CVE-2026-25253 Explained: The One-Click RCE That Compromises Your OpenClaw Gateway

TL;DR

CVE-2026-25253 is a CVSS 8.8 vulnerability in OpenClaw’s Control UI that allows one-click remote code execution. If you’re running any version before v2026.1.29, you must upgrade immediately. Even localhost-bound instances are vulnerable.

What Is CVE-2026-25253?

Discovered by Depthfirst researchers and publicly disclosed on February 1, 2026, this vulnerability stems from a trust flaw in OpenClaw’s Control UI:

  1. The Control UI accepts a gatewayUrl parameter from the URL query string without validation
  2. When a user visits a crafted link, the UI automatically initiates a WebSocket connection to the attacker’s server
  3. The stored gateway authentication token is sent along with this connection
  4. The attacker captures the token and connects back to the victim’s OpenClaw gateway
  5. With the token, the attacker has full gateway control — including arbitrary command execution
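
The flaw in step 1 is the unchecked gatewayUrl parameter. The following added example (not OpenClaw’s code and not a description of the v2026.1.29 patch) puts the unsafe resolution pattern next to a hardened version that only lets the parameter select an allowlisted gateway; the helper names, the allowlist, the sample port and the placeholder hosts are constructed for illustration.

```javascript
// Added example (not OpenClaw's code): resolving a gateway WebSocket URL from
// the Control UI's query string. Helper names, the allowlist and the sample
// port are constructed for illustration.

// The unsafe pattern the write-up describes: the ?gatewayUrl= value becomes
// the WebSocket target unchecked, so the stored token goes wherever it points.
function resolveGatewayUrlUnsafe(queryString, fallback) {
  const params = new URLSearchParams(queryString);
  return params.get("gatewayUrl") || fallback;
}

const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Hardened form: the parameter may only pick a gateway the operator has
// allowlisted (or the Control UI's own host). Plaintext ws:// is limited to
// loopback, and URLs carrying embedded credentials are refused. Every rejection
// falls back to the default gateway and names a reason suitable for logging.
function resolveGatewayUrlSafe(queryString, pageOrigin, allowedHosts, fallback) {
  const candidate = new URLSearchParams(queryString).get("gatewayUrl");
  if (candidate === null) return { url: fallback, reason: "default" };

  let target;
  try {
    target = new URL(candidate); // absolute URLs only; relative input throws
  } catch {
    return { url: fallback, reason: "unparseable" };
  }
  if (target.protocol !== "ws:" && target.protocol !== "wss:") {
    return { url: fallback, reason: "bad-scheme" };
  }
  if (target.username || target.password) {
    return { url: fallback, reason: "credentials-in-url" };
  }
  const ownHost = new URL(pageOrigin).hostname;
  const allowed = new Set([ownHost, ...allowedHosts].map((h) => h.toLowerCase()));
  if (!allowed.has(target.hostname)) { // WHATWG URL lowercases hostnames
    return { url: fallback, reason: "host-not-allowlisted" };
  }
  if (target.protocol === "ws:" && !LOOPBACK_HOSTS.has(target.hostname)) {
    return { url: fallback, reason: "plaintext-off-loopback" };
  }
  return { url: target.href, reason: "allowlisted" };
}

// Constructed sample values: arbitrary port, placeholder hosts.
const DEFAULT_GATEWAY = "ws://127.0.0.1:8080/ws";
const PAGE_ORIGIN = "http://127.0.0.1:8080";
const ALLOWED_HOSTS = ["gateway.internal.example"];
console.log(resolveGatewayUrlSafe("?gatewayUrl=ws://attacker.example/ws", PAGE_ORIGIN, ALLOWED_HOSTS, DEFAULT_GATEWAY));
```

The rejection reasons are the values a defender would want surfaced in the UI’s logs, since a burst of host-not-allowlisted rejections is exactly the signal this class of lure produces.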

Why Localhost Doesn’t Save You

A common misconception is that binding OpenClaw to 127.0.0.1 provides protection. It does not. The attack pivots through the victim’s own browser — the browser makes the outbound WebSocket connection from localhost. The gateway never needs to be internet-facing for this exploit to work.

As Conscia’s analysis explains:

“Any user who has authenticated to the Control UI and subsequently visits a malicious page or clicks a crafted link is at risk.”

Timeline

Date           Event
Late Jan 2026  Depthfirst identifies the vulnerability
Jan 29, 2026   OpenClaw patches in v2026.1.29 (auth mode “none” removed)
Feb 1, 2026    Public disclosure by Depthfirst
Feb 2, 2026    Belgium CCB issues emergency advisory
Feb 5, 2026    China MIIT/NVDB issues security alert
Feb 19, 2026   Microsoft Security Blog publishes isolation guidance
Feb 20, 2026   SecurityWeek reports SecureClaw audit tool debut

Are You Affected?

Yes, if:

Check your version:

openclaw --version

If the output is below 2026.1.29, upgrade now.

How to Fix

1. Upgrade OpenClaw

# Update to latest
npm update -g openclaw
# or
openclaw update

Verify you’re on v2026.1.29 or later (current latest: v2026.2.19).

2. Rotate Your Gateway Token

Even after upgrading, your old token may have been exfiltrated. Rotate it:

openclaw gateway token --rotate

3. Audit for Compromise

Check your gateway logs for unexpected WebSocket connections:

# Look for connections from unknown origins
grep -i "websocket" ~/.openclaw/logs/gateway.log | grep -v "localhost"

Review recent command history for anything you didn’t execute.

4. Follow Isolation Best Practices

Microsoft’s February 19 guidance recommends:

This CVE is part of a broader security crisis in the OpenClaw ecosystem this February:

The Bigger Picture

As Or Ben Ari wrote on Medium:

“Seemingly small trust decisions in a control plane can collapse into ‘one click → credential loss → privileged control’.”

OpenClaw gives AI agents access to your email, calendar, messaging, and shell. A compromised gateway means all of those are compromised too. The lesson: treat your OpenClaw instance like a production server, not a toy.

Further Reading
