securityonline.info 2/2/2026, 9:35:42 AM

One Click to “God Mode”: The Critical OpenClaw Flaw That Handed Attackers Your Master Keys

On 2 February 2026, security site coverage highlights OpenClaw (formerly Moltbot and ClawdBot), an open-source AI utility whose rising popularity has exposed a high-severity flaw that could let an attacker exfiltrate a target's OpenClaw instance token and seize near-absolute administrative control.

According to CVE Watchtower, the vulnerability stems from the UI failing to validate or sanitise query strings in the gateway URL, causing the system to transmit the stored gateway token in the WebSocket payload upon connection.

By luring a target to click a crafted link or visit a deceptive phishing portal, an attacker can siphon the token to their server and interface with the target’s local gateway, enabling unauthorised configuration changes and, ultimately, Remote Code Execution even if the instance only listens on loopback.
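
As an added illustration, not OpenClaw's own code (the `gateway` query parameter name, the port and the loopback allowlist are assumptions), this is the kind of client-side check that closes the bug described above: a gateway URL taken from the query string is only honoured, and the stored token only attached, when it parses as a WebSocket URL to a loopback host with no embedded credentials.

```javascript
// Illustrative hardening example (assumed names, not OpenClaw's code): decide
// whether a gateway URL supplied via the page's query string may receive the
// stored gateway token. Only loopback WebSocket destinations are allowed.

// Hostnames that resolve to the local machine (assumed allowlist).
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Return true only if `raw` is a well-formed ws:/wss: URL pointing at loopback
// and carrying no userinfo. External hosts, other schemes, "host@evil" tricks
// and unparsable text are all rejected, so a crafted link cannot redirect the
// token to an attacker-controlled server.
function isAllowedGatewayUrl(raw) {
  let url;
  try {
    url = new URL(raw);           // WHATWG URL parser, available in Node and browsers
  } catch {
    return false;                 // not a URL at all
  }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return false;
  if (url.username !== "" || url.password !== "") return false;
  return LOOPBACK_HOSTS.has(url.hostname);
}

// Resolve the gateway to connect to: honour `?gateway=` (assumed parameter
// name) only when it passes the allowlist, otherwise use the configured default.
function resolveGatewayUrl(search, defaultUrl) {
  const candidate = new URLSearchParams(search).get("gateway");
  if (candidate !== null && isAllowedGatewayUrl(candidate)) {
    return candidate;
  }
  return defaultUrl;
}

// Build the first WebSocket message; the token is attached only after the
// destination has passed the same check, so a bypass elsewhere still fails here.
function buildHelloPayload(gatewayUrl, token) {
  if (!isAllowedGatewayUrl(gatewayUrl)) {
    throw new Error("refusing to send gateway token to a non-loopback origin");
  }
  return JSON.stringify({ type: "hello", token });
}

// Constructed sample: a phishing-style link tries to point the client elsewhere.
const DEFAULT_GATEWAY = "ws://127.0.0.1:8080";   // assumed default, port is illustrative
const chosen = resolveGatewayUrl("?gateway=wss%3A%2F%2Fattacker.example%2Fws", DEFAULT_GATEWAY);
console.log(chosen);                              // falls back to ws://127.0.0.1:8080
```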

The report notes that many users grant OpenClaw broad permissions, including SSH credentials, which magnifies the risk of compromise, and that a patch released in v2026.1.29 and later mitigates the issue, with users on v2026.1.28 or older urged to upgrade immediately. According to the article, the broader lesson is that minimising privileges remains essential to limit potential damage from such exploits.

Article by CyberSIXT
