
"The security hole, tracked as CVE-2026-25253, was patched in recent days with the release of version 2026.1.29. 'This is a token exfiltration vulnerability that leads to full gateway compromise,' the AI tool's developers explained in an advisory. 'It impacts any Moltbot deployment where a user has authenticated to the Control UI. The attacker gains operator-level access to the gateway API, enabling arbitrary config changes and code execution on the gateway host.'"
"The attacker's site is designed to execute JavaScript in the victim's browser to obtain an OpenClaw authentication token and send it back to the attacker. The attacker's site also executes code to establish a WebSocket connection to the local host, with authentication enabled using the stolen token. The attacker can then disable sandboxing, along with user confirmation for the execution of dangerous commands."
OpenClaw, previously Clawdbot and Moltbot, is an open-source self-hosted AI agent that can autonomously execute terminal commands, manage files, and orchestrate workflows across messaging apps. Researchers at DepthFirst found a token-exfiltration vulnerability (CVE-2026-25253) allowing remote attackers to obtain a user's authentication token by tricking the user into visiting a malicious website. The malicious site runs JavaScript to steal the token, opens a WebSocket to the local host using the stolen token, and can disable sandboxing and user confirmations. An attacker with the token gains operator-level gateway API access, enabling arbitrary configuration changes and remote code execution. Developers released version 2026.1.29 to patch the flaw.
Read at SecurityWeek