{"id":10327,"date":"2026-02-02T10:03:47","date_gmt":"2026-02-02T10:03:47","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/02\/1-click-clawdbot-vulnerability-enable-malicious-remote-code-execution-attacks\/"},"modified":"2026-02-02T10:03:47","modified_gmt":"2026-02-02T10:03:47","slug":"1-click-clawdbot-vulnerability-enable-malicious-remote-code-execution-attacks","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/02\/1-click-clawdbot-vulnerability-enable-malicious-remote-code-execution-attacks\/","title":{"rendered":"1-Click Clawdbot Vulnerability Enable Malicious Remote Code Execution Attacks"},"content":{"rendered":"

1-Click Clawdbot Vulnerability Enable Malicious Remote Code Execution Attacks
\n \t

\n
<\/BR>
\n
\n \t

\n
<\/BR><\/p>\n

\n

A critical vulnerability in OpenClaw, the open-source AI personal assistant trusted by over 100,000 developers, has been discovered and weaponized into a devastating one-click<\/a> remote code execution exploit.<\/p>\n

Security researchers at depthfirst General Security Intelligence uncovered a logic flaw that, when combined with other vulnerabilities, could trigger a chain reaction.<\/p>\n

Allows attackers to gain complete control of victim systems via a single\u00a0malicious link<\/a>, requiring no user interaction<\/span>.<\/p>\n

Vulnerability Overview: Technical Attack Mechanics<\/strong><\/h2>\n

OpenClaw\u2019s architecture grants AI agents \u201cgod mode\u201d access to messaging apps,\u00a0API keys, and unrestricted control of the local computer<\/span>.<\/p>\n

While community enthusiasm surrounding the platform has driven rapid adoption, the security margin for error in such a high-privilege environment becomes razor-thin.<\/p>\n

\n\n\n\n\n\n\n\n\n\n
Attribute<\/strong><\/th>\nDetails<\/strong><\/th>\n<\/tr>\n<\/thead>\n
Product<\/strong><\/td>\nOpenClaw (formerly ClawdBot\/Moltbot)<\/td>\n<\/tr>\n
Vulnerability Type<\/strong><\/td>\nUnsafe URL Parameter Handling + Cross-Site WebSocket Hijacking<\/td>\n<\/tr>\n
Impact<\/strong><\/td>\nUnauthenticated Remote Code Execution with System-Level Access<\/td>\n<\/tr>\n
CVSS Score<\/strong><\/td>\nCritical (9.8+)<\/td>\n<\/tr>\n
Attack Vector<\/strong><\/td>\nNetwork (Single Malicious Link)<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

The newly disclosed vulnerability exploits three distinct components working in sequence: unsafe URL parameter ingestion, immediate gateway connection without validation, and automatic transmission of authentication tokens.<\/p>\n

The exploitation chain begins with three seemingly benign operations occurring independently across the codebase.<\/p>\n

The app-settings.ts module blindly accepts the\u00a0gatewayUrl\u00a0query parameter from the URL without validation, then stores it directly in localStorage.<\/p>\n

Upon setting the application, the app-lifecycle.ts immediately triggers\u00a0connectGateway(), which automatically bundles the security-sensitive authToken into the connection handshake to the attacker-controlled gateway server.<\/p>\n

\"1-Click
1-Click RCE Exploit Kill Chain source: depthfirst)<\/figcaption><\/figure>\n

This pattern creates a critical information disclosure vulnerability. The kill chain exploits an additional WebSocket origin validation flaw.<\/p>\n

\n\n\n\n\n\n\n\n\n\n\n
Stage<\/th>\nDescription<\/th>\n<\/tr>\n<\/thead>\n
Visit<\/td>\nUser lands on malicious site.<\/td>\n<\/tr>\n
Load<\/td>\nJS loads OpenClaw with malicious gatewayUrl<\/code>.<\/td>\n<\/tr>\n
Leak<\/td>\n\nauthToken<\/code> sent to attacker.<\/td>\n<\/tr>\n
Connect<\/td>\nWebSocket opened to localhost<\/code>.<\/td>\n<\/tr>\n
Bypass<\/td>\nSafety guardrails disabled.<\/td>\n<\/tr>\n
Execute<\/td>\nAttacker runs arbitrary commands.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<\/figure>\n

When victims visit a malicious webpage, attacker-injected JavaScript executes within their browser context, establishing a local connection to the victim\u2019s OpenClaw instance running on localhost:18789.<\/p>\n

Unlike standard HTTP connections, browser WebSocket implementations do not enforce Same-Origin Policy protections; instead, they rely on server-side origin header validation, which OpenClaw omits entirely.<\/p>\n

This Cross-Site WebSocket Hijacking <\/a>(CSWSH) enables the attacker to pivot through the victim\u2019s browser as a proxy.<\/p>\n

Once authenticated via the stolen token, the attacker leverages the operator. admin and operator roles. approvals, and scopes to turn off safety mechanisms.<\/p>\n

An\u00a0exec. approvals.set\u00a0request turns off user confirmation prompts, while a\u00a0config. patch\u00a0request sets\u00a0tools.exec.host\u00a0to \u201cgateway,\u201d forcing command execution directly on the host machine rather than within containerized sandboxes<\/a>.<\/p>\n

The final payload invokes\u00a0node. invoke\u00a0with arbitrary bash commands, achieving complete system compromise.<\/p>\n

Mitigations<\/strong><\/h2>\n

The OpenClaw development team rapidly addressed the vulnerability by implementing a gateway URL confirmation modal, eliminating the auto-connect without prompt behavior that enabled the attack.<\/p>\n

DepthFirst advises<\/a> all users running versions before v2026.1.24-1 remain vulnerable and should upgrade immediately.<\/p>\n

Administrators should rotate authentication<\/a> tokens and audit command execution logs for suspicious activity.<\/p>\n

This incident underscores the security risks inherent in granting AI agents unrestricted system access without robust validation of configuration changes and network connections.<\/p>\n

Organizations deploying OpenClaw should implement additional network segmentation, restrict outbound WebSocket connections from AI agent processes, and maintain strict audit logging for authentication token usage and privilege modifications.<\/p>\n

Follow us on Google News<\/a>, LinkedIn<\/a>, and X<\/a> for daily cybersecurity updates. Contact us<\/a> to feature your stories.<\/strong><\/p>\n

The post 1-Click Clawdbot Vulnerability Enable Malicious Remote Code Execution Attacks<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\n

\t

\n
<\/BR>
\n Abinaya
\n \t

\n
<\/BR>
\nGo to cyber-security-news<\/a>
\n \t

\n
<\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"

1-Click Clawdbot Vulnerability Enable Malicious Remote Code Execution Attacks A critical vulnerability in OpenClaw, the open-source AI personal assistant trusted by over 100,000 developers, has been discovered and weaponized into a devastating one-click remote code execution exploit. Security researchers at depthfirst General Security Intelligence uncovered a logic flaw that, when combined with other vulnerabilities, could […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[167,129,63,648],"tags":[130],"class_list":["post-10327","post","type-post","status-publish","format-standard","hentry","category-ai","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10327"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10327"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10327\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10327"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10327"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10327"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}