A serious vulnerability has put at risk users of OpenClaw, the personal artificial intelligence assistant that runs locally and that built a very active community in a few months. The flaw, tracked as CVE-2026-25253 and carrying a high CVSS score, allows an attacker to steal the authentication token from a session and use it to take control of the local "gateway," which can lead to remote code execution with a single click. For the official CVE record, see the entry in the NVD database: https://nvd.nist.gov/vuln/detail/CVE-2026-25253.
The source of the problem is how the OpenClaw control interface handles the WebSocket connection to the local gateway. According to the security advisory published by the project itself, the interface accepts, without validation, a parameter used to build the gateway URL and also tries to connect automatically on load. As a result, if an authenticated user follows a specially crafted link or visits a malicious page, the browser can send the stored token, in the payload of the WebSocket connection, to servers controlled by the attacker. You can read the technical explanation in the repository's security advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq.
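One way a control interface can treat a gateway URL taken from the page address, shown as an added example that is not OpenClaw's code or its patch. The parameter name `gatewayUrl`, the saved endpoint, port 8080 and the function names are assumptions made for illustration.

```javascript
// Added example. gatewayUrl, SAVED_GATEWAY and port 8080 are hypothetical.
const SAVED_GATEWAY = "ws://127.0.0.1:8080/";
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]);

// Parse an untrusted value; return a URL only for a loopback ws/wss endpoint.
function parseLoopbackWsUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // relative or malformed input
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return null;
  // "ws://localhost@attacker.example/" has host attacker.example: reject userinfo.
  if (url.username || url.password) return null;
  // Exact match on the parsed hostname, never a prefix or substring test.
  return LOOPBACK_HOSTS.has(url.hostname) ? url : null;
}

// Decide what the UI may do on load. The token is attached automatically only
// for the saved gateway; any other endpoint waits for an explicit user action.
function planConnection(pageUrl, savedGateway = SAVED_GATEWAY) {
  const saved = new URL(savedGateway);
  const requested = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (requested === null) {
    return { target: saved.href, autoConnect: true, sendToken: true };
  }
  const parsed = parseLoopbackWsUrl(requested);
  if (parsed === null) {
    // Non-loopback or malformed destination: do not connect at all.
    return { target: null, autoConnect: false, sendToken: false };
  }
  const sameEndpoint =
    parsed.protocol === saved.protocol && parsed.host === saved.host;
  return sameEndpoint
    ? { target: saved.href, autoConnect: true, sendToken: true }
    : { target: parsed.href, autoConnect: false, sendToken: false };
}
```

A loopback endpoint that differs from the saved one is returned with `autoConnect: false`, so the interface has to ask the user before any token leaves the page.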

The researcher who reported the flaw, Mav Levin from depthfirst, showed how that token theft chains easily into other malicious actions: with a token that has operator privileges you can disable the execution confirmations, change the configuration so that the shell tools run on the host instead of inside a container, and finally invoke a command that ends up running on the local machine. Levin details the process in his technical analysis, where he shows that it is enough for the victim to open a page for the exploit to fire in milliseconds: https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys.
A particularly worrying aspect is that the flaw works even when the service is configured to listen only on loopback (localhost). The reason is that the user's browser initiates the outgoing connection to the gateway; that behavior sidesteps the usual local network restrictions and makes the browser a bridge between the malicious page and the protected service. The project creator, Peter Steinberger, explains this vector and why it is critical to fix it as soon as possible: https://openclaw.ai/blog/introng-openclaw. The main repository contains context on design and implementation: https://github.com/openclaw/openclaw.
The project's maintainers published a patch that fixes the vulnerability and recommend an immediate update to the fixed version, released on January 30, 2026: v2026.1.29. Beyond applying the official update, it is prudent for administrators and users to revoke any exposed token, restart the affected services and review the logs for unusual activity. It is also appropriate to limit the exposure of the gateway to trusted environments and to consider temporary measures such as avoiding the use of the control interface from browsers unless strictly necessary.

From the point of view of software security, this incident highlights two clear lessons: always validate the origin and parameters used by WebSocket connections, and do not rely on automatic connections that send credentials or tokens without explicit user verification. Implementing Origin header checks, avoiding sending tokens that are accessible from JavaScript, and requiring interactive confirmation for privileged actions are practices that mitigate this type of risk.
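An Origin header check on the gateway side of the WebSocket handshake, as an added example that is not OpenClaw's code. The allowed origins, the function names and the choice to accept handshakes without an Origin header (non-browser clients, still subject to token authentication) are assumptions.

```javascript
// Added example. ALLOWED_ORIGINS, checkOrigin and guardUpgrades are hypothetical.
// The set lists the origins the control UI is served from (constructed values).
const ALLOWED_ORIGINS = new Set([
  "http://127.0.0.1:8080",
  "http://localhost:8080",
]);

// Judge the Origin header of a WebSocket handshake.
function checkOrigin(originHeader) {
  // Browsers always send Origin on WebSocket handshakes. Its absence means a
  // non-browser client, which must still present a valid token afterwards.
  if (originHeader === undefined) {
    return { ok: true, reason: "no Origin header (non-browser client)" };
  }
  // Exact string match against the serialized origin. This rejects "null"
  // (sandboxed frames, file:// pages), look-alike suffixes and joined
  // duplicate headers.
  if (typeof originHeader !== "string" || !ALLOWED_ORIGINS.has(originHeader)) {
    return { ok: false, reason: "origin not allowed: " + String(originHeader) };
  }
  return { ok: true, reason: "allowed origin" };
}

// Register the check as the server's upgrade handler. Only handshakes that
// pass are handed to onAccepted, which completes the WebSocket upgrade.
function guardUpgrades(server, onAccepted) {
  server.on("upgrade", (req, socket, head) => {
    const verdict = checkOrigin(req.headers.origin);
    if (!verdict.ok) {
      // Refuse before any WebSocket frame or token is processed.
      socket.end("HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n");
      return;
    }
    onAccepted(req, socket, head);
  });
}
```

`guardUpgrades` takes a Node.js `http.Server`; with this check in place a page on another origin cannot open a socket to the loopback gateway even if it holds a token.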
OpenClaw, formerly known as Clawdbot or Moltbot, was presented in November 2025 as an alternative that runs AI agents on the user's device, and it quickly accumulated a large user base and many stars on GitHub. This growth explains why the vulnerability has had such a rapid impact: projects with local deployments that handle sensitive credentials require additional security controls precisely because of the deployment model they advocate.
If you use OpenClaw, the priority is to update to version 2026.1.29 as soon as possible and follow the project's official instructions. For more technical details and the official patches, see the repository's advisory and the write-up by the researcher who discovered the flaw: advisory and Depthfirst analysis. Keeping the software up to date and applying the principles of least privilege and origin validation significantly reduces the likelihood that such incidents will happen again.