OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link

A critical security vulnerability has been discovered in the open-source AI assistant OpenClaw that could allow attackers to execute malicious commands on a victim’s system simply by tricking them into clicking a crafted link.

The flaw, tracked as CVE-2026-25253, carries a CVSS severity score of 8.8, indicating a high-risk threat capable of enabling full system compromise.

How the Vulnerability Works

Security researchers found that OpenClaw’s Control UI automatically trusts a parameter called gatewayUrl supplied through a URL query string. When a user visits a malicious link, the system may automatically connect to a remote server and transmit a stored authentication token.

According to project creator Peter Steinberger, this behavior allows attackers to intercept the gateway token used to control the local OpenClaw instance.

Once the token is captured, the attacker can connect to the victim’s AI agent gateway and gain privileged control over the system.

One-Click Attack Chain

The vulnerability enables what researchers describe as a one-click remote code execution (RCE) exploit. The attack occurs in several steps:

  1. A victim clicks or visits a malicious webpage containing crafted code.
  2. The page retrieves the OpenClaw authentication token via browser-based scripts.
  3. The attacker establishes a WebSocket connection with the victim’s AI gateway.
  4. Using the stolen token, the attacker bypasses authentication and gains administrative privileges.
  5. The attacker modifies configuration settings and runs arbitrary commands on the host machine.

The flaw exists partly because the OpenClaw server fails to validate the WebSocket origin header, allowing requests from any website to interact with the local gateway service.
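One way to guard against both weaknesses described above, written as an added example that is not OpenClaw's code or its actual patch: the gateway checks the WebSocket `Origin` header against an allowlist, and the UI refuses to send the stored token to a `gatewayUrl` taken from the query string unless it matches the gateway already configured. The function names, port and URLs are hypothetical.

```javascript
// Added example; not OpenClaw's code. Names, ports and URLs are constructed.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000", "http://127.0.0.1:3000"]);

// Gateway side: allow a WebSocket upgrade only from an allowlisted Origin.
// Browsers set Origin on the handshake and page scripts cannot change it.
function isTrustedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  // Policy assumed here: a missing or opaque ("null") Origin is rejected.
  if (typeof originHeader !== "string" || originHeader === "null") return false;
  try {
    // Exact match on the normalized scheme://host:port, never a substring test.
    return allowed.has(new URL(originHeader).origin);
  } catch {
    return false; // not a parseable origin
  }
}

// UI side: gatewayUrl from the query string is untrusted input.
function resolveGateway(pageUrl, savedGatewayUrl) {
  const keepSaved = { url: savedGatewayUrl, sendToken: true, needsConfirmation: false };
  const requested = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (!requested) return keepSaved;
  let target;
  try {
    target = new URL(requested);
  } catch {
    return keepSaved; // unparseable value is ignored
  }
  if (target.protocol !== "ws:" && target.protocol !== "wss:") return keepSaved;
  // Same endpoint the user already configured: the stored token may be reused.
  if (target.href === new URL(savedGatewayUrl).href) return keepSaved;
  // Different endpoint: do not auto-connect and do not send the stored token.
  return { url: target.href, sendToken: false, needsConfirmation: true };
}
```

The Origin check stops a page on another site from driving the local gateway through the victim's browser, and the `gatewayUrl` check keeps the token from being sent to an endpoint the user never configured.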

Bypassing Safety Controls

The vulnerability also allows attackers to disable security safeguards designed to limit AI agent behavior.

Researcher Mav Levin explained that an attacker could modify settings to bypass approval prompts and force OpenClaw to run commands directly on the host device rather than inside a sandbox container.

This is done by altering configuration parameters such as:

  • Disabling command approval checks
  • Changing execution settings from containerized environments to host execution

Once these changes are applied, the attacker can run system-level commands on the victim’s computer.

Loopback Protection Does Not Prevent the Attack

Even systems configured to run OpenClaw locally on loopback addresses (localhost) remain vulnerable. Because the attack originates through the victim’s browser, the browser effectively acts as a bridge between the malicious website and the local OpenClaw gateway.

This bypass allows attackers to interact with local services that would normally be inaccessible from the internet.

Patch Released to Fix the Issue

The vulnerability has been fixed in OpenClaw version 2026.1.29, released on January 30, 2026. Users are strongly advised to update immediately to avoid potential exploitation.

Since its launch in late 2025, OpenClaw has grown rapidly in popularity, with its repository on GitHub attracting more than 149,000 stars from developers.

The platform allows users to run an autonomous AI assistant locally on their own devices, integrating with messaging apps and performing automated tasks.

Security Recommendations

To reduce exposure to the vulnerability, experts recommend that OpenClaw users:

  • Upgrade to the latest patched version immediately
  • Avoid clicking suspicious links while logged into the Control UI
  • Restrict access to the OpenClaw gateway interface
  • Monitor system activity for unauthorized configuration changes

As AI agents increasingly gain system-level access to automate tasks, cybersecurity experts warn that securing these platforms is becoming a critical priority for both individuals and organizations.

Copyright © 2023 Cyber Reports Cyber Security News All Rights Reserved Website by Top Search SEO