CVE-2026-25253
OpenClaw WebSocket Token Disclosure Vulnerability
Description
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
INFO
Published Date :
Feb. 1, 2026, 11:15 p.m.
Last Modified :
Feb. 3, 2026, 4:44 p.m.
Remotely Exploit :
Yes !
Source :
[email protected]
Affected Products
The following products are affected by CVE-2026-25253
vulnerability.
Even if cvefeed.io is aware of the exact versions of the
products
that
are
affected, the information is not represented in the table below.
No affected product recoded yet
CVSS Scores
| Score | Version | Severity | Vector | Exploitability Score | Impact Score | Source |
|---|---|---|---|---|---|---|
| CVSS 3.1 | HIGH | 8254265b-2729-46b6-b9e3-3dfca2d5bfca | ||||
| CVSS 3.1 | HIGH | [email protected] |
Solution
- Update OpenClaw to version 2026.1.29 or newer.
- Review and secure gatewayUrl configurations.
- Implement user consent for WebSocket connections.
Public PoC/Exploit Available at Github
CVE-2026-25253 has a 16 public
PoC/Exploit available at Github.
Go to the Public Exploits tab to see the list.
References to Advisories, Solutions, and Tools
Here, you will find a curated list of external links that provide in-depth
information, practical solutions, and valuable tools related to
CVE-2026-25253.
CWE - Common Weakness Enumeration
While CVE identifies
specific instances of vulnerabilities, CWE categorizes the common flaws or
weaknesses that can lead to vulnerabilities. CVE-2026-25253 is
associated with the following CWEs:
Common Attack Pattern Enumeration and Classification (CAPEC)
Common Attack Pattern Enumeration and Classification
(CAPEC)
stores attack patterns, which are descriptions of the common attributes and
approaches employed by adversaries to exploit the CVE-2026-25253
weaknesses.
We scan GitHub repositories to detect new proof-of-concept exploits. Following list is a collection of public exploits and proof-of-concepts, which have been published on GitHub (sorted by the most recently updated).
Don't get pinched. Security audit toolkit for OpenClaw deployments. 63 checks across 8 categories.
Shell Python HTML JavaScript
None
JavaScript TypeScript Shell
None
Rust
OpenClaw CVE-2026-25253 漏洞分析中文版
Proactive security monitoring for OpenClaw deployments. Detects ClawHavoc, AMOS stealer, CVE-2026-25253, memory poisoning, and supply chain attacks.
HTML JavaScript Shell
OpenClaw (formerly Clawdbot/Moltbot) 2026 Guide. Installation, Kimi/Claude benchmarks, Clawhub skills, and security alerts.
CSS TypeScript JavaScript
Snapper - Security rules manager for AI agents (OpenClaw, Claude Code, Cursor)
Dockerfile Python Mako HTML Shell CSS JavaScript
None
Secure runtime infrastructure for AI agents. Financial settlement patterns applied to agentic AI security.
JavaScript TypeScript HTML CSS
Moltbot without the hacker ecosystem
Rust
None
Python
Security sandbox for AI agents — intercepts all actions, enforces policies, logs everything. Works with OpenClaw, LangChain, any framework.
agent-security ai-security langchain llm-security mcp openclaw
JavaScript TypeScript Dockerfile PLpgSQL HTML
Cloud Foundry deployment files for OpenClaw with Tanzu GenAI integration
Shell
Security toolkit for AI agents - verify skills, harden setups, scan for exposures
JavaScript TypeScript
Coyote Security - Open Source security scanner for Github repos and AI Agents.
Shell Python
Results are limited to the first 15 repositories due to potential performance issues.
The following list is the news that have been mention
CVE-2026-25253 vulnerability anywhere in the article.
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 6
The Good | Former Google Engineer Steals AI Supercomputing Secrets for China Former Google software engineer Linwei Ding has been found guilty of economic espionage and trade secret theft after steali ... Read more
-
SentinelOne
The Good, the Bad and the Ugly in Cybersecurity – Week 6
The Good | Former Google Engineer Steals AI Supercomputing Secrets for China Former Google software engineer Linwei Ding has been found guilty of economic espionage and trade secret theft after steali ... Read more
-
The Hacker News
OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link
A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link. The issue, wh ... Read more
The following table lists the changes that have been made to the
CVE-2026-25253 vulnerability over time.
Vulnerability history details can be useful for understanding the evolution of a vulnerability, and for identifying the most recent changes that may impact the vulnerability's severity, exploitability, or other characteristics.
-
CVE Modified by 134c704f-9b21-4f2e-91b3-4a467353bcc0
Feb. 03, 2026
Action Type Old Value New Value Added Reference https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys -
CVE Modified by [email protected]
Feb. 02, 2026
Action Type Old Value New Value Added Reference https://ethiack.com/news/blog/one-click-rce-moltbot Added Reference https://x.com/0xacb/status/2016913750557651228 -
New CVE Received by [email protected]
Feb. 01, 2026
Action Type Old Value New Value Added Description OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. Added CVSS V3.1 AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Added CWE CWE-669 Added Reference https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys Added Reference https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq Added Reference https://openclaw.ai/blog