CVE-2026-25253: OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload.
Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE. This vulnerability is exploitable even on instances configured to listen on loopback only, since the victim’s browser initiates the outbound connection.
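The root cause described above is that the Control UI accepts gatewayUrl from the query string as-is and attaches the stored token to the connect payload. The following is an added example, not OpenClaw's or GitLab's code, of the check a defender would put in front of that auto-connect: the token is released only to the origin that served the UI (or a loopback alias on the same port) over a WebSocket scheme no weaker than the page's own. Function names, the port and host values are assumptions.

```javascript
// Added example, not OpenClaw's own code. Decides whether a gatewayUrl taken
// from the Control UI query string may be auto-connected to. The flaw in
// CVE-2026-25253 is that the parameter is trusted as-is, so the stored token
// is sent to whatever host it names. Rule applied here: the token only goes to
// the origin that served the UI (or a loopback alias of it on the same port),
// over a WebSocket scheme no weaker than the page's own. Names are hypothetical.

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Returns the URL to connect to, or null when auto-connect must be refused.
function resolveGatewayUrl(queryString, pageOrigin) {
  const page = new URL(pageOrigin);
  const wsScheme = page.protocol === "https:" ? "wss:" : "ws:";
  const raw = new URLSearchParams(queryString).get("gatewayUrl");
  // No override supplied: talk to the gateway that served the UI.
  if (raw === null) return `${wsScheme}//${page.host}/`;

  let candidate;
  try {
    candidate = new URL(raw);
  } catch {
    return null; // unparsable: refuse rather than guess
  }
  if (candidate.protocol !== "ws:" && candidate.protocol !== "wss:") return null;
  if (candidate.username || candidate.password) return null; // no embedded credentials
  // An https-served UI must never push the token over cleartext ws:.
  if (page.protocol === "https:" && candidate.protocol !== "wss:") return null;

  const sameHost = candidate.host === page.host;
  const loopbackAlias =
    LOOPBACK_HOSTS.has(candidate.hostname) &&
    LOOPBACK_HOSTS.has(page.hostname) &&
    candidate.port === page.port;
  if (!sameHost && !loopbackAlias) return null;

  // Drop query and fragment so nothing else from the link rides along.
  return `${candidate.protocol}//${candidate.host}${candidate.pathname}`;
}

// The stored token is attached only when the URL passed the check, so a
// refused gatewayUrl never sees the credential.
function planAutoConnect(queryString, pageOrigin, storedToken) {
  const url = resolveGatewayUrl(queryString, pageOrigin);
  if (url === null) return { connect: false, reason: "gatewayUrl rejected; token withheld" };
  return { connect: true, url, token: storedToken };
}
```

A UI served from a loopback origin still refuses an external gatewayUrl, which is the case the advisory calls out as exploitable when the gateway itself only listens on loopback.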