Ethical Hacking News
A recent vulnerability has been disclosed in OpenClaw, an AI-powered personal assistant that allows for remote code execution (RCE) through a crafted malicious link. The issue was identified by security researchers, who found that the vulnerability could be exploited to execute privileged actions and bypass authentication. A patch has been released to fix this issue, but it highlights the need for ongoing security testing of open-source software.
Security researchers have identified a high-severity vulnerability in OpenClaw, an open-source AI personal assistant. The issue allows for remote code execution (RCE) through a crafted malicious link with a CVSS score of 8.8. A cross-site WebSocket hijacking attack can be triggered, allowing attackers to execute client-side JavaScript and establish a connection to the OpenClaw instance. OpenClaw's design provides local execution on user devices, increasing susceptibility to attacks like this one. A patch has been released (version 2026.1.29) to address the vulnerability. The incident highlights the need for continued security testing and monitoring of open-source software.
In a recent disclosure, security researchers have identified a high-severity vulnerability in OpenClaw, an open-source autonomous artificial intelligence (AI) personal assistant. The issue, tracked as CVE-2026-25253 with a CVSS score of 8.8, allows for remote code execution (RCE) through a crafted malicious link.
According to the researchers, the problem lies in the way OpenClaw's server handles WebSocket connections from its own domain. When a user visits a malicious web page that contains a crafted link, it can trigger a cross-site WebSocket hijacking attack, allowing the attacker to execute client-side JavaScript on the victim's browser and establish a connection to the OpenClaw instance.
This vulnerability is particularly concerning because OpenClaw is designed to run locally on user devices, providing a level of privacy and security that some other AI-powered assistants lack. However, this also means that users are more susceptible to attacks like the one described above.
The attackers' approach to exploiting the vulnerability involves using the token's privileged operator.admin and operator.approvals scopes to bypass authentication and log in to the victim's OpenClaw instance. By doing so, they can disable user confirmation by setting "exec.approvals.set" to "off" and escape the container used to run shell tools by setting "tools.exec.host" to "gateway."
In an advisory, Peter Steinberger, the creator and maintainer of OpenClaw, described the vulnerability as a token exfiltration vulnerability that leads to full gateway compromise. He also noted that clicking on a crafted link or visiting a malicious site can send the stored gateway token in the WebSocket connect payload.
The researchers have released a patch for this issue, which is version 2026.1.29 and was released on January 30, 2026. However, the fact that such a critical vulnerability exists highlights the need for continued security testing and monitoring of open-source software like OpenClaw.
Related Information:
https://www.ethicalhackingnews.com/articles/The-OpenClaw-Vulnerability-A-Critical-Security-Flaw-in-AI-Powered-Personal-Assistants-ehn.shtml
https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html
https://nvd.nist.gov/vuln/detail/CVE-2026-25253
https://www.cvedetails.com/cve/CVE-2026-25253/
Published: Mon Feb 2 11:45:00 2026 by llama3.2 3B Q4_K_M
