
OpenClaw RCE Vulnerability (CVE-2026-25253): One-Click Attack & Fix

Written by Pratik Surendra Bhosale | Mar 18, 2026 9:39:01 AM

What Did Security Researchers Discover in the OpenClaw Vulnerability?

In late January 2026, security researchers discovered a critical flaw in OpenClaw (CVE-2026-25253), a popular open-source AI personal assistant trusted by over 100,000 developers.

The vulnerability allows a remote attacker to fully compromise a victim’s machine with a single mouse click just by getting them to visit a malicious webpage.

The flaw stems from the OpenClaw Control UI blindly trusting a URL parameter (gatewayUrl) and automatically connecting to it, leaking the user’s authentication token to an attacker in the process.

By the time public disclosure occurred on February 3, 2026, over 40,000 OpenClaw instances had been found exposed on the internet, with 63% assessed as vulnerable to remote exploitation.

OpenClaw Vulnerability Explained: Technical Breakdown of the Attack

What Is OpenClaw?

OpenClaw is a self-hosted AI assistant that runs on your computer and can take actions on your behalf like reading messages, managing email, browsing the web, and running terminal commands.

It connects to apps like WhatsApp, Slack, Telegram, and Discord. Because it can run system commands, it often holds very broad permissions (sometimes called “god mode”).

What Is the Core Security Flaw in OpenClaw?

The OpenClaw Control UI took the gatewayUrl parameter from the page's URL without validating it. It then automatically connected to that address and handed over the user's login token without asking the user for permission.
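To make the flaw concrete, here is an added example (not OpenClaw's own code) of the two ways a browser Control UI can treat a gatewayUrl query parameter: the vulnerable form trusts the value verbatim, as described above, while the hardened form checks scheme and host against an allowlist and never auto-connects to a non-default gateway. The default gateway address and the allowlist are assumptions for the example; only the port 18789 comes from the post.

```javascript
// Added example, not OpenClaw's code: vulnerable vs hardened handling of the
// gatewayUrl query parameter in a Control UI.

// Assumed defaults: gateway on localhost, port 18789 (the port named in the post).
const DEFAULT_GATEWAY = "ws://127.0.0.1:18789/";
const ALLOWED_GATEWAY_HOSTS = new Set(["127.0.0.1", "localhost"]);

// Vulnerable pattern: whatever the page URL says becomes the gateway, and the
// token would be sent to it on connect.
function resolveGatewayUrlVulnerable(search) {
  const params = new URLSearchParams(search);
  return params.get("gatewayUrl") || DEFAULT_GATEWAY;
}

// Hardened pattern: returns { url, needsConfirm } or { url: null, reason }.
// url === null means "do not connect and do not send the token".
function resolveGatewayUrlHardened(search) {
  const params = new URLSearchParams(search);
  const raw = params.get("gatewayUrl");
  if (raw === null) return { url: DEFAULT_GATEWAY, needsConfirm: false };

  let parsed;
  try {
    parsed = new URL(raw); // throws on relative or malformed values
  } catch (_) {
    return { url: null, reason: "unparseable gatewayUrl" };
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
    return { url: null, reason: "gatewayUrl must be ws:// or wss://" };
  }
  if (!ALLOWED_GATEWAY_HOSTS.has(parsed.hostname)) {
    return { url: null, reason: "gateway host not allowlisted" };
  }
  // An allowlisted but non-default gateway is only used after the user
  // explicitly confirms; the UI must never auto-connect on a URL parameter.
  return { url: parsed.href, needsConfirm: parsed.href !== DEFAULT_GATEWAY };
}
```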

How Does the OpenClaw One-Click RCE Attack Work?

  • The attacker sends a crafted malicious link (via email, chat, social media).
  • The victim clicks it, and their browser opens a webpage controlled by the attacker.
  • The malicious page contains JavaScript that silently triggers OpenClaw’s Control UI.
  • The app automatically connects and sends the user’s authentication token to the attacker’s server.
  • The attacker uses the stolen token to open a direct WebSocket connection to the victim’s local OpenClaw instance, bypassing firewall and localhost protections.
  • Using admin-level API access, the attacker turns off user confirmation prompts (exec.approvals.set: off) and escapes any container sandbox.
  • The attacker runs arbitrary commands on the victim’s machine, achieving complete Remote Code Execution (RCE) in milliseconds.

Why Localhost Wasn’t Safe

  • Many users assumed running OpenClaw on localhost (their own machine, not the internet) kept them safe.
  • This was wrong. Browsers enforce the same-origin policy on ordinary HTTP requests, but NOT on WebSocket connections.
  • OpenClaw’s server never checked where WebSocket requests were coming from, so any website could connect to it through the victim’s own browser.
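The missing check is easy to add on the server side. The following is an added example, not OpenClaw's code: browsers always attach an Origin header to a WebSocket handshake, so a local gateway can refuse handshakes from any page that is not its own Control UI, and a Host check catches DNS-rebinding pages as well. The host and origin values are assumed for the example, based on the default port 18789 named in the post.

```javascript
// Added example, not OpenClaw's code: Origin and Host validation for a local
// WebSocket gateway, the control the post says was absent.

const EXPECTED_HOSTS = new Set(["127.0.0.1:18789", "localhost:18789"]);
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:18789", "http://localhost:18789"]);

// headers: lower-cased header names, as Node's http.IncomingMessage.headers
// provides them. Returns { allow: true, browser } or { allow: false, status, reason }.
function checkWebSocketUpgrade(headers) {
  // Host check: a DNS-rebinding page reaches 127.0.0.1 with a foreign Host header.
  const host = headers["host"];
  if (!host || !EXPECTED_HOSTS.has(host.toLowerCase())) {
    return { allow: false, status: 421, reason: "unexpected Host" };
  }
  const origin = headers["origin"];
  if (origin === undefined) {
    // No Origin means a non-browser client (CLI, script). The handshake may
    // proceed, but the bearer token still has to be presented afterwards.
    return { allow: true, browser: false };
  }
  // Note: sandboxed pages send the literal string "null", which also fails here.
  if (!ALLOWED_ORIGINS.has(origin.toLowerCase())) {
    return { allow: false, status: 403, reason: "cross-origin WebSocket rejected" };
  }
  return { allow: true, browser: true };
}

// Wiring with Node's built-in http server (assumed deployment, no library):
//   server.on("upgrade", (req, socket) => {
//     const v = checkWebSocketUpgrade(req.headers);
//     if (!v.allow) { socket.end(`HTTP/1.1 ${v.status} ${v.reason}\r\n\r\n`); return; }
//     // ...complete the WebSocket handshake, then require the token...
//   });
```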

Risks of the OpenClaw RCE Vulnerability

Technical Risks

  • Full Remote Code Execution – Attackers run any command on your machine.
  • Credential Theft – OpenClaw integrates with email, messaging, and cloud services; all linked credentials are at risk.
  • Sandbox Escape – Even containerized setups can be bypassed via the API.
  • Persistent Backdoor – Attackers can install malware or maintain persistent access.
  • Prompt Injection Risk – Separately, attackers can also plant hidden instructions in emails or websites that trick your AI agent into taking harmful actions.

Business / Organizational Risks

  • Data Breach – Sensitive files, emails, and communications exposed.
  • Enterprise Lateral Movement – If OpenClaw is connected to corporate systems, an attacker can pivot deeper into the network.
  • Scale – 40,000+ exposed instances globally, 12,000+ confirmed as exploitable via RCE.
  • Malicious Skills Supply Chain – Over 800 malicious “skills” (plugins) were found in the OpenClaw marketplace (ClawHub), compounding the threat.

How to Fix the OpenClaw Vulnerability

Immediate Actions to Take

  • Update OpenClaw to version 2026.1.29 or later immediately. All prior versions are vulnerable.
  • Rotate all authentication tokens and credentials if you were running a vulnerable version while visiting untrusted websites.
  • Audit installed skills/plugins from ClawHub and remove any unrecognized or suspicious ones. Over 800 malicious skills have been identified.

Hardening and Prevention Best Practices

  • Do not browse untrusted websites in the same browser session where OpenClaw’s Control UI is open. Use a separate browser profile.
  • Enable authentication on your OpenClaw instance. Many exposed instances run without any authentication.
  • Restrict OpenClaw’s permissions to the minimum; avoid granting full “god mode” shell access unless necessary.
  • Block public internet access to OpenClaw ports (default: 18789) using a firewall. Instances should not be exposed to the internet unless required.
  • Monitor OpenClaw logs for unexpected configuration changes, unusual command executions, or unauthorized API calls.
  • Review API keys linked to third-party services inside OpenClaw’s control panel and rotate any that may have been exposed.
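The monitoring item above is the one most teams leave vague, so here is an added example (not OpenClaw's code) of a log review pass for the indicators the attack breakdown names: approval prompts switched off via exec.approvals.set, WebSocket connections from a foreign origin, and command execution that follows. The log format and the sample lines are constructed for this example; the field names must be adapted to the real gateway log layout.

```javascript
// Added example, not OpenClaw's code: rule-based review of gateway logs.
// Log format below is constructed for the example.

const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:18789", "http://localhost:18789"]);

// Constructed sample: a normal UI session (s1) followed by a suspicious one (s2).
const SAMPLE_LOG = [
  "2026-02-03T10:14:02Z INFO ws.connect origin=http://127.0.0.1:18789 session=s1",
  "2026-02-03T10:14:05Z INFO api.call method=chat.send session=s1",
  "2026-02-03T10:21:40Z INFO ws.connect origin=https://attacker.example session=s2",
  "2026-02-03T10:21:41Z INFO api.call method=exec.approvals.set value=off session=s2",
  '2026-02-03T10:21:42Z INFO exec cmd="uname -a" session=s2',
];

const RULES = [
  { id: "approvals-disabled", severity: "high",
    match: l => /method=exec\.approvals\.set\b/.test(l) && /\bvalue=off\b/.test(l) },
  { id: "foreign-ws-origin", severity: "high",
    match: l => { const m = /\bws\.connect\b.*\borigin=(\S+)/.exec(l);
                  return !!m && !ALLOWED_ORIGINS.has(m[1]); } },
  { id: "command-execution", severity: "medium",
    match: l => /\bexec cmd=/.test(l) },
];

// Returns one finding per (line, rule) hit, tagged with the session id.
function reviewLog(lines) {
  const findings = [];
  lines.forEach((line, i) => {
    const session = (/\bsession=(\S+)/.exec(line) || [])[1] || null;
    for (const rule of RULES) {
      if (rule.match(line)) {
        findings.push({ line: i + 1, rule: rule.id, severity: rule.severity, session });
      }
    }
  });
  return findings;
}

// Sessions that disabled approvals and then executed commands match the
// sequence in the attack breakdown and deserve the highest priority.
function suspiciousSessions(findings) {
  const bySession = new Map();
  for (const f of findings) {
    if (!f.session) continue;
    if (!bySession.has(f.session)) bySession.set(f.session, new Set());
    bySession.get(f.session).add(f.rule);
  }
  return [...bySession]
    .filter(([, rules]) => rules.has("approvals-disabled") && rules.has("command-execution"))
    .map(([session]) => session);
}
```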

Best Practices to Secure AI Assistants Like OpenClaw

As organizations adopt AI assistants, security must evolve alongside innovation.

Key Recommendations

  • Apply least privilege access to AI agents
  • Monitor AI-driven actions in real time
  • Implement threat detection and response mechanisms
  • Regularly audit integrations and plugins

For organizations scaling AI securely, consider implementing managed detection and response solutions.
