OpenClaw, also known as Moltbot and Clawdbot, is a self-hosted AI assistant that can autonomously run terminal commands, manage file systems and orchestrate workflows. Researchers at security firm DepthFirst found a vulnerability, tracked as CVE-2026-25253, that could allow an attacker to steal a user’s authentication token and connect to the victim’s OpenClaw instance.
The issue, a token exfiltration flow that could lead to full gateway compromise, was patched in recent days with the release of version 2026.1.29. An attack only requires tricking the target into visiting a malicious website, where JavaScript running in the browser steals the token and sends it to the attacker, who can then use it to access the gateway API and execute arbitrary commands.
The advisory notes that the attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host. SecurityWeek reported the vulnerability on 3 February 2026 in an article by Eduard Kovacs headlined "Vulnerability Allows Hackers to Hijack OpenClaw AI Assistant".