CVE-2026-25253
published 2026-02-01


Priority: P2 (79)
Severity: high, 8.8 (CVSS 3.1)
CVSS vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
In the wild: exploited (VulnCheck KEV)
EPSS: 8.02% (94.0th percentile)
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.

Affected

2 ranges

Vendor     Product     Version range        Fixed in
clawdbot   clawdbot    >= 0, < 2026.1.29    2026.1.29
openclaw   openclaw    < 2026.1.29          2026.1.29

Detection & IOCs (extracted from sources)

domain: api.openclaw.com
domain: clawhub.ai
port: 18792/TCP
other: AMOS credential stealer
  • Detect CVE-2026-25253 exploitation by monitoring for WebSocket connections initiated by the OpenClaw Control UI that include a user-controlled 'gatewayUrl' parameter sourced from the query string, potentially transmitting stored gateway authentication tokens to attacker-controlled endpoints.
  • Detect active OpenClaw runtime by identifying node.exe listening on TCP port 18792; this indicates the agent is running and potentially reachable for exploitation.
  • Monitor for download or execution of OpenClaw installer file types (.ps1, .sh, Docker files) from messaging apps such as Telegram, Slack, Discord, or WhatsApp, which are used as delivery vectors.
  • Alert on OpenClaw skill files making outbound connections to C2 servers or using evasive channels such as SSH tunnels or DNS-over-HTTPS (DoH) tunnels.
  • Identify CVE-2026-25253 one-click RCE exploitation attempts: malicious links that steal authentication tokens and trigger remote code execution without requiring skill installation.
  • Detect authentication bypass attempts against OpenClaw gateway when deployed behind reverse proxies (e.g., Nginx): monitor for external connections exploiting localhost trust logic to bypass login protections.
  • Hunt for sensitive data exposure: OpenClaw stores authentication tokens (API keys), user profiles, and memories in plaintext Markdown and JSON files on disk; monitor for unauthorized access to these file types in OpenClaw installation directories.
  • Skills (plugins) execute with full agent and system permissions by default; no sandboxing is enforced unless explicitly enabled, allowing malicious skills unrestricted access to credentials, files, and network resources.
  • Many users misconfigure OpenClaw, leaving the Control web interface publicly accessible on the internet without password protection.
  • The ClawHub skills marketplace has no formal review, signing, or capability declaration required for publication, enabling trivial supply chain poisoning.
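The first detection item above (a Control UI request carrying a user-controlled gatewayUrl in the query string, which the vulnerable versions then follow with a token-bearing WebSocket connection) can be checked against reverse-proxy access logs. The code below is an added example written for this record, not OpenClaw's or this database's own code. The access-log format, the sample log lines, the hostnames in them and the LOCAL_HOSTS allowlist are constructed assumptions; only the parameter name gatewayUrl comes from the record.

```python
"""Flag Control UI requests whose gatewayUrl query parameter points off-host.

Added example for this CVE record, not OpenClaw's own code. The log format,
sample lines and the LOCAL_HOSTS allowlist are constructed assumptions.
"""
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlparse

# Hosts a locally served Control UI would legitimately connect to.
# Assumption for this example: any other host is treated as off-host.
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}

# nginx-style combined access log line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)


def is_local_host(host):
    """True for loopback names/addresses that a local gateway would use."""
    if host in LOCAL_HOSTS:
        return True
    try:
        return ip_address(host).is_loopback
    except ValueError:
        return False


def inspect_url(url):
    """Return a finding dict if the URL carries a gatewayUrl parameter, else None."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query, keep_blank_values=True)  # values are URL-decoded here
    values = params.get("gatewayUrl")
    if not values:
        return None
    gateway = values[0]
    target = urlparse(gateway)
    host = target.hostname or ""
    websocket_scheme = target.scheme in ("ws", "wss")
    off_host = not is_local_host(host)
    return {
        "gateway_url": gateway,
        "target_host": host,
        "websocket_scheme": websocket_scheme,
        "off_host": off_host,
        # A WebSocket gateway on a non-loopback host is the pattern worth alerting on.
        "severity": "high" if (websocket_scheme and off_host) else "info",
    }


def scan_log(lines):
    """Run inspect_url over each parseable access-log line; collect findings."""
    findings = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue
        # Access logs record a relative path; prepend a dummy base so urlparse
        # exposes the query string. The base host is a placeholder.
        finding = inspect_url("http://control-ui.placeholder" + match.group("path"))
        if finding:
            finding["src"] = match.group("src")
            finding["ts"] = match.group("ts")
            findings.append(finding)
    return findings


# Constructed sample lines: one local gateway, one off-host gateway, one unrelated request.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Feb/2026:10:00:01 +0000] "GET /?gatewayUrl=ws%3A%2F%2F127.0.0.1%3A18792 HTTP/1.1" 200',
    '10.0.0.5 - - [01/Feb/2026:10:00:09 +0000] "GET /?gatewayUrl=wss%3A%2F%2Fgateway.example.invalid%3A443%2Fws HTTP/1.1" 200',
    '10.0.0.7 - - [01/Feb/2026:10:01:00 +0000] "GET /static/app.js HTTP/1.1" 200',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} severity={f['severity']} gatewayUrl={f['gateway_url']}")
```

The allowlist is deliberately narrow: a gatewayUrl naming the local gateway port is normal for a self-hosted install, so it is reported at informational level, while any ws:// or wss:// target on a non-loopback host is raised to high. Adjust LOCAL_HOSTS to include any internal gateway hosts that are legitimate in your deployment before using the result for alerting.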

CVSS provenance

nvd: v3.1, 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
vulncheck: 8.8 HIGH