CVE-2026-25253 OpenClaw / Moltbot “1-Click RCE” via token exfil + CSWSH
BLUF
A crafted link/website can exfiltrate an OpenClaw Control UI auth token via an unvalidated gateway URL query parameter and then use Cross-Site WebSocket Hijacking to pivot into localhost, disable guardrails, and achieve operator-level takeover and command execution. Patched in v2026.1.29.
Executive Cost Summary
This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.
For organizations affected by the OpenClaw / Moltbot one-click remote code execution and control-plane takeover vulnerability (CVE-2026-25253):
· Low-end total cost: $150K – $350K
o (isolated endpoint compromise, rapid token revocation, no lateral spread)
· Typical expected range: $600K – $1.8M
o (multiple users exposed, host-level execution confirmed, limited containment window)
· Upper-bound realistic scenarios: $3.0M – $6.5M
o (agent with privileged access abused, secondary system impact, regulatory scrutiny)
Key Cost Drivers
· Number of exposed auth tokens and time to revocation
· Privilege level of OpenClaw/Moltbot host access
· Scope of command execution and configuration tampering
· Need for enterprise-wide token rotation and rebuilds
· External investigation, legal review, and audit requirements
Potential affected sectors
· Software/DevOps
· Tech startups
· Consulting
· Any enterprise/self-hosted AI-agent users
o Especially where OpenClaw has privileged host access or access to messaging/workspace integrations.
Potential impacted countries
· Global
Date first reported activity
· Feb 1, 2026
Date of last reported activity update
· Feb 3, 2026
CVE-2026-25253
CVSS:3.1
· (8.8) /AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Nessus / Tenable plugin ID
· Tenable site says that this is coming soon
Is CVE in the KEV catalog?
· Not at this time
Patch release date
· Jan 30, 2026
Alternative Mitigations
· Rotate/revoke tokens if exposure is suspected
Attribution
APT names
· CVE-2026-25253
Criminal org names
· Not publicly attributed
IOCs
Web / URL patterns
· Presence of a gatewayUrl query parameter set to an attacker-controlled WS endpoint, e.g. ...?gatewayUrl=ws://attacker.com:8080
Network
· WebSocket connections from victim browser to:
· Attacker WS listener (token leakage)
· Local OpenClaw default WS service (example shown): ws://localhost:18789
API actions indicative of abuse
· Requests that disable safety controls, e.g. exec.approvals.set (ask:"off") and config changes like tools.exec.host:"gateway"
· Command invocation via node.invoke / system.run patterns
Tools used
· Client-side JavaScript for token exfiltration + WS pivot (CSWSH)
· WebSocket abuse (origin not validated)
TTPs
· T1204.001 User Execution: Malicious Link
o The attack initiates when a victim clicks a crafted link or visits a malicious webpage that contains a gatewayUrl parameter pointing to an attacker-controlled server.
· T1557 Adversary-in-the-Middle (AiTM)
o By blindly trusting the gatewayUrl from the query string, the application establishes a WebSocket connection to the attacker's server, enabling the attacker to sit between the user's browser and the intended service.
· T1081 Credentials in Files: Token Exfiltration
o During the automatic WebSocket handshake, the application transmits the user's stored authentication token (authToken) in the connect payload to the attacker's server.
· T1190 Exploit Public-Facing Application: Cross-Site WebSocket Hijacking (CSWSH)
o The attacker uses the stolen token and the application’s failure to validate the WebSocket Origin header to pivot into the victim's local network (e.g., ws://localhost:18789), bypassing firewall protections.
· T1562.001 Impair Defenses: Disable or Modify Tools
o Once connected, the attacker uses the high-privilege token to disable user confirmation prompts (by setting exec.approvals.set to off) and escape the Docker sandbox (by patching tools.exec.host to gateway).
· T1203 Exploitation for Client Execution
o Finally, the attacker issues a node.invoke request to the API, achieving arbitrary command execution directly on the host machine.
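The two missing checks in this chain (the unvalidated gatewayUrl and the unchecked WebSocket Origin), sketched in hardened form as an added example; this is not OpenClaw's patch or code. The function names, the loopback-only gateway and the Control UI origins on port 18789 are assumptions.

```javascript
// Added example, not OpenClaw's patch. All names here are hypothetical.
// Assumption: the gateway is local-only and the Control UI is served from it.
const GATEWAY_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);
const UI_ORIGINS = new Set(["http://localhost:18789", "http://127.0.0.1:18789"]);

// Client side: may a gatewayUrl value from the query string be connected to
// (and therefore be sent the stored token)?
function checkGatewayUrl(raw) {
  let u;
  try {
    u = new URL(raw);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") {
    return { ok: false, reason: "scheme" };
  }
  // Compare the parsed hostname, never a substring of the raw string:
  // "ws://localhost@attacker.com" and "ws://localhost.attacker.com"
  // both contain "localhost" but resolve elsewhere.
  if (!GATEWAY_HOSTS.has(u.hostname)) {
    return { ok: false, reason: "host" };
  }
  return { ok: true, url: u.href };
}

// Server side: decide on a WebSocket upgrade from its request headers
// (Node lower-cases header names). Browsers always send Origin on a
// WebSocket handshake, so a page on another site cannot hide where it came
// from; a missing Origin means a non-browser client, which still has to
// present a valid token afterwards.
function checkUpgrade(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return { accept: true, reason: "no-origin" };
  if (!UI_ORIGINS.has(origin)) {
    return { accept: false, status: 403, reason: "origin" };
  }
  return { accept: true, reason: "allowed-origin" };
}
```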
Malware names
· There has not been any malware associated with CVE-2026-25253 at this time.
Delivery method
· Malicious link / web visit (one-click).
Email samples
· This has not been made available in public reporting
Suggested rules / potential hunts
As a reminder, these are indicator rules. They are likely to be noisy.
For best results consider creating a data model and reviewing the traffic as a report.
Suricata
· Detect OpenClaw Control UI token-leak style gatewayUrl injection attempts (HTTP)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"OpenClaw possible CVE-2026-25253 gatewayUrl injection attempt"; flow:to_server,established; http.uri; content:"gatewayUrl="; nocase; classtype:web-application-attack; sid:26025253; rev:1;)
· Detect WebSocket upgrade traffic to typical OpenClaw local port (tune to your env)
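alert http $HOME_NET any -> $HOME_NET 18789 (msg:"OpenClaw local WebSocket access (review for CSWSH abuse)"; flow:to_server,established; http.header; content:"Upgrade|3a| websocket"; nocase; classtype:policy-violation; sid:26025254; rev:1;)
Note: connections to 127.0.0.1 never leave the host, so a network sensor only sees this traffic where the OpenClaw WS port is reachable over the network. Use the endpoint hunts below for the loopback case.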
SentinelOne
· Detect gatewayUrl= injection attempts in visited URLs / web traffic
EventType = "Network"
AND NetworkUrl Contains "gatewayUrl="
AND (
NetworkUrl Contains "ws://"
OR NetworkUrl Contains "wss://"
OR NetworkUrl Contains "%3A%2F%2F" /* URL-encoded :// */
OR NetworkUrl RegExp "gatewayUrl=.*(ws|wss)%3A%2F%2F"
)
· Pivot: group by AgentName, then pivot by ProcessGroupId for the same timeframe.
· Browser making localhost WebSocket connections (CSWSH pivot)
EventType = "Network"
AND (DstIP = "127.0.0.1" OR DstIP = "::1")
AND (
DstPort IN (18789, 80, 443, 3000, 5000, 8000, 8080, 8443, 9000)
)
AND ParentProcessName RegExp "(chrome|msedge|edge|firefox|safari|brave|opera)"
Notes
Keep 18789 as the primary signal (from the public PoC path).
The extra ports catch environment drift (if OpenClaw WS port differs).
· Browser → external WebSocket shortly before/after localhost pivot
EventType = "Network"
AND ParentProcessName RegExp "(chrome|msedge|edge|firefox|safari|brave|opera)"
AND (
NetworkUrl Contains "ws://"
OR NetworkUrl Contains "wss://"
OR NetworkUrl RegExp "Upgrade.*websocket"
)
AND NOT (DstIP = "127.0.0.1" OR DstIP = "::1")
· OpenClaw/Moltbot process spawning shells (post-pivot execution)
EventType = "Process"
AND ParentProcessName RegExp "(openclaw|moltbot|node|python)"
AND ProcessName RegExp "(bash|sh|zsh|cmd|powershell|pwsh)"
High-signal add-ons (append to the query above):
AND (
ProcessCmd RegExp "(curl|wget|Invoke-WebRequest|iwr|certutil)"
OR ProcessCmd RegExp "(base64|chmod\\s\\+x|/tmp/|\\\\Temp\\\\)"
)
· Safety/approval toggles / “gateway” execution mode keywords in command lines
The published chain shows disabling approvals and switching execution modes (strings like approvals, ask:"off", tools.exec.host:"gateway"). These may appear in some deployments’ CLI args/log-driven process launches.
EventType = "Process"
AND ProcessCmd RegExp "(approvals|ask\\s*[:=]\\s*off|tools\\.exec\\.host|exec\\.approvals|gateway)"
AND ParentProcessName RegExp "(openclaw|moltbot|node|python)"
· Suspicious file modifications likely tied to token/config changes
EventType = "File"
AND (
FileFullName RegExp "(openclaw|moltbot)"
OR FileFullName RegExp "(\\.openclaw|\\.moltbot|openclaw\\.json|config\\.json|settings\\.json)"
)
AND (
FileModifyAt > "Feb 2, 2026 00:00:00"
OR FileCreatedAt > "Feb 2, 2026 00:00:00"
)
· Localhost WS pivot followed by a new outbound connection from OpenClaw service (2-step chain)
Step A (collect suspicious hosts):
EventType = "Network"
AND (DstIP = "127.0.0.1" OR DstIP = "::1")
AND DstPort = 18789
AND ParentProcessName RegExp "(chrome|msedge|edge|firefox|safari|brave|opera)"
Step B (on those same hosts, same window):
EventType = "Network"
AND ParentProcessName RegExp "(openclaw|moltbot|node|python)"
AND NOT (DstIP = "127.0.0.1" OR DstIP = "::1")
Then pivot by AgentName and sort by time to see if Step B occurs right after Step A.
· Detect “WS upgrade” + localhost in NetworkUrl (if URL telemetry includes it)
EventType = "Network"
AND NetworkUrl Contains "localhost"
AND (NetworkUrl Contains "ws://" OR NetworkUrl Contains "wss://")
Splunk
· Proxy/Web logs: detect gatewayUrl injection
index=proxy OR index=web
| search uri_query="*gatewayUrl=*"
| stats count values(url) values(user) values(src_ip) by dest_host
· Endpoint/network logs: browsers connecting to localhost OpenClaw WS port (example 18789)
index=netflow OR index=firewall
| search dest_ip="127.0.0.1" dest_port=18789
| stats count values(process) values(user) by host
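Because the gatewayUrl hunts above match on the bare string and will be noisy, the following added example (not from the original advisory) triages hits by decoding the parameter value, including double encoding, and keeping only values that point away from loopback. The record shape, the function names and the ui.example host are assumptions, and the sample records are constructed.

```javascript
// Added example for triaging gatewayUrl hits; function names are hypothetical.
const LOOPBACK = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Decode repeatedly (bounded) so double encoding such as %253A%252F%252F is unwrapped.
function fullyDecode(s, maxRounds = 3) {
  for (let i = 0; i < maxRounds; i++) {
    let next;
    try { next = decodeURIComponent(s); } catch { return s; } // malformed escape
    if (next === s) break;
    s = next;
  }
  return s;
}

// Classify one URL: "none", "local", "external" or "review" (value did not parse).
function classifyGatewayParam(rawUrl) {
  // Case-insensitive like the Suricata rule; also matches inside the fragment.
  const hits = [...rawUrl.matchAll(/[?&#]gatewayUrl=([^&#\s]*)/gi)];
  if (hits.length === 0) return { verdict: "none" };
  let result = { verdict: "local" };
  for (const [, value] of hits) {
    const decoded = fullyDecode(value);
    let u = null;
    try { u = new URL(decoded); } catch { /* leave u as null */ }
    if (u === null) {
      result = { verdict: "review", target: decoded };
      continue;
    }
    // Any non-loopback target outranks everything else.
    if (!LOOPBACK.has(u.hostname)) return { verdict: "external", target: u.host };
  }
  return result;
}

// Constructed sample records (not real telemetry); ui.example is a placeholder host.
const SAMPLE = [
  { src: "10.0.0.21", url: "http://ui.example/?gatewayUrl=ws://attacker.com:8080" },
  { src: "10.0.0.22", url: "http://ui.example/?gatewayUrl=ws%3A%2F%2Flocalhost%3A18789" },
  { src: "10.0.0.23", url: "http://ui.example/c?x=1&GatewayURL=wss%253A%252F%252Fevil.example%252Fws" },
  { src: "10.0.0.24", url: "https://intranet.example/search?q=gatewayUrl" },
];

function triage(records) {
  return records
    .map((r) => ({ src: r.src, ...classifyGatewayParam(r.url) }))
    .filter((r) => r.verdict === "external" || r.verdict === "review");
}
```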
References
· hxxps://nvd.nist.gov/vuln/detail/CVE-2026-25253
· hxxps://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq
· hxxps://github.com/openclaw/openclaw/releases/tag/v2026.1.29
· hxxps://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
· hxxps://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html
· hxxps://www.securityweek.com/vulnerability-allows-hackers-to-hijack-openclaw-ai-assistant/