SB2026022736 - Remote code execution in OpenClaw
Published: February 27, 2026
Description
This security bulletin contains information about 1 security vulnerability.
1) Information disclosure (CVE-ID: CVE-2026-25253)
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists because the Control UI reads a gatewayUrl value from the query string and automatically opens a WebSocket connection to that URL without prompting the user. A remote attacker can trick the victim into visiting a specially crafted website and obtain a security token that can later be used to manipulate the application over the established WebSocket connection.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
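The weakness described above is a client that trusts an endpoint supplied by an untrusted query string. The following is an added example, not OpenClaw's own code and not the vendor's fix; it shows the kind of check a web client can apply before opening a WebSocket to a gatewayUrl taken from the URL: parse it, require ws:/wss:, reject embedded credentials, compare its origin against a configured allowlist, and require an explicit user confirmation whenever the requested gateway differs from the configured one. The function names, the allowlist entries and the port 18789 are assumptions made for this example.

```javascript
// Added example (not OpenClaw's code): gate a WebSocket connection on a
// query-string supplied gatewayUrl. All names and values here are assumed.

// Constructed allowlist of gateway origins the UI is permitted to talk to.
// The first entry doubles as the default/configured gateway.
const DEFAULT_ALLOWED_ORIGINS = [
  "ws://127.0.0.1:18789",          // assumed local gateway
  "wss://gateway.example.test",    // assumed remote gateway
];

// Parse with the WHATWG URL parser; anything unparsable is rejected.
function parseGatewayUrl(raw) {
  try {
    return new URL(raw);
  } catch {
    return null;
  }
}

// Normalised form used to decide whether two URLs name the same gateway.
function normalizeGatewayUrl(raw) {
  const url = parseGatewayUrl(raw);
  return url ? url.href : null;
}

// True only for a ws:/wss: URL without credentials whose origin is allowlisted.
function isAllowedGatewayUrl(raw, allowedOrigins = DEFAULT_ALLOWED_ORIGINS) {
  const url = parseGatewayUrl(raw);
  if (!url) return false;
  if (url.protocol !== "ws:" && url.protocol !== "wss:") return false;
  // Credentials in the URL would leak into the connection; refuse them.
  if (url.username || url.password) return false;
  // url.origin is scheme://host[:port] for ws/wss under the WHATWG URL spec.
  return allowedOrigins.includes(url.origin);
}

// Decide what the UI should do for a given location.search string.
// Returns { action: "connect" | "prompt" | "reject", url, reason }.
// "prompt" means the UI must ask the user before sending any token.
function decideGatewayConnection(queryString, opts = {}) {
  const allowed = opts.allowedOrigins ?? DEFAULT_ALLOWED_ORIGINS;
  const configured = opts.configuredGatewayUrl ?? allowed[0];
  const requested = new URLSearchParams(queryString).get("gatewayUrl");

  if (requested === null) {
    // No override supplied: use the configured gateway silently.
    return { action: "connect", url: configured, reason: "no gatewayUrl override" };
  }
  if (!isAllowedGatewayUrl(requested, allowed)) {
    return { action: "reject", url: null, reason: "gatewayUrl not in allowlist" };
  }
  if (normalizeGatewayUrl(requested) === normalizeGatewayUrl(configured)) {
    return { action: "connect", url: configured, reason: "override matches configured gateway" };
  }
  // Allowlisted but different from what the user configured: never connect
  // (and never send the token) without an explicit confirmation.
  return { action: "prompt", url: requested, reason: "user must confirm gateway change" };
}

// Demo over constructed query strings.
for (const q of [
  "",
  "?gatewayUrl=ws://127.0.0.1:18789/",
  "?gatewayUrl=wss://gateway.example.test/ws",
  "?gatewayUrl=wss://attacker.example/ws",
  "?gatewayUrl=http://127.0.0.1:18789",
]) {
  console.log(JSON.stringify(q), "=>", decideGatewayConnection(q));
}
```

The essential point is the "prompt" branch: even an allowlisted gateway that differs from the configured one is not connected to automatically, so a link cannot silently redirect the UI and its token to a different endpoint.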
Remediation
Install update from vendor's website.