National Cyber Warfare Foundation (NCWF)

CVE-2026-25253: How Malicious Links Can Steal Authentication Tokens and Compromise OpenClaw AI Systems


2026-02-12 15:11:34
milo
Red Team (CNA)
This article examines the CVE-2026-25253 vulnerability in the OpenClaw AI assistant, highlighting how it enables attackers to capture authentication tokens through malicious web pages and compromised WebSocket connections.

Welcome back, aspiring cyberwarriors!





The rise of artificial intelligence has brought us some amazing tools that can automate boring tasks, write code, and help manage our digital lives. One of the coolest developments has been the creation of personal AI assistants that run on your own systems. OpenClaw, which was previously known as MoltBot or Clawd Bot, is one of these projects that aims to provide a personal AI assistant with full access to your system and the ability to work across different messaging platforms.





But with that kind of power comes a lot of responsibility. Unfortunately, more functionality often means greater security risks. In late January 2026, a serious vulnerability was found in OpenClaw that allowed attackers to take over accounts with just one click, leading to remote code execution.





In this article, we will try to show how quickly modern AI systems can become targets for attacks if security is not taken seriously from the start. Let’s get rolling!





What is OpenClaw?









OpenClaw is an open-source tool designed to run a personal AI assistant right on your own setup. This assistant can chat with you wherever you are via Telegram, Slack, WhatsApp, or a bunch of other messaging platforms, and it can actually get real work done directly on your machines. That’s what OpenClaw aims to do.





At its core, OpenClaw uses something called an agentic loop, powered by the Lobster workflow shell. This isn’t an assistant that just waits for commands; it can come up with its own plans and handle complex tasks by connecting different tools. It remembers stuff from past conversations, has deep access to your computer and apps, and can take action on its own without needing you to constantly approve everything.





The Discovery of CVE-2026-25253





I hope you now have a better understanding of OpenClaw. Now, let’s discuss CVE-2026-25253. The vulnerability took advantage of design flaws in how OpenClaw handled WebSocket connections, authentication, and the validation of network requests. The attack works by tricking someone into visiting a malicious site, which could happen through phishing emails or social media. Once the victim lands on the attacker’s page, their browser is silently redirected to the OpenClaw Gateway Control UI with a manipulated URL that directs the WebSocket gateway to the attacker’s server. Because the OpenClaw client automatically connects to the URL specified in the query parameters, the victim’s authentication token is immediately sent to the attacker.





What makes this vulnerability especially risky is that it can affect even local OpenClaw instances not connected to the internet. The attacker can use the victim’s browser as a pivot point. WebSockets don’t have the same Cross-Origin Resource Sharing protections as regular HTTP requests, and the OpenClaw gateway server fails to check the source of WebSocket connections, allowing attackers to exploit an OpenClaw instance running on localhost.
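The two checks whose absence is described above, sketched as an added example (not OpenClaw's own code or its actual fix): allow-listing the gatewayUrl query parameter before the client connects, and validating the Origin header on the WebSocket handshake. The function names, hosts, port and origins are assumptions made for illustration.

```javascript
// Added illustration: hosts, port and origins below are constructed values.
const TRUSTED_GATEWAY_HOSTS = new Set(["127.0.0.1:8080", "localhost:8080"]);
const ALLOWED_UI_ORIGINS = new Set(["http://127.0.0.1:8080", "http://localhost:8080"]);
const DEFAULT_GATEWAY = "ws://127.0.0.1:8080/";

// Client side: only honour a gatewayUrl query parameter that parses as ws/wss
// and names an allow-listed host; otherwise fall back to the default gateway,
// so the token is never sent to a host chosen by whoever crafted the link.
function resolveGatewayUrl(pageUrl, trustedHosts = TRUSTED_GATEWAY_HOSTS) {
  const requested = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (requested === null) return DEFAULT_GATEWAY;
  let target;
  try {
    target = new URL(requested);
  } catch {
    return DEFAULT_GATEWAY;
  }
  const isWebSocket = target.protocol === "ws:" || target.protocol === "wss:";
  // Compare the parsed host, not a string prefix: userinfo tricks such as
  // ws://localhost:8080@other.example/ parse to host "other.example".
  return isWebSocket && trustedHosts.has(target.host) ? target.href : DEFAULT_GATEWAY;
}

// Server side: CORS does not gate WebSocket handshakes, so the gateway itself
// has to compare the browser-supplied Origin header with an allow-list.
// A missing Origin is refused here; a deployment with non-browser clients
// would have to handle that case by a separate rule.
function isAllowedOrigin(headers, allowedOrigins = ALLOWED_UI_ORIGINS) {
  const origin = headers["origin"];
  if (typeof origin !== "string") return false;
  try {
    return allowedOrigins.has(new URL(origin).origin);
  } catch {
    return false; // e.g. the literal "null" sent by sandboxed documents
  }
}

// Constructed inputs: one benign dashboard link and one crafted link.
const page = (gw) => "http://127.0.0.1:8080/?gatewayUrl=" + encodeURIComponent(gw);
console.log(resolveGatewayUrl(page("ws://localhost:8080/")));
console.log(resolveGatewayUrl(page("ws://collector.example:9000/")));
console.log(isAllowedOrigin({ origin: "http://127.0.0.1:8080" }));
console.log(isAllowedOrigin({ origin: "http://lure.example" }));
```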





Once the attacker has the authentication token, they can have a full session with the OpenClaw gateway, send messages to the AI agents, and make them execute any command they want. Since OpenClaw is designed to have full access to the system for its tasks, the attacker gains that same level of control over the victim’s machine.





Therefore, the vulnerability’s attack chain is straightforward. First, the attacker sets up a WebSocket server to capture and store stolen authentication tokens. Then they create a malicious webpage that operates in two stages. The first stage opens a new window for the second part of the exploit while redirecting the current one to the OpenClaw Gateway Dashboard with the harmful gateway URL. This triggers the token leakage. In the second stage, the malicious page fetches the stolen token from the attacker’s server, verifies it against the Gateway server, and sends commands to the OpenClaw agents, returning results to the attacker. The entire attack can take just a few seconds, often before the victim even realizes anything is off.





Getting Started with the Proof of Concept in Kali Linux





First of all, we need to clone the PoC from GitHub:





kali > git clone https://github.com/ethiack/moltbot-1click-rce.git





kali > cd moltbot-1click-rce









The exploit.py file contains the main exploit server that handles WebSocket connections and serves the malicious web pages. The templates directory contains the HTML files that implement the client-side portion of the attack. The Pipfile specifies the Python dependencies needed to run the exploit.





Before we begin, we need to install some dependencies:





kali > pip3 install flask websockets --break-system-packages









Now, let’s open the exploit.py file in a text editor to examine the code structure:





kali > vim exploit.py









The exploit implements two main components. The first is a WebSocket server that listens for incoming connections and saves authentication tokens to a JSON file. When a victim’s browser connects to this server, it automatically extracts and stores their OpenClaw gateway token. The second component is a Flask web application that serves two HTML pages implementing the two-stage attack.





The first HTML page (lolada1), which the victim initially visits, contains JavaScript that opens a new window pointing to the second stage and then redirects the current window to the OpenClaw Gateway Dashboard with a malicious gatewayUrl parameter.





The second HTML page fetches the stolen token from the attacker’s server, implements the signature validation algorithm required by the OpenClaw gateway, establishes a WebSocket connection, and sends arbitrary commands to the AI agents. The results are then exfiltrated back to the attacker’s server.





Setting Up a Vulnerable OpenClaw Instance





To properly test this exploit, you need a vulnerable OpenClaw installation. The vulnerability was patched in commit 8cb0fa9, so you must deploy a version before this fix, for example, 2026.1.11.





The installation process is straightforward:





kali> git clone https://github.com/openclaw/openclaw.git





kali> cd openclaw





Next, we need to install pnpm, a package manager for Node.js that is similar to npm.





kali> sudo npm install -g pnpm









At this point, we can proceed with the installation of OpenClaw.





kali> pnpm install










kali> pnpm ui:build









kali> pnpm build









kali> pnpm dlx openclaw onboard --install-daemon









Next, you will see an installation wizard. If everything works correctly, you will see a prompt like the one below.









Now you’re ready to launch the exploit server:





kali > python3 exploit.py









Keep this terminal window open and running. The exploit server must remain active to receive stolen tokens and serve the attack pages. Open a web browser and navigate to http://127.0.0.1:13337/lolada1. You will see a page like the one below.









When you click “Launch exploit,” the target will see an alert as shown below.









If the target confirms the gateway URL change, we will obtain the authentication token.









In the terminal, it’ll be shown like below:









This token contains all the authentication information needed to impersonate the victim when communicating with the OpenClaw gateway.





Summary





I hope this article highlighted the significant security risks associated with AI systems, using OpenClaw as a case study. We explored how flawed WebSocket handling and authentication processes can lead to serious exploits.





Keep following along, aspiring cyberwarriors! We’ll continue to delve into the intricacies of AI security and provide more insights in future updates.







Source: HackersArise
Source Link: https://hackers-arise.com/cve-2026-25253-how-malicious-links-can-steal-authentication-tokens-and-compromise-openclaw-ai-systems/





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.