{"id":230383,"date":"2026-02-03T01:31:24","date_gmt":"2026-02-03T07:31:24","guid":{"rendered":"https:\/\/lifeboat.com\/blog\/2026\/02\/openclaw-bug-enables-one-click-remote-code-execution-via-malicious-link"},"modified":"2026-02-03T01:31:24","modified_gmt":"2026-02-03T07:31:24","slug":"openclaw-bug-enables-one-click-remote-code-execution-via-malicious-link","status":"publish","type":"post","link":"https:\/\/lifeboat.com\/blog\/2026\/02\/openclaw-bug-enables-one-click-remote-code-execution-via-malicious-link","title":{"rendered":"OpenClaw Bug Enables One-Click Remote Code Execution via Malicious Link"},"content":{"rendered":"<p><a class=\"aligncenter blog-photo\" href=\"https:\/\/lifeboat.com\/blog.images\/openclaw-bug-enables-one-click-remote-code-execution-via-malicious-link2.jpg\"><\/a><\/p>\n<p>A high-severity security flaw has been disclosed in <a href=\"https:\/\/github.com\/openclaw\/openclaw\" rel=\"noopener\" target=\"_blank\">OpenClaw<\/a> (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link.<\/p>\n<p>The issue, which is tracked as <strong><a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-25253\" rel=\"noopener\" target=\"_blank\">CVE-2026-25253<\/a><\/strong> (CVSS score: 8.8), has been addressed in <a href=\"https:\/\/github.com\/openclaw\/openclaw\/releases\/tag\/v2026.1.29\" rel=\"noopener\" target=\"_blank\">version 2026.1.29<\/a> released on January 30, 2026. 
It has been described as a token exfiltration vulnerability that leads to full gateway compromise.<\/p>\n<p>\u201cThe Control UI trusts gatewayUrl from the query string without validation and auto-connects on load, sending the stored gateway token in the WebSocket connect payload,\u201d OpenClaw\u2019s creator and maintainer Peter Steinberger <a href=\"https:\/\/github.com\/openclaw\/openclaw\/security\/advisories\/GHSA-g8p2-7wf7-98mq\" rel=\"noopener\" target=\"_blank\">said<\/a> in an advisory.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A high-severity security flaw has been disclosed in OpenClaw (formerly referred to as Clawdbot and Moltbot) that could allow remote code execution (RCE) through a crafted malicious link. The issue, which is tracked as CVE-2026-25253 (CVSS score: 8.8), has been addressed in version 2026.1.29 released on January 30, 2026. It has been described as a [\u2026]<\/p>\n","protected":false},"author":427,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1492,1491],"tags":[],"class_list":["post-230383","post","type-post","status-publish","format-standard","hentry","category-security","category-transportation"],"_links":{"self":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/230383","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/users\/427"}],"replies":[{"embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/comments?post=230383"}],"version-history":[{"count":0,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/posts\/230383\/revisions"}],"wp:attachment":[{"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/media?parent=230383"}],"wp:term":[{"taxonomy":"category
","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/categories?post=230383"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lifeboat.com\/blog\/wp-json\/wp\/v2\/tags?post=230383"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}