CVE-2026-25253
Published: 2026-02-01
Priority: P2 79 high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
Tags: ITW, EXPLOIT, VulnCheck KEV
Exploited in the wild
EPSS: 8.02% (94.0th percentile)
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| clawdbot | clawdbot | >= 0 < 2026.1.29 | 2026.1.29 |
| openclaw | openclaw | < 2026.1.29 | 2026.1.29 |
Detection & IOCs (extracted from sources)
- Detect CVE-2026-25253 exploitation by monitoring for WebSocket connections initiated by the OpenClaw Control UI that include a user-controlled 'gatewayUrl' parameter sourced from the query string, potentially transmitting stored gateway authentication tokens to attacker-controlled endpoints.
- Detect active OpenClaw runtime by identifying node.exe listening on TCP port 18792; this indicates the agent is running and potentially reachable for exploitation.
- Monitor for download or execution of OpenClaw installer file types (.ps1, .sh, Docker files) from messaging apps such as Telegram, Slack, Discord, or WhatsApp, which are used as delivery vectors.
- Alert on OpenClaw skill files making outbound connections to C2 servers or using evasive channels such as SSH tunnels or DNS-over-HTTPS (DoH) tunnels.
- Identify CVE-2026-25253 one-click RCE exploitation attempts: malicious links that steal authentication tokens and trigger remote code execution without requiring skill installation.
- Detect authentication bypass attempts against OpenClaw gateway when deployed behind reverse proxies (e.g., Nginx): monitor for external connections exploiting localhost trust logic to bypass login protections.
- Hunt for sensitive data exposure: OpenClaw stores authentication tokens (API keys), user profiles, and memories in plaintext Markdown and JSON files on disk; monitor for unauthorized access to these file types in OpenClaw installation directories.
- Skills (plugins) execute with full agent and system permissions by default; no sandboxing is enforced unless explicitly enabled, allowing malicious skills unrestricted access to credentials, files, and network resources.
- Many users misconfigure OpenClaw, leaving the Control web interface publicly accessible on the internet without password protection.
- The ClawHub skills marketplace has no formal review, signing, or capability declaration required for publication, enabling trivial supply chain poisoning.
CVSS provenance
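| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| vulncheck | | 8.8 | HIGH | |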
OSV
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
osv·2026-02-02
CVE-2026-25253 [HIGH] OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
## Summary
The Control UI trusts `gatewayUrl` from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload.
Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim's local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE. This vulnerability is exploitable even on instances configured to listen on loopback only, since the victim's browser initiates the outbound connection.
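The check whose absence the summary describes, as an added example rather than OpenClaw's actual fix: a query-string `gatewayUrl` is parsed, and the stored token is only sent when the endpoint matches the gateway the user already configured; anything else is rejected or held for explicit confirmation. All function and field names are hypothetical, and the hosts and port in the sample inputs are constructed.

```javascript
// Added illustration; function and field names are hypothetical, not OpenClaw's.
// Parse a gateway URL; only ws:/wss: without embedded credentials is accepted.
function parseGatewayUrl(raw) {
  let url;
  try { url = new URL(raw); } catch (err) { return null; }
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return null;
  if (url.username !== "" || url.password !== "") return null;
  return url;
}

// Scheme + host + port identify the endpoint the stored token was issued for.
function endpointOf(url) {
  return `${url.protocol}//${url.host}`;
}

// Decide what the UI does on load. `pageHref` is the page URL (untrusted query
// string included); `savedGateway` is the gateway the user configured earlier.
function decideGatewayConnection(pageHref, savedGateway) {
  const saved = parseGatewayUrl(savedGateway);
  const requested = new URL(pageHref).searchParams.get("gatewayUrl");
  if (requested === null) {
    return saved
      ? { action: "connect", url: saved.href, sendToken: true }
      : { action: "prompt", url: null, sendToken: false };
  }
  const candidate = parseGatewayUrl(requested);
  if (candidate === null) {
    return { action: "reject", url: null, sendToken: false };
  }
  if (saved && endpointOf(candidate) === endpointOf(saved)) {
    return { action: "connect", url: candidate.href, sendToken: true };
  }
  // Different endpoint: never auto-connect and never attach the stored token.
  return { action: "prompt", url: candidate.href, sendToken: false };
}

// Constructed sample inputs (hosts and port are placeholders).
const SAVED = "ws://127.0.0.1:9000/";
const samples = [
  "http://127.0.0.1:9000/ui/",
  "http://127.0.0.1:9000/ui/?gatewayUrl=ws%3A%2F%2F127.0.0.1%3A9000%2F",
  "http://127.0.0.1:9000/ui/?gatewayUrl=wss%3A%2F%2Funtrusted.example%2Fws",
  "http://127.0.0.1:9000/ui/?gatewayUrl=https%3A%2F%2Funtrusted.example%2F",
];
for (const href of samples) {
  console.log(href, "->", JSON.stringify(decideGatewayConnection(href, SAVED)));
}
```

The same `decideGatewayConnection` logic can be run over proxy or browser-history URLs during a hunt: any Control UI URL that yields `prompt` or `reject` carried a `gatewayUrl` that did not match the configured gateway.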
## Details
The root cause is the lack of validation for `gatewayUrl` combined with auto‑connect behavior on page
GHSA
OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
ghsa·2026-02-02
CVE-2026-25253 [HIGH] CWE-668 OpenClaw/Clawdbot has 1-Click RCE via Authentication Token Exfiltration From gatewayUrl
VulnCheck
openclaw openclaw Incorrect Resource Transfer Between Spheres
vulncheck·2026·CVSS 8.8
CVE-2026-25253 [HIGH] openclaw openclaw Incorrect Resource Transfer Between Spheres
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Affected: openclaw openclaw
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://flare.io/learn/resources/blog/widespread-openclaw-exploitation
Exploit PoC: https://vulncheck.com/xdb/c903b2fa7c05; https://vulncheck.com/xdb/6fe9b6100431
No detection rules found.
No public exploits indexed.
Securelist
Exploits and vulnerabilities in Q1 2026
blogs_securelist·2026-05-07·CVSS 7.8
CVE-2026-21519 [HIGH] Exploits and vulnerabilities in Q1 2026
Alexander Kolesnikov
During Q1 2026, the exploit kits leveraged by threat actors to target user systems expanded once again, incorporating new exploits for the Microsoft Off
Qualys
Anatomy of an Autonomous AI Agent Risk: How Qualys ETM Connects the Dots on OpenClaw
blogs_qualys·2026-04-13
## Executive Summary
An unauthorized OpenClaw AI agent was detected disguised as a routine package on a Windows Server host. The situation escalated into a priority incident when Qualys ETM analyzed and correlated four distinct signals. While none of these signals alone warranted urgent action, the combination of endpoint, exposure, and identity telemetry indicated an activ
Zscaler
Taming Agentic Threats: Zscaler Visibility and Guardrails to Mitigate OpenClaw | Zscaler
blogs_zscaler·2026-03-11
Bleepingcomputer
The OpenClaw Hype: Analysis of Chatter from Open-Source Deep and Dark Web
blogs_bleepingcomputer·2026-02-25
## Flare
OpenClaw started as a side project of a developer who wanted to make his (and others') life easier with AI assistance: clean the mailbox, control the schedule, organize thoughts and hear some music while his bot does all the dirty jobs for him.
Peter Steinberger developed OpenClaw with vibe coding. Kudos for that. But since then, apart from changing its name twice, it has created massive chatter around two topics: the AI hype and its cyber security implications.
This project has rapidly moved from a niche automation framework discussed in developer communities to a topic appearing across security research feeds, Telegram channels, forums, and underground-adjacent chatter. Alongside it, names like ClawDBot and
Tenable
Clawdbot: How to Mitigate Agentic AI Security Vulnerabilities
blogs_tenable·2026-02-03
Wiz
CVE-2026-25253 Impact, Exploitability, and Mitigation Steps | Wiz
blogs_wiz·CVSS 8.8
CVE-2026-25253 [HIGH] CVE-2026-25253 Impact, Exploitability, and Mitigation Steps | Wiz
## CVE-2026-25253:
Homebrew vulnerability analysis and mitigation
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Source: NVD
| Field | Value |
|---|---|
| Score | 8.8 |
| Published | February 1, 2026 |
| Severity | HIGH |
| CNA Score | 8.8 |
| Affected Technologies | Homebrew; OpenClaw (formerly Moltbot or Clawdbot) |
| Has Public Exploit | Yes |
| Has CISA KEV Exploit | No |
| CISA KEV Release Date | N/A |
| CISA KEV Due Date | N/A |
| Exploitation Probability Percentile (EPSS) | 23.6 |
| Exploitation Probability (EPSS) | 0.1 |
Affected packages and libraries
openclaw
clawdbot
Sources
NVD
npm Severity HIGH Has Fix Added at: Feb 03, 2026
Homebrew Severity HIGH Has Fix Added at: Feb 15, 2026
arXiv
Uncovering Security Threats and Architecting Defenses in Autonomous Agents: A Case Study of OpenClaw
arxiv_fulltext·2026-03-13
Authors: Zonghao Ying (buaa), Xiao Yang (buaa), Siyang Wu (zgc), Yumeng Song (buaa), Yang Qu (buaa), Hainan Li (hf), Tianlin Li (buaa), Jiakai Wang (zgc), Aishan Liu (buaa), Xianglong Liu (buaa, zgc)
Affiliations: buaa: State Key Laboratory of Complex & Critical Software Environment, Beihang University; zgc: Zhongguancun Laboratory; hf: Hefei Comprehensive National Science Center Institute of Dataspace
Keywords: Machine Learning, ICML
## Abstract
The rapid evolution of Large Language Models (LLMs) into autonomous, tool-calling agents has fundamentally altered the cybersecurity landscape. Frameworks like OpenClaw grant AI systems operating-system-level permissions and the autonomy to execute compl
arXiv
Security Considerations for Artificial Intelligence Agents
arxiv_fulltext·2026-03-12
## Abstract
This article, a lightly adapted version of Perplexity's response to NIST/CAISI Request for Information 2025-0035, details our observations and recommendations concerning the security of frontier AI agents. These insights are informed by Perplexity's experience operating general-purpose agentic systems used by millions of users and thousands of enterprises in both controlled and open-world environments. Agent architectures change core assumptions around code-data separation, authority boundaries, and execution predictability, creating new confidentiality, integrity, and availability failure modes. We map principal attack surfaces across tools, connectors, hosting boundaries, and multi-agent coordination, with particular emphasis on indirect prompt injection, confused-deputy b
arXiv
A Survey for Deep Reinforcement Learning Based Network Intrusion Detection
arxiv_fulltext·2026-03-02
Authors: Wanrong Yang, Alberto Acuto, Yihang Zhou, Dominik Wojtczak
This work was supported by the Engineering and Physical Sciences Research Council (EPSRC), through grants number EP/X017796/1 and EP/X03688X/1. We would like to express our sincere appreciation for research support from Centre for Doctoral Training (CDT) in Distributed Algorithm, University of Liverpool. Specifically, many thanks for all the help from Prof Simon Maskell, Kelli Cassidy, Elizabeth Gannon and Big hypotheses group. Thanks to Qingyuan Wu for kind and practical suggestions on the manuscript. In the end, we would like to
arXiv
Formal Analysis and Supply Chain Security for Agentic AI Skills
arxiv_fulltext·2026-02-27·CVSS 8.8
CVE-2026-25253 [HIGH] Formal Analysis and Supply Chain Security for Agentic AI Skills
## Introduction
On January 27, 2026, security researchers at Ethiack disclosed CVE-2026-25253, a remote code execution vulnerability in the OpenClaw agent skill runtime, the first Common Vulnerabilities and Exposures identifier assigned to an agentic AI system. Within days, the ClawHavoc campaign exploited this and related weaknesses to infiltrate over 1,200 malicious skills into the OpenClaw marketplace, deploying the AMOS credential stealer to developer workstations. Concurrently, MalTool benchmarked 6,487 malicious tools targeting LLM-based agents, demonstrating that VirusTotal fails to detect the majority of agent-targeted malware. A large-scale empirical analysis of 42,447 agent skills found that 26.1% exhibit at least one security vulnerability.
These incidents are not isolated
References
- https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
- https://ethiack.com/news/blog/one-click-rce-moltbot
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
- https://openclaw.ai/blog
- https://x.com/0xacb/status/2016913750557651228