
A high-severity security flaw has been discovered in OpenClaw, the open-source AI personal assistant that runs locally on user devices. The issue could allow attackers to execute code remotely on a victim’s system by simply getting them to click a malicious link. The vulnerability is tracked as CVE-2026-25253 and has a CVSS score of 8.8, placing it in the high-risk category.

The flaw was fixed in OpenClaw version 2026.1.29, which was released on January 30, 2026. Users running older versions are strongly advised to update immediately, as the attack does not require complex interaction or special access.

According to OpenClaw creator and maintainer Peter Steinberger, the problem lies in how the Control UI handles a parameter called gatewayUrl. When the interface loads, it automatically trusts this value from the URL query string and initiates a WebSocket connection. In doing so, it sends a stored authentication token without validating where the connection is going. This behavior makes it possible for a crafted link or malicious website to silently send the token to an attacker-controlled server.

Once the token is stolen, the attacker can connect back to the victim’s local OpenClaw gateway. This gives them the ability to change configuration settings, modify sandbox and tool policies, and invoke privileged actions. In practical terms, this can lead to full remote code execution with just one click.

The vulnerability was discovered by security researcher Mav Levin from depthfirst. He explained that the attack chain can complete in milliseconds after a victim visits a malicious web page. The root cause is a cross-site WebSocket hijacking issue, where OpenClaw’s server fails to validate the Origin header on WebSocket connections. As a result, it accepts connections from any website, bypassing protections that normally apply to localhost-only services.

A malicious page can run JavaScript in the victim’s browser to retrieve the authentication token, open a WebSocket connection to the local OpenClaw server, and log in using the stolen token. Because the token carries high-level permissions such as operator.admin and operator.approvals, the attacker can disable user confirmations and weaken security boundaries.

Levin noted that attackers can go further by changing settings like tools.exec.host to gateway. This forces OpenClaw to run commands directly on the host machine instead of inside a container. From there, arbitrary commands can be executed using API calls, resulting in a complete system compromise.

The flaw works even when OpenClaw is configured to listen only on the local loopback interface. Since the victim’s browser initiates the outbound connection, network isolation does not stop the attack. Any OpenClaw deployment where a user has logged into the Control UI is potentially affected.
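The two checks described above as missing, validating the WebSocket Origin header on the server and not blindly trusting a gatewayUrl taken from the query string, can be sketched as follows. This is an added example, not OpenClaw's code or its actual patch; the port, the allowlist and both function names are assumptions.

```javascript
// Added example. ALLOWED_UI_ORIGINS, port 8080 and both function names are
// assumptions for illustration; they are not taken from OpenClaw.
const ALLOWED_UI_ORIGINS = new Set([
  "http://127.0.0.1:8080",
  "http://localhost:8080",
]);

// Server side: accept a WebSocket upgrade only from an allowlisted Origin.
function isAllowedOrigin(originHeader, allowed = ALLOWED_UI_ORIGINS) {
  // This sketch rejects a missing or opaque ("null") Origin outright.
  if (typeof originHeader !== "string" || originHeader === "null") return false;
  let parsed;
  try {
    parsed = new URL(originHeader);
  } catch {
    return false; // not a parseable origin
  }
  // Exact match on the serialized origin; no prefix or substring tests,
  // so "http://localhost.attacker.example:8080" cannot pass.
  return parsed.origin === originHeader && allowed.has(parsed.origin);
}

// Client side: honour ?gatewayUrl= only when it targets the page's own
// host and port; otherwise fall back to the configured default.
function resolveGatewayUrl(pageUrl, defaultWsUrl) {
  const page = new URL(pageUrl);
  const candidate = page.searchParams.get("gatewayUrl");
  if (!candidate) return defaultWsUrl;
  let target;
  try {
    target = new URL(candidate);
  } catch {
    return defaultWsUrl;
  }
  const schemeOk = target.protocol === "ws:" || target.protocol === "wss:";
  const noCreds = target.username === "" && target.password === "";
  // URL.host includes the port, so a foreign host or port is refused.
  const sameHost = target.host === page.host;
  return schemeOk && noCreds && sameHost ? target.href : defaultWsUrl;
}
```

The server-side check is the one that addresses the cross-site hijacking described above, since a browser sets the Origin header itself and page script cannot override it.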

OpenClaw, previously known as Clawdbot and OpenClaw, was first released in November 2025 and has grown rapidly in popularity. Its GitHub repository has crossed 149,000 stars, driven by interest in local AI agents that keep data on user-controlled systems rather than cloud servers. While this model offers privacy benefits, this incident shows how deeply integrated local tools can also amplify security risks.

Anyone running OpenClaw should update to version 2026.1.29 or later right away. It is also important to rotate authentication tokens after updating and to review configuration settings for any unexpected changes. Users should be cautious about clicking unknown links, especially while OpenClaw is running.
