OpenClaw (ClawdBot/Moltbot) One-Click Remote Code Execution via Unsafe Gateway URL Handling
A critical one-click remote code execution (RCE) issue was reported in OpenClaw (also referred to as ClawdBot/Moltbot), an open-source AI “agent” assistant that runs with high local privileges and access to sensitive data (e.g., messaging apps and API keys). The described exploit chain abuses unsafe URL parameter ingestion (e.g., a gatewayUrl query parameter accepted without validation), persistence of attacker-controlled values (stored in localStorage), and an automatic gateway connection that transmits an authToken during the handshake—enabling cross-site WebSocket hijacking and ultimately unauthenticated code execution after a victim clicks a single malicious link. Reporting indicates the flaw has been weaponized, making it a practical drive-by compromise path for endpoints running the assistant.
Separate reporting highlighted broader concerns with agentic/open-source AI tooling and deployments, including the security risks of highly privileged “AI that acts for you” and the growing attack surface created by exposed AI services. Research cited large-scale internet exposure of open-source LLM runtimes (e.g., Ollama) with tool-calling and weak guardrails, warning that a single vulnerability or misconfiguration could enable widespread abuse (resource hijacking, identity laundering, or remote execution of privileged operations). These themes reinforce that AI agents and self-hosted AI stacks should be treated as critical infrastructure, with strict input validation, hardened update/connection flows, and strong monitoring around token handling and outbound connections.
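As an added illustration (not OpenClaw's own code), the accept-persist-auto-connect pattern the chain relies on is shown beside a hardened handler that validates the gateway URL, never persists or auto-connects to an unlisted origin, and withholds the auth token until the user confirms, mirroring the confirmation step the project shipped. The trusted origins, the storage shape, and the handshake fields are assumptions.

```javascript
// Added illustration (not OpenClaw/Moltbot code). Assumed: the gateway is reached
// over WebSocket, the trusted origins below are operator configuration, and
// "storage" stands in for localStorage (a plain object here so it can be tested).
const TRUSTED_GATEWAY_ORIGINS = new Set([
  "ws://127.0.0.1:18789",            // constructed local gateway origin
  "wss://gateway.example.internal",  // constructed operator-run gateway
]);

// Pattern the report describes: accept, persist, and hand back for auto-connect.
function vulnerableGatewayFromQuery(search, storage) {
  const url = new URLSearchParams(search).get("gatewayUrl");
  if (url) storage.gatewayUrl = url;  // attacker-chosen value persisted as-is
  return storage.gatewayUrl;          // caller connects and sends authToken
}

// Hardened form: parse, enforce ws/wss, refuse embedded credentials, and only
// auto-connect to allowlisted origins. Anything else requires explicit user
// confirmation (the modal the project added) and is never written to storage.
function evaluateGatewayCandidate(search, storage, userConfirmed = false) {
  const raw = new URLSearchParams(search).get("gatewayUrl");
  if (raw === null) return { action: "use-stored", url: storage.gatewayUrl ?? null };
  let parsed;
  try {
    parsed = new URL(raw);
  } catch {
    return { action: "reject", reason: "unparseable" };
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
    return { action: "reject", reason: "scheme" };
  }
  if (parsed.username || parsed.password) {
    return { action: "reject", reason: "credentials-in-url" };
  }
  if (TRUSTED_GATEWAY_ORIGINS.has(parsed.origin)) {
    storage.gatewayUrl = parsed.origin;  // only allowlisted origins are remembered
    return { action: "connect", url: parsed.origin };
  }
  // Unlisted origin: connect only after the user has acknowledged it this session.
  return userConfirmed
    ? { action: "connect", url: parsed.href }
    : { action: "confirm", url: parsed.href };
}

// The handshake that carries the token is built only from a "connect" decision,
// so an unconfirmed or rejected URL never receives authToken.
function buildHandshake(decision, storage) {
  if (decision.action !== "connect") return null;
  return { type: "auth", gatewayUrl: decision.url, authToken: storage.authToken };
}
```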

How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
OpenClaw team ships mitigation for silent gateway auto-connect
The OpenClaw project mitigated the reported attack chain by adding a confirmation modal before connecting to a supplied gateway URL. Users on versions earlier than v2026.1.24-1 were advised to upgrade, rotate tokens, and review execution logs.
OpenClaw RCE chain is discovered and reported
Security researchers at depthfirst General Security Intelligence identified a weaponized one-click remote code execution chain in OpenClaw, combining unsafe gateway URL handling with Cross-Site WebSocket Hijacking. The flaw could let a malicious webpage steal an auth token, disable safety controls, and execute arbitrary host commands.
CrowdStrike says Labyrinth Chollima split into three coordinated groups
CrowdStrike reported that North Korea’s Labyrinth Chollima has evolved into three coordinated entities: Golden Chollima, Pressure Chollima, and the original group. The groups were said to have divided responsibilities across crypto and fintech theft, major heists, and malware-led espionage targeting defense and manufacturing sectors.
US Treasury ends Booz Allen contracts over taxpayer data leak case
The US Treasury Department ended contracts with Booz Allen Hamilton after former employee Charles Littlejohn stole and leaked confidential taxpayer data, including returns belonging to high-profile individuals. The contract termination was reported as a direct response to the insider theft and disclosure.
SentinelLABS and Censys disclose large exposed Ollama footprint
SentinelLABS and Censys reported that 175,108 internet-exposed Ollama hosts were reachable across 130 countries, creating a risky open-source AI monoculture. They warned that exposed tool-calling APIs, vision features, and uncensored prompts could amplify the impact of a future zero-day or model-handling flaw.
South Korea audit simulates attacks on government systems
In late 2024, South Korea’s Board of Audit and Inspection conducted a simulated cyberattack against seven public-facing government systems. All seven were breached, and some exposures could have enabled large-scale access to resident registration numbers.
Sources
1-Click Clawdbot Vulnerability Enable Malicious Remote Code Execution Attacks (cybersecuritynews.com)
Clawdbot (Now Moltbot): The AI That Works for You - or Spies on You? | by Nazrul Islam Rana | Jan, 2026 | OSINT Team (osintteam.blog)
Too much open-source AI is exposing itself to the web • The Register (go.theregister.com)