Warning: Critical vulnerability in OpenClaw allows 1‑click remote code execution when processing attacker‑controlled content, Patch Immediately!

Published: 02/02/2026

    * Last update: 02/02/2026
    * Affected software: OpenClaw (Clawdbot / Moltbot) before 2026.1.29
    * Type: CWE-669: Incorrect Resource Transfer Between Spheres
    * CVE/CVSS: CVE‑2026‑25253: CVSS 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Sources

GitHub: https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq

Risks

This vulnerability in OpenClaw permits remote code execution and unauthorized access to locally stored data and credentials when the bot processes attacker‑controlled web content. Developers, automation engineers, and organizations building or operating automation workflows are particularly vulnerable to this issue.

The impact to confidentiality, integrity and availability is high.
It’s especially dangerous because the attack requires almost no user interaction. Simply having OpenClaw render or visit attacker‑controlled content can trigger local code execution, allowing an attacker to steal stored API keys, tokens, and data without authentication or prior access in seconds.

Since bots often run unattended and with elevated access to sensitive credentials, a single click or automated fetch can silently turn into a remote code execution and broad system compromise.

There is currently no evidence that this vulnerability has been exploited in the wild.

Description

This weakness allows attackers to carry out the following:

  1. Delivery - The attacker lures the user or automation into having OpenClaw visit, preview, or render a malicious webpage or embedded content.
  2. Content execution - The bot renders the attacker‑controlled content using a vulnerable execution context, allowing injected code to escape intended isolation.
  3. Execute - Arbitrary code executes locally under the privileges of the OpenClaw process without additional user interaction.
  4. Post‑compromise impact - The attacker can exfiltrate locally stored data and API keys, manipulate bot behavior, pivot into connected services, and potentially leverage the compromised host for further access into developer or automation environments.

Recommended Actions

Patch
The Centre for Cybersecurity Belgium strongly recommends installing updates for vulnerable devices with the highest priority, after thorough testing.
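As an added example (not code from the advisory or the OpenClaw project), the following Python snippet triages an inventory of OpenClaw installs against the affected range stated above (every release before 2026.1.29). It assumes versions are dotted numeric strings like the one in the advisory; how the version string is collected from a given deployment is an assumption left to the operator.

```python
# Added example: flag OpenClaw installs in the affected range for CVE-2026-25253.
# Assumption: version strings are dotted numerics such as "2026.1.28" (as in the advisory).
from typing import List, Tuple

FIXED_VERSION = "2026.1.29"  # first fixed release according to the advisory


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn "2026.1.9" into (2026, 1, 9) so comparison is numeric, not lexical.
    A plain string compare would wrongly sort "2026.1.9" after "2026.1.29"."""
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(p) for p in parts)


def is_affected(version: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the first fixed release."""
    return parse_version(version) < parse_version(fixed)


def triage(inventory: List[Tuple[str, str]]) -> List[str]:
    """Return the hosts whose OpenClaw version is still affected.
    `inventory` is a list of (host, version) pairs, e.g. from an asset export.
    Hosts with an unparseable version are also returned, for manual review."""
    affected = []
    for host, version in inventory:
        try:
            if is_affected(version):
                affected.append(host)
        except ValueError:
            affected.append(host)  # unknown version: do not silently assume patched
    return affected


if __name__ == "__main__":
    # Constructed sample inventory; host names are placeholders, not real systems.
    sample = [("build-agent-01", "2026.1.28"), ("dev-box-07", "2026.1.29"),
              ("ci-runner-03", "2026.1.9"), ("lab-vm-02", "2026.2.1")]
    for host in triage(sample):
        print(f"{host}: affected by CVE-2026-25253, update to {FIXED_VERSION} or later")
```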

Monitor/Detect

The CCB recommends organizations scale up their monitoring and detection capabilities to identify any related suspicious activity, ensuring a swift response in case of an intrusion.
 
In case of an intrusion, you can report an incident via: https://ccb.belgium.be/report-incident.

While patching appliances or software to the newest version may provide safety from future exploitation, it does not remediate historic compromise.
 
 

References

NVD: https://nvd.nist.gov/vuln/detail/CVE-2026-25253
DepthFirst: https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys