CVE-2026-25253 Explained: The 1-Click OpenClaw RCE

On January 30, 2026, Mav Levin disclosed CVE-2026-25253 — a 1-click RCE in OpenClaw's Gateway that affected 42,665 instances globally. Full walkthrough.

Security context: Three critical CVEs disclosed in OpenClaw in Q1 2026 (CVE-2026-25253, CVE-2026-32922) plus the ClawHavoc supply-chain attack (1,184 malicious skills). Always run v2026.4.12 or later.

On January 30, 2026, security researcher Mav Levin of depthfirst disclosed CVE-2026-25253: a cross-site WebSocket hijacking flaw in OpenClaw's local Gateway that allowed remote code execution from a single malicious link. CVSS score: 8.8 (high). Disclosure-to-patch time: under 24 hours. Estimated exposed instances at disclosure: 42,665.

This post explains what the vulnerability actually was, why it existed, how the exploit worked end-to-end, what got patched, and what you should do today if you still run an older version. We'll keep the technical depth at "security-curious sysadmin" level — no prior knowledge of WebSocket origins required.

TL;DR — The 30-second answer

  • What: Cross-site WebSocket hijacking on OpenClaw's local Gateway (port 18789). CVSS 8.8.
  • Who found it: Mav Levin, founding security researcher at depthfirst.
  • How long to discover: 100 minutes of source-code reading.
  • Disclosure: January 30, 2026, coordinated.
  • Patch: v2026.1.29 shipped same day. v2026.4.12+ recommended for full coverage.
  • Action item: Run openclaw --version. Below v2026.1.29 = critical; below v2026.4.12 = update now.

What the Gateway does

OpenClaw's Gateway is a small Node.js WebSocket server bound to localhost:18789. It's how every channel (terminal, web UI, WhatsApp relay, Telegram bot) talks to the agent. The Gateway authenticates clients with a token stored in ~/.openclaw/gateway.token, then routes messages.

In an ideal world, only processes on your local machine can talk to the Gateway, because it's bound to localhost only. The vulnerability arose because your browser counts as a local process — and websites you visit can ask your browser to make connections.

The vulnerability in plain English

[Figure: CVE-2026-25253 attack chain diagram. Five-stage attack chain from malicious link to remote code execution. Each stage uses standard web browser capabilities.]

Modern browsers let any website open a WebSocket connection to any address, including ws://localhost:18789. The Same-Origin Policy does not block WebSocket handshakes by default; the browser sends an Origin header with the handshake, and the server has to opt in to checking it.

OpenClaw's Gateway, in versions before v2026.1.29, didn't check the Origin header. It checked the auth token, but the token was readable by JavaScript on any page you visited (via a separate XSS-style flaw in how the token was exposed to extensions). A malicious page could:

  1. Trick your browser into requesting the local token via the leaked extension channel.
  2. Open a WebSocket to your local Gateway with that token.
  3. Send a privileged message (like "add a new skill from this URL").
  4. The Gateway, seeing a valid token, executes the command.
  5. The attacker's code now runs as you, with your permissions, on your machine.

Why this is more dangerous than a normal RCE

Most RCEs require the attacker to find your IP, port-scan you, and exploit a server you control. This one didn't — you came to them. A malicious tweet, a poisoned ad, a compromised npm package's README rendered in a browser preview — any of those could trigger the chain. Hence the "1-click" designation.

[Figure: CVE-2026-25253 disclosure statistics. 100 minutes to discover, 24 hours to patch, but 42,665 instances were exposed during the gap.]

Maor Dayan's scan during the disclosure window (Conscia 2026 OpenClaw Security Crisis advisory) found 42,665 OpenClaw instances exposed globally. Of those, 5,194 were confirmed vulnerable — meaning they were running affected versions and the Gateway was reachable from the internet (a separate misconfiguration). Even worse, 93.4% had no working authentication, meaning the WebSocket exploit wasn't even required.

What got patched in v2026.1.29

The same-day patch did four things:

  • Added strict Origin header validation on every WebSocket handshake.
  • Rotated the auth token to be inaccessible from browser contexts (moved to OS keyring on macOS/Linux, DPAPI on Windows).
  • Logged every connection attempt with origin and User-Agent for forensics.
  • Bound the Gateway to 127.0.0.1 explicitly, refusing to start if the user tried to bind to 0.0.0.0 without an explicit --allow-external flag.

A subsequent patch in v2026.3.11 added per-token scoping (so a leaked browser token can't issue privileged commands) and v2026.4.12 added the additional sandbox bypass fix from CVE-2026-32922. The recommended version today is v2026.4.12 or later.
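
As an added illustration of the first patch item (this is not OpenClaw's code), here is what Origin validation on a WebSocket handshake can look like in Node.js using only built-in APIs. The allowlist, the function names, the policy of passing header-less non-browser clients on to token auth, and the sample headers are assumptions made for the example.

```javascript
// Added example: Origin allowlisting for a WebSocket upgrade (not OpenClaw's code).
// Assumption: the legitimate browser UI is served from these origins only.
const ALLOWED_ORIGINS = new Set(['http://localhost:18789', 'http://127.0.0.1:18789']);

// Decide from the handshake headers alone whether the upgrade may proceed.
function checkOrigin(headers, allowed = ALLOWED_ORIGINS) {
  const origin = headers.origin;
  // Browsers always send Origin on a WebSocket handshake, so a missing header
  // means a non-browser client (CLI, relay); it still has to pass token auth.
  if (origin === undefined) return { ok: true, reason: 'no-origin' };
  let parsed;
  try {
    parsed = new URL(origin);
  } catch {
    return { ok: false, reason: 'malformed-origin' }; // includes the literal "null"
  }
  // Exact match on normalized scheme://host:port; never substring or suffix tests.
  return allowed.has(parsed.origin)
    ? { ok: true, reason: 'allowed-origin' }
    : { ok: false, reason: 'foreign-origin' };
}

// Hook the check into an http.Server 'upgrade' event, ahead of any WebSocket
// library. onAccept(req, socket, head) performs the real handshake and token check.
function attachOriginGuard(server, onAccept, log = console.log) {
  server.on('upgrade', (req, socket, head) => {
    const verdict = checkOrigin(req.headers);
    // Record origin and User-Agent for every attempt, accepted or rejected.
    log(JSON.stringify({
      origin: req.headers.origin ?? null,
      userAgent: req.headers['user-agent'] ?? null,
      ...verdict,
    }));
    if (!verdict.ok) {
      socket.end('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
      return;
    }
    onAccept(req, socket, head);
  });
}

// Constructed handshake headers: the local UI, an unrelated site, a look-alike
// host, a sandboxed frame ("null"), and a CLI client that sends no Origin.
const SAMPLE_HANDSHAKES = [
  { origin: 'http://localhost:18789' }, { origin: 'https://untrusted.example' },
  { origin: 'http://localhost.untrusted.example:18789' }, { origin: 'null' }, {},
];
const sampleVerdicts = () => SAMPLE_HANDSHAKES.map((h) => checkOrigin(h).reason);
```

The look-alike host is rejected because the comparison is on the whole parsed origin, which is the failure mode that prefix or substring checks on the Origin string tend to miss.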

How to verify you're patched

  1. Version check: openclaw --version. Anything below v2026.1.29 is critically vulnerable. v2026.4.12+ is current.
  2. Origin enforcement: openclaw config get gateway.origin_check. Should return true.
  3. Binding: lsof -i :18789 on Mac/Linux or netstat -ano | findstr 18789 on Windows. Should show 127.0.0.1:18789, not 0.0.0.0:18789.
  4. Token location: on macOS, security find-generic-password -s OpenClawGateway should return a token. If ~/.openclaw/gateway.token still exists with token contents, you're not migrated.
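
Steps 1 and 3 can be scripted; the following is an added example, not part of OpenClaw's tooling. It assumes the version output contains a dotted triple like v2026.4.12, and it accounts for lsof printing a wildcard bind as *:18789 rather than 0.0.0.0:18789; the sample outputs are constructed.

```javascript
// Added example: triage for steps 1 and 3 above (not OpenClaw tooling).
const FIRST_FIX = [2026, 1, 29]; // v2026.1.29, from the page
const RECOMMENDED = [2026, 4, 12]; // v2026.4.12, from the page

// Assumption: `openclaw --version` output contains a dotted triple such as v2026.4.12.
function parseVersion(text) {
  const m = /(\d+)\.(\d+)\.(\d+)/.exec(text);
  if (!m) throw new Error(`no version found in: ${text}`);
  return m.slice(1).map(Number);
}

// Compare component by component as numbers; comparing the strings would rank
// v2026.10.1 below v2026.4.12.
function compareVersions(a, b) {
  for (let i = 0; i < 3; i++) {
    if (a[i] !== b[i]) return a[i] < b[i] ? -1 : 1;
  }
  return 0;
}

function versionStatus(text) {
  const v = parseVersion(text);
  if (compareVersions(v, FIRST_FIX) < 0) return 'critical';
  return compareVersions(v, RECOMMENDED) < 0 ? 'update-now' : 'current';
}

// Return LISTEN sockets on `port` whose local address is not loopback.
// lsof prints a wildcard bind as "*:18789"; netstat prints "0.0.0.0:18789" or "[::]:18789".
function exposedListeners(output, port = 18789) {
  const loopback = /^(127(\.\d+){3}|localhost|\[::1\])$/;
  const exposed = [];
  for (const line of output.split('\n')) {
    if (!line.includes('LISTEN')) continue; // skips headers and ESTABLISHED rows
    for (const token of line.trim().split(/\s+/)) {
      const m = /^(.+):(\d+)$/.exec(token);
      if (m && Number(m[2]) === port && !loopback.test(m[1])) exposed.push(token);
    }
  }
  return exposed;
}

// Constructed sample output, not captured from a real host.
const SAMPLE_LSOF = [
  'COMMAND  PID USER  FD  TYPE DEVICE SIZE/OFF NODE NAME',
  'node    4242 alice 23u IPv4 0xabc1      0t0  TCP 127.0.0.1:18789 (LISTEN)',
  'node    4242 alice 24u IPv4 0xabc2      0t0  TCP *:18789 (LISTEN)',
].join('\n');
const SAMPLE_NETSTAT = '  TCP    0.0.0.0:18789    0.0.0.0:0    LISTENING    4242';
```

An empty result from exposedListeners means every listener on the port is loopback-only; any entry returned is a bind that is reachable from other hosts.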

If you find yourself running v2026.1.28 or older today: update immediately, then rotate every API key (broker, exchange, LLM provider) that was stored on or accessible from that machine. Assume any data on the machine has been exfiltrated.

What this tells us about OpenClaw's security maturity

The good: a researcher could find a critical bug in 100 minutes of reading and the team patched it in under 24 hours. That's faster than 95% of commercial software companies. Mav Levin's disclosure write-up was praised by every security researcher who reviewed it.

The bad: a 100-minute audit should not turn up a CVSS 8.8 in a security-sensitive piece of software with a hundred thousand users. The Gateway was the front door, and the front door wasn't checking who knocked. That's an architectural miss, not a coding miss.

The reasonable take: OpenClaw is software written fast and at huge scale by a small team. Expect more disclosures. Subscribe to the security advisories at github.com/openclaw/openclaw/security/advisories. Don't trust silent updates — pin your version and rebuild deliberately.

Frequently asked questions

Was anyone actually exploited?

We have not seen public reports of confirmed exploitation, but with 42,665 exposed instances and 24 hours of patch lag, it would be naive to assume zero. The Conscia advisory hinted at signs of in-the-wild exploitation but did not publish IOCs.

Does v2026.4.12 fully fix it?

Yes, plus CVE-2026-32922 and several medium-severity issues. Always run the latest patch release.

Should I rotate API keys?

If you ran a vulnerable version with API keys configured: yes, treat them as compromised.

Will there be more CVEs?

Yes. OpenClaw is young, popular software with a wide attack surface. Plan for monthly security reviews.

Sources cited: The Hacker News (CVE-2026-25253 disclosure, Feb 2026); Conscia 2026 OpenClaw Security Crisis advisory; Snyk ToxicSkills study; Cyber Press ClawHavoc reporting; Wall Street Journal Polymarket profitability analysis (May 2026); Andrey Sergeenkov via The Defiant (April 2026); Akey, Grégoire, Harvie & Martineau, SSRN paper (March 2026); openclaw.ai official advisories; Peter Steinberger public statements on X; Mav Levin's depthfirst.io public write-up of CVE-2026-25253; ARMO researcher advisory on CVE-2026-32922.