OpenClaw WebSocket Token Exfiltration Vulnerability Leading to Remote Code Execution

Vulnerability

A vulnerability in OpenClaw (formerly Moltbot) versions prior to 2026.1.29 allows unauthorized WebSocket connections that exfiltrate authentication tokens, leading to remote code execution. The issue arises because the application automatically connects to a gateway URL supplied in the query string, without validating it, and sends the auth token over that connection. The vulnerability can be exploited even against local instances of OpenClaw.

Impact

Exploitation of this vulnerability allows authentication token theft, granting an attacker operator-level access to the OpenClaw gateway API. That access permits arbitrary configuration changes and execution of commands on the host machine, achieving remote code execution.

Reproduction

To reproduce this vulnerability, a victim must click a malicious link containing a crafted WebSocket gateway URL. The application then connects to the attacker's server and sends the authentication token along with the connection. Once the token is intercepted, the attacker can use it to access the victim's OpenClaw instance and act on their behalf. Against a local OpenClaw instance, the attacker can bypass network restrictions through Cross-Site WebSocket Hijacking, using the stolen token to connect to the victim's localhost, disable safety features, and ultimately execute arbitrary commands.

Remediation

Users are advised to upgrade to OpenClaw version 2026.1.29 or later and rotate their authentication tokens if they suspect a leak.
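The root cause is a client that trusts a gateway address from the query string. The following is an added example, not OpenClaw's own code, of that unsafe pattern beside a hardened version that only connects to gateways the operator has configured; the parameter name `gateway`, the allowlist format, and the sample hosts are assumptions.

```javascript
// Added example, not OpenClaw's code. Assumes a web client that reads the
// gateway address from the page's query string under the (assumed) key
// `gateway`, and that the operator's configured gateways are known to the page.

// Unsafe pattern: whatever the query string names becomes the gateway, so any
// link can redirect the WebSocket, and the auth token, to an arbitrary host.
function chooseGatewayUnsafe(search) {
  return new URLSearchParams(search).get('gateway');
}

// Hardened pattern: accept the query-string value only if its origin exactly
// matches one of the configured gateway origins, e.g. "wss://gw.example.test".
// Returns the normalized URL to connect to, or null to refuse (the caller then
// falls back to its configured default and never sends the token elsewhere).
function chooseGatewaySafe(search, allowedOrigins) {
  const candidate = new URLSearchParams(search).get('gateway');
  if (!candidate) return null;
  let url;
  try {
    url = new URL(candidate); // rejects relative or unparseable values
  } catch {
    return null;
  }
  // WebSocket schemes only. Plain ws:// is tolerated solely for loopback,
  // a design choice assumed here; everything else must be wss://.
  if (url.protocol === 'ws:') {
    if (!['localhost', '127.0.0.1', '[::1]'].includes(url.hostname)) return null;
  } else if (url.protocol !== 'wss:') {
    return null;
  }
  // No embedded credentials, and no fragments in a connection target.
  if (url.username || url.password || url.hash) return null;
  // Compare the full origin (scheme + host + port). Never substring-match the
  // host, or "gw.example.test.attacker.example" would pass.
  const allowed = new Set(allowedOrigins.map((o) => new URL(o).origin));
  return allowed.has(url.origin) ? url.href : null;
}

module.exports = { chooseGatewayUnsafe, chooseGatewaySafe };
```

A useful sanity check on any client fix is that the token is only attached after this check passes, so a refused URL never produces a connection at all.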

Added: Feb 1, 2026, 11:19 PM
Updated: Feb 1, 2026, 11:19 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 7.1
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.