"The Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload,"
"Clicking a crafted link or visiting a malicious site can send the token to an attacker-controlled server. The attacker can then connect to the victim's local gateway, modify config (sandbox, tool policies), and invoke privileged actions, achieving 1-click RCE."
"OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use,"
"Unlike SaaS assistants where your data lives on someone else's servers, OpenClaw runs where you choose - laptop, homelab, or VPS. Your infrastructure. Your keys. Your data."
OpenClaw contained a high-severity token-exfiltration flaw (CVE-2026-25253, CVSS 8.8) that allowed attackers to obtain stored gateway tokens via a crafted URL. The Control UI accepted gatewayUrl from the query string without validation and auto-connected on load, sending the token in the WebSocket connect payload. Clicking a malicious link or visiting a page could send that token to an attacker-controlled server, enabling the attacker to connect to the victim's local gateway, alter configuration and policies, and perform privileged actions leading to one-click remote code execution. The issue was patched in version 2026.1.29 on January 30, 2026.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]