CVE-2026-25253
Severity CVSS v4.0:
Pending analysis
Type:
CWE-669
Incorrect Resource Transfer Between Spheres
Publication date:
01/02/2026
Last modified:
13/02/2026
Description
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Impact
Base Score 3.x
8.80
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:* | 2026.1.29 (excluding) |
To consult the complete list of CPE names with products and versions, see this page
References to Advisories, Solutions, and Tools
- https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
- https://ethiack.com/news/blog/one-click-rce-moltbot
- https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
- https://openclaw.ai/blog
- https://x.com/0xacb/status/2016913750557651228
- https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys