- A critical flaw in the popular AI assistant OpenClaw allows attackers to execute remote code via a single malicious link.
- The vulnerability, patched on January 30, 2026, enabled complete system compromise by exfiltrating authentication tokens.
- With over 149,000 GitHub stars, the locally-run software was vulnerable even when configured to listen only on localhost.
- The one-click exploit chain could bypass critical safety sandboxes to run commands directly on a victim’s host machine.
A severe security vulnerability in the widely-used AI assistant OpenClaw was patched on January 30, 2026, allowing remote code execution through a crafted link. The flaw, tracked as CVE-2026-25253 with a high CVSS score of 8.8, could lead to full gateway compromise.
According to an advisory by creator Peter Steinberger, the Control UI auto-connected using an untrusted query parameter. Consequently, clicking a malicious link could send a gateway token to an attacker-controlled server.
Discovered by Mav Levin of depthfirst, the exploit chain achieved RCE milliseconds after visiting a webpage. Levin detailed how the attack bypassed localhost restrictions via cross-site WebSocket hijacking.
The attacker could then disable user confirmations and escape the safety container. “This forces the agent to run commands directly on the host machine, not inside a Docker container,” Levin said.
Steinberger noted the vulnerability impacted any deployment where a user was authenticated. Meanwhile, the open-source project, which promises user data sovereignty, had gained rapid popularity since its November 2025 release.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
