A high-severity security flaw in OpenClaw (formerly Clawdbot and Moltbot) could allow remote code execution through a crafted malicious link, with the issue tracked as CVE-2026-25253 (CVSS 8.8). The vulnerability has been fixed in version 2026.1.29, released on 30 January 2026, and is described as a token exfiltration flaw that leads to full gateway compromise.
The advisory explains that the Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload. A malicious page can exfiltrate the token, connect to the victim’s local gateway, and use privileged scopes to disable user confirmations and escape the container to achieve arbitrary command execution, effectively enabling 1-click RCE.
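To make the described weakness concrete from the defender's side, here is an added illustration (not OpenClaw's code) contrasting a UI that trusts `gatewayUrl` from the query string with one that only accepts loopback WebSocket endpoints and never auto-connects with a link-supplied value; the default URL and the function names are constructed for the example.

```javascript
// Added example, not OpenClaw's code. Demonstrates the root cause named in
// the advisory: a Control UI that takes gatewayUrl from the query string,
// trusts it, and auto-connects, sending the stored token to whatever host
// the link named. Constructed placeholder default (not the real port):
const DEFAULT_GATEWAY = "ws://127.0.0.1:8080/";

// Vulnerable pattern: the query-string value is used as-is, so a crafted
// link can point the auto-connect (and the token it carries) anywhere.
function pickGatewayUrlUnsafe(search, fallback = DEFAULT_GATEWAY) {
  const params = new URLSearchParams(search);
  return params.get("gatewayUrl") || fallback;
}

// Hardened pattern: accept only ws:/wss: URLs whose host is loopback, and
// treat any link-supplied value as untrusted by disabling auto-connect so
// the token is only sent after an explicit user action.
const LOOPBACK_HOSTS = new Set(["127.0.0.1", "localhost", "[::1]"]);

function pickGatewayUrlSafe(search, fallback = DEFAULT_GATEWAY) {
  const params = new URLSearchParams(search);
  const candidate = params.get("gatewayUrl");
  if (candidate === null) {
    // Nothing in the link: use the saved/default gateway as before.
    return { url: fallback, autoConnect: true, reason: "default" };
  }
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return { url: fallback, autoConnect: false, reason: "unparseable" };
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
    return { url: fallback, autoConnect: false, reason: "bad-scheme" };
  }
  if (!LOOPBACK_HOSTS.has(parsed.hostname)) {
    // Remote host: never send the local gateway token there.
    return { url: fallback, autoConnect: false, reason: "non-loopback" };
  }
  // Loopback, but it came from the link: keep it, require user confirmation.
  return { url: parsed.href, autoConnect: false, reason: "loopback-from-link" };
}
```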
OpenClaw is a local AI assistant that runs on users’ devices and integrates with various messaging platforms, with its GitHub repository having attracted substantial interest since its November 2025 release. According to OpenClaw's creator and maintainer Peter Steinberger, these defenses were not designed to protect against prompt injection and do not limit the blast radius in this scenario.