Recently, the open-source AI assistant project OpenClaw (formerly known as Moltbot/ClawdBot) was found to contain a highly severe security vulnerability. According to security research reports, the flaw allows attackers to obtain a user’s authentication token by tricking them into clicking a malicious link, ultimately leading to Remote Code Execution (RCE).
OpenClaw Official Website:
https://openclaw.ai/
- 1-Click RCE Exploit Kill Chain source: depthfirst)
If you are using this project, please pay close attention to the technical details below and take immediate action.
Vulnerability Details: From “Trust” to Compromise
According to disclosed information, the core issue lies in excessive trust in the gatewayUrl parameter by the control console. The vulnerability unfolds in three key stages:
1. Auto Connection & Token Leakage
When loading, the OpenClaw console directly reads the gatewayUrl parameter from the URL and attempts to establish a connection automatically. Due to the lack of proper validation, attackers can craft a malicious link pointing to their own server.
-
Impact: Once the user clicks the link, the console sends the locally stored authentication token directly to the attacker’s server via a WebSocket handshake request.
2. Privilege Takeover
With the stolen token, the attacker effectively gains full control over the victim’s OpenClaw instance. Even if the service is running only on localhost (127.0.0.1), the attacker can still remotely connect to the local gateway using the stolen credentials.
3. Final Stage: Remote Code Execution (RCE)
By modifying configuration files, the attacker can perform the following actions:
-
Disable user confirmation prompts before execution.
-
Modify tool invocation strategies.
-
Invoke high-privilege APIs.
Ultimately, the attacker can execute arbitrary code on the victim’s machine, achieving full system compromise.
Impact Scope
-
Affected versions: v2026.1.28 and all earlier versions.
-
Severity: Critical. A user can be compromised with a single malicious link click, requiring no additional interaction.
Fix Recommendations & Action Guide
The official team has already acknowledged the issue and released a patch. To ensure your environment is secure, please take the following actions immediately:
-
Immediate upgrade: Ensure you are running the latest version of OpenClaw. The new version introduces a confirmation prompt for gateway URLs to prevent automatic connection to untrusted endpoints.
-
Rotate tokens: If you suspect you have clicked any suspicious OpenClaw-related link, or as a precaution, immediately rotate your authentication token. Old tokens must be invalidated to prevent persistent access.
-
Beware of suspicious links: Avoid clicking OpenClaw console URLs containing parameters like
?gatewayUrl=...shared on social platforms or communities.
Conclusion
While open-source tools bring great convenience, security is always a critical concern. This OpenClaw vulnerability once again highlights the importance of validating URL parameters and properly protecting sensitive credentials such as tokens.
Developers and AI enthusiasts are advised to immediately review their environments and ensure all patches are applied.
Given OpenClaw’s frequent rebranding and rapid iteration in early 2026, the most secure and authoritative update sources and patches are currently available through the following three channels.
Note that the project now uses a date-based versioning scheme (e.g., 2026.1.30).
1. Official Repository & Releases (GitHub)
This is the primary source for patches, source code, and prebuilt binaries (.dmg, .zip).
-
Access link:
github.com/openclaw/openclaw/releases
-
Latest version: As of early February 2026, the latest version is v2026.1.30.
-
Key fixes: This patch addresses critical security issues (such as restricting local path extraction in the media parser to prevent LFI vulnerabilities) and improves Telegram/Discord connection stability.
2. NPM Official Package Manager (CLI)
If you installed via command line, you can update to the latest stable version using:
# Update to latest version npm install -g openclaw@latest # Run diagnostics after update openclaw doctor
Note: With the rebranding, the old package name “moltbot” has been deprecated. Please migrate to “openclaw”.
3. Official Documentation & One-Click Deployment (Recommended for Beginners)
For platform-specific deployment patches (e.g., Railway, Cloudflare, Docker), visit the dynamically updated documentation portal:
-
Official docs: docs.openclaw.io (or DOCS.md inside the GitHub repository)
-
Docker: recommended to pull the latest image directly:
docker pull openclaw/openclaw:latest
⚠️ Major Version Change Notice
In the latest 2026.1.29+ patch, the project has removed the auth: none mode.
-
Change: Authentication via token or password is now mandatory for security reasons.
-
Recommendation: If you cannot connect after upgrading, check your config.yaml or environment variables and ensure authentication credentials are properly set.
Related YouTube video:
