audit command, credential storage locations, and hardening best practices.
What Security Teams Need to Know About OpenClaw
Enterprise security assessment with detection guidance. Covers visibility via Falcon platform, discovery of OpenClaw deployments, removal workflows, prompt injection threats, and runtime protection with Falcon AIDR. Demonstrates blocking prompt injection attacks and provides enterprise-scale detection/response capabilities.