A high-severity security flaw in OpenClaw allowed attackers to trigger remote code execution (RCE) with a single click. The issue, tracked as CVE-2026-25253, affected versions released before v2026.1.29 and exposed users to full gateway compromise if they clicked a crafted link.

Before the fix, OpenClaw’s Control UI trusted a gatewayUrl value supplied through a URL query string. The app then auto-connected to that address and sent the stored authentication token during the WebSocket handshake—without asking the user to confirm. An attacker could host a malicious page that injects a rogue gatewayUrl, receive the token, and immediately connect back to the victim’s local gateway.
Because the gateway did not validate WebSocket origin headers, the attacker could bypass localhost protections using the victim’s browser as a bridge. With the stolen token, the attacker gained operator-level access and executed privileged actions, resulting in one-click RCE.
Why even local setups were exposed
The attack did not require the gateway to be internet-facing. The victim’s browser initiated the outbound connection, which meant instances bound to loopback only were still exploitable. Any authenticated Control UI session on a vulnerable version was at risk.
Official fix and security hardening
OpenClaw shipped a fix in v2026.1.29 that removes the unsafe auto-connect behavior and adds explicit confirmation for new gateway URLs. The release also strengthens warnings around gateway exposure and authentication defaults, ensuring the gateway now fails closed unless proper auth is present.
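The sketch below is an added example, not OpenClaw's code. It shows the two checks the fix and the flaw description point to: a client that never attaches the stored token to an unconfirmed gatewayUrl, and a gateway that checks the WebSocket Origin header. The function names, sample URLs and port are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not taken from the OpenClaw code base.

// Reduce a WebSocket URL to scheme://host[:port]; null if it is not ws:/wss:.
function gatewayKey(raw) {
  try {
    const u = new URL(raw);
    if (u.protocol !== "ws:" && u.protocol !== "wss:") return null;
    return `${u.protocol}//${u.host}`;
  } catch {
    return null; // unparsable input is treated as untrusted
  }
}

// Client side: decide what to do with a gatewayUrl query parameter.
// `trusted` is a Set of gateway keys the user has explicitly confirmed before.
function resolveGateway(pageUrl, trusted, fallback) {
  const requested = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (requested === null) return { action: "connect", url: fallback, sendToken: true };
  const key = gatewayKey(requested);
  if (key === null) return { action: "reject", url: null, sendToken: false };
  if (trusted.has(key)) return { action: "connect", url: key, sendToken: true };
  // Unknown gateway: no auto-connect and no token until the user confirms.
  return { action: "confirm", url: key, sendToken: false };
}

// Gateway side: accept a WebSocket upgrade only from an allowlisted Origin.
// Assumption: only browser clients connect, so a missing Origin fails closed.
function originAllowed(originHeader, allowedOrigins) {
  if (typeof originHeader !== "string") return false;
  let origin;
  try {
    origin = new URL(originHeader).origin;
  } catch {
    return false;
  }
  return origin !== "null" && allowedOrigins.has(origin);
}

// Constructed sample input: a crafted link carrying an unknown gateway.
const sampleTrusted = new Set(["ws://127.0.0.1:9000"]);
const sampleLink = "http://localhost:9000/ui?gatewayUrl=wss://unknown.example/ws";
console.log(resolveGateway(sampleLink, sampleTrusted, "ws://127.0.0.1:9000"));
console.log(originAllowed("https://unknown.example", new Set(["http://localhost:9000"])));
```

Either check alone breaks the chain described above: without the token the rogue endpoint has nothing to replay, and with Origin validation a cross-site page cannot use the browser to reach the loopback gateway.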
What users should do now
OpenClaw maintainers recommend immediate action:
- Upgrade to v2026.1.29 or later to apply the patch.
- Rotate gateway tokens and any connected API keys.
- Audit logs for unexpected WebSocket connections or config changes.
- Avoid clicking unknown links while the Control UI is authenticated.
OpenClaw runs with high privileges by design, integrating directly with local tools, files, and messaging platforms. That power demands strict validation at every trust boundary. This incident highlights how small UI assumptions—like auto-connecting to a URL parameter—can cascade into critical compromise when combined with token handling and WebSocket behaviors.
If you use OpenClaw, update now, rotate credentials, and review your gateway exposure settings to prevent token-based attacks going forward.
