OpenClaw AI Assistant Local WebSocket Exposure Enables Browser Session Hijacking
A critical vulnerability in the OpenClaw AI Assistant (aka Clawdbot) allows a malicious website opened in the same browser session to connect to a locally exposed relay service and abuse the Chrome DevTools Protocol (CDP) to hijack browser sessions and steal credentials. Reporting indicates the extension starts a local server on 127.0.0.1:17892 and exposes WebSocket endpoints including /cdp; due to insufficient origin validation, attacker-controlled JavaScript can connect to ws://127.0.0.1:17892/cdp, enumerate tabs, and issue CDP commands (e.g., Runtime.evaluate) to extract cookies/session tokens or execute script in other tabs, impacting high-value services such as Gmail and Microsoft 365. Proof-of-concept code is publicly available and exploitation has been demonstrated, making the attack low-effort and high-impact for affected users.
The issue has reportedly been patched in the latest OpenClaw release, and organizations using the extension should update immediately and assess exposure for potential session-token theft. Separate from OpenClaw, Plone CMS maintainers reported stopping a supply-chain attempt after an attacker used a stolen GitHub personal access token to force-push whitespace-obfuscated malicious code into multiple repositories; the changes were detected before any official release and were assessed as targeting developers rather than Plone site visitors.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Research reports large-scale public exposure of OpenClaw instances
A separate research item highlighted in a security newsletter reported that many OpenClaw instances were publicly exposed on the internet at scale. The reference does not provide a more specific event date beyond the newsletter publication.
OpenClaw patches flaw in version 2026.2.2
The vulnerability was patched by restricting WebSocket connections to valid extension origins and adding authentication to the /cdp endpoint. All OpenClaw versions prior to 2026.2.2 were reported as affected, and users were advised to update or disable the extension.
Proof-of-concept and live demo show practical OpenClaw exploitation
Alongside the disclosure, ZeroPath published proof-of-concept code and a live demonstration showing practical exploitation of the OpenClaw flaw. The research indicated real attack potential, though no public evidence of mass exploitation or APT attribution was reported.
ZeroPath discloses OpenClaw localhost WebSocket/CDP vulnerability
ZeroPath disclosed a critical vulnerability in the OpenClaw AI Assistant browser extension (also known as Clawdbot) that let a malicious website connect to a localhost WebSocket relay and abuse an exposed Chrome DevTools Protocol endpoint. The issue enabled tab enumeration, JavaScript execution in other tabs, and theft of cookies or session tokens for browser session hijacking.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
OpenClaw Vulnerability Enables Token Exfiltration and One-Click RCE via Malicious Link
A high-severity flaw in **OpenClaw** (also known as *Clawdbot* / *Moltbot*) enables **one-click remote code execution (RCE)** by abusing how the Control UI auto-connects to a gateway specified via a crafted URL. The issue is tracked as **CVE-2026-25253** (CVSS **8.8**) and was fixed in **OpenClaw 2026.1.29**; the core weakness is that the UI trusts `gatewayUrl` from the query string and sends a stored gateway token in the WebSocket connection payload, allowing **token exfiltration** to an attacker-controlled server. With the stolen token, an attacker can connect to the victim’s local gateway and perform privileged actions—such as modifying configuration (e.g., sandbox/tool policies) and invoking privileged operations—resulting in **full gateway compromise** and RCE. Separate reporting also highlights architectural risk in OpenClaw’s local WebSocket-based Chrome orchestration, noting that (prior to patching) unauthenticated connections could be initiated from JavaScript running in a user’s browser, enabling cross-tab/session credential theft; users are advised to **patch immediately** and be cautious about deployment given ongoing security concerns.
Mar 21, 2026
OpenClaw AI Agent Exposures and One-Click RCE via WebSocket Hijacking
The open-source autonomous AI assistant **OpenClaw** (previously *Clawdbot* and *Moltbot*) is drawing security scrutiny after rapid adoption coincided with both widespread unsafe deployments and newly disclosed exploit chains. Reporting highlighted that the project’s autonomy-focused design (integrations with email, calendars, smart-home services, and other action-taking connectors) increases blast radius when misconfigured, and that security concerns have persisted through multiple rebrands as the ecosystem grows quickly. Internet scanning data indicated **21,000+ OpenClaw/Moltbot instances** were publicly exposed despite documentation recommending local-only access (default `TCP/18789`) and remote access via **SSH tunneling** rather than direct internet exposure; even where tokens are required for full access, exposed endpoints can aid adversary reconnaissance and targeting. Separately, researchers disclosed a **one-click RCE** chain leveraging **cross-site WebSocket hijacking** due to missing WebSocket `Origin` validation, enabling a malicious webpage to obtain an auth token, connect to the OpenClaw server, disable safety prompts/sandboxing, and invoke command execution (e.g., via `node.invoke`); the project issued a patch and advisory, while adjacent ecosystem components (e.g., agent-focused social features) were also flagged as adding additional attack surface.
May 27, 2026
OpenClaw (ClawdBot/Moltbot) One-Click Remote Code Execution via Unsafe Gateway URL Handling
A **critical one-click remote code execution (RCE)** issue was reported in *OpenClaw* (also referred to as **ClawdBot/Moltbot**), an open-source AI “agent” assistant that runs with high local privileges and access to sensitive data (e.g., messaging apps and API keys). The described exploit chain abuses **unsafe URL parameter ingestion** (e.g., a `gatewayUrl` query parameter accepted without validation), persistence of attacker-controlled values (stored in `localStorage`), and an **automatic gateway connection** that transmits an `authToken` during the handshake—enabling **cross-site WebSocket hijacking** and ultimately unauthenticated code execution after a victim clicks a single malicious link. Reporting indicates the flaw has been **weaponized**, making it a practical drive-by compromise path for endpoints running the assistant. Separate reporting highlighted broader concerns with agentic/open-source AI tooling and deployments, including the security risks of highly privileged “AI that acts for you” and the growing attack surface created by exposed AI services. Research cited large-scale internet exposure of open-source LLM runtimes (e.g., **Ollama**) with tool-calling and weak guardrails, warning that a single vulnerability or misconfiguration could enable widespread abuse (resource hijacking, identity laundering, or remote execution of privileged operations). These themes reinforce that AI agents and self-hosted AI stacks should be treated as **critical infrastructure**, with strict input validation, hardened update/connection flows, and strong monitoring around token handling and outbound connections.
Mar 21, 2026