{"id":183826,"date":"2026-02-02T11:28:00","date_gmt":"2026-02-02T16:28:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/02\/openclaw-bug-enables-one-click-remote-code-execution-via-malicious-link\/"},"modified":"2026-02-02T11:55:07","modified_gmt":"2026-02-02T16:55:07","slug":"openclaw-bug-enables-one-click-remote-code-execution-via-malicious-link","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/02\/02\/openclaw-bug-enables-one-click-remote-code-execution-via-malicious-link\/","title":{"rendered":"OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link"},"content":{"rendered":"<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/openclaw-bug-enables-one-click-remote.html\">OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link<\/a><\/p>\n<p><a href=\"https:\/\/thehackernews.com\/2026\/02\/openclaw-bug-enables-one-click-remote.html\">https:\/\/thehackernews.com\/2026\/02\/openclaw-bug-enables-one-click-remote.html<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-02-02 11:28:00<\/a><\/p>\n<p>Source Domain: <a href=\"thehackernews.com\">thehackernews.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points.<br \/>\n\ue804Ravie Lakshmanan\ue802Feb 02, 2026Vulnerability \/ Artificial Intelligence<br \/>\nA high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link.<br \/>\nThe issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a token exfiltration vulnerability that leads to full gateway compromise.<br \/>\n&#8220;The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload,&#8221; OpenClaw&#8217;s creator and maintainer Peter Steinberger said in an advisory.<\/p>\n<p>&#8220;Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim&#8217;s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE.&#8221;<\/p>\n<p>OpenClaw is an open-source autonomous artificial intelligence (AI) personal assistant that runs locally on user devices and integrates with a wide range of messaging platforms. Although initially released in November 2025, the project has gained rapid popularity in recent weeks, with its GitHub repository crossing 149,000 stars as of writing.<br \/>\n&#8220;OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use,&#8221; Steinberger said. &#8220;Unlike SaaS assistants where your data lives on someone else&#8217;s servers, OpenClaw runs where you choose \u2013 laptop, homelab, or VPS. Your infrastructure. Your keys. Your data.&#8221;<br \/>\nMav Levin, founding security researcher at depthfirst who is credited with discovering the shortcoming, said it can be exploited to create a one-click RCE exploit chain that takes only milliseconds after a victim visits a single malicious web page.<br \/>\nThe problem is that clicking on the link to that web page is enough to trigger a cross-site WebSocket hijacking attack because OpenClaw&#8217;s server doesn&#8217;t validate the WebSocket origin header. This causes the server to accept requests from any website, effectively getting around localhost network restrictions.<br \/>\nA malicious web page can take advantage of the issue to execute client-side JavaScript on the victim&#8217;s browser that can retrieve an authentication token, establish a WebSocket connection to the server, and use the stolen token to bypass authentication and log in to the victim&#8217;s OpenClaw instance.<br \/>\nTo make matters worse, by leveraging the token&#8217;s privileged operator.admin and operator.approvals scopes, the attacker can use the API to disable user confirmation by setting &#8220;exec.approvals.set&#8221; to &#8220;off&#8221; and escape the container used to run shell tools by setting &#8220;tools.exec.host&#8221; to &#8220;gateway.&#8221;<\/p>\n<p>&#8220;This forces the agent to run commands directly on the host machine, not inside a Docker container,&#8221; Levin said. &#8220;Finally, to achieve arbitrary command execution, the attacker JavaScript executes a node.invoke request.&#8221;<br \/>\nSteinberger noted in the advisory that &#8220;the vulnerability is exploitable even on instances configured to listen on loopback only, since the victim&#8217;s browser initiates the outbound connection.&#8221;<br \/>\n&#8220;It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. The attack works even when the gateway binds to loopback because the victim&#8217;s browser acts as the bridge.&#8221;<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link https:\/\/thehackernews.com\/2026\/02\/openclaw-bug-enables-one-click-remote.html Publish Date: 2026-02-02 11:28:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":183827,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEi4fXSwhiW0Eb2lGzmNue91AjKZ-c420l6qWRP0mQkVZWlxxe_Iq0MkDlUYw7GrvFfd2UqhpLGsSYc9H3-o33nWGXEUX_OPcTWpzn3lQNvZTVyzEx1CJw2r2UQMfkFdNiHJF4_x8mLAkOy7st09Siko8G8KTlPyNkVNeLDf2xTKVgCFLnumaeT4v7Q_f27J\/s1700-e365\/openclaw.jpg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[26,20,31,27],"class_list":["post-183826","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-ai","tag-artificial-intelligence","tag-exploit","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183826"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=183826"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183826\/revisions"}],"predecessor-version":[{"id":183828,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/183826\/revisions\/183828"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/183827"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=183826"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=183826"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=183826"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}