#VU123334 Information disclosure in OpenClaw - CVE-2026-25253
Published: February 27, 2026
OpenClaw
Description
The vulnerability allows a remote attacker to compromise the affected system.
The vulnerability exists because the Control UI reads a gatewayUrl value from the query string and automatically opens a WebSocket connection to that URL without prompting the user. A remote attacker can trick the victim into visiting a specially crafted website and obtain a security token that can later be used to manipulate the application over the established WebSocket connection.
Successful exploitation of the vulnerability may allow an attacker to compromise the affected system.
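The defensive pattern a control UI should apply to a gatewayUrl query parameter, as an added example that is not OpenClaw's own code: the parameter is validated (WebSocket scheme only, no plaintext ws:// to non-loopback hosts) and any gateway outside a configured allowlist requires explicit user confirmation before a connection, and therefore any token, reaches it. The names evaluateGatewayUrl, connectGateway, DEFAULT_GATEWAY and the port 18789 are assumptions for illustration.

```javascript
// Constructed default; a real UI would take this from its own configuration.
const DEFAULT_GATEWAY = "ws://127.0.0.1:18789/";

function isLoopbackHost(hostname) {
  // URL.hostname keeps the brackets around IPv6 literals.
  return hostname === "localhost" || hostname === "127.0.0.1" || hostname === "[::1]";
}

// Decide what to do with the gatewayUrl query parameter. Returns one of
// { decision: "connect" | "prompt" | "reject", url, reason }.
function evaluateGatewayUrl(search, trustedOrigins) {
  const raw = new URLSearchParams(search).get("gatewayUrl");
  if (raw === null) {
    return { decision: "connect", url: DEFAULT_GATEWAY, reason: "default" };
  }
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { decision: "reject", url: null, reason: "unparseable" };
  }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") {
    return { decision: "reject", url: null, reason: "scheme" };
  }
  if (u.protocol === "ws:" && !isLoopbackHost(u.hostname)) {
    // A token must never travel in cleartext to a remote host.
    return { decision: "reject", url: null, reason: "plaintext-remote" };
  }
  if (trustedOrigins.includes(u.origin)) {
    return { decision: "connect", url: u.href, reason: "allowlisted" };
  }
  // Parseable and well-formed, but not pre-approved: the user decides.
  return { decision: "prompt", url: u.href, reason: "untrusted-origin" };
}

// Wires the decision to the actual connection. `confirm(url)` asks the user;
// `openSocket(url)` performs the connect. Returns the socket or null.
function connectGateway(search, trustedOrigins, confirm, openSocket) {
  const result = evaluateGatewayUrl(search, trustedOrigins);
  if (result.decision === "reject") return null;
  if (result.decision === "prompt" && !confirm(result.url)) return null;
  return openSocket(result.url);
}
```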