GHSA-r2c6-8jc8-g32w: Duplicate Advisory: 1-Click RCE via Authentication Token Exfiltration From gatewayUrl

February 2, 2026

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-g8p2-7wf7-98mq. This link is maintained to preserve external references.

Original Description

OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.

References

depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
github.com/advisories/GHSA-r2c6-8jc8-g32w
github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
nvd.nist.gov/vuln/detail/CVE-2026-25253
openclaw.ai/blog

Code Behaviors & Features

Detect and mitigate GHSA-r2c6-8jc8-g32w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →