OpenClaw ecosystem still suffering severe security issues • The Register

OpenClaw patches one-click RCE as security Whac-A-Mole continues

Researchers disclose rapid exploit chain that let attackers run code via a single malicious web page

Connor Jones Mon 2 Feb 2026 // 14:10 UTC

Security issues continue to pervade the OpenClaw ecosystem, formerly known as ClawdBot then Moltbot, as multiple projects patch bot takeover and remote code execution (RCE) exploits. The initial hype around the renamed OpenClaw has died down somewhat compared to last week, although security researchers say they continue to find holes in a technology designed to make life easier for users, not more onerous.

Mav Levin, founding security researcher at DepthFirst, published details of a one-click RCE exploit chain on Sunday. He claimed the process takes "milliseconds" and requires a victim to visit a single malicious web page. If an OpenClaw user running a vulnerable version and configuration clicked on that link, an attacker could then trigger a cross-site WebSocket hijacking attack because the polyonymous AI project's server doesn't validate the WebSocket origin header. This means the OpenClaw server will accept requests from any website.

A maliciously crafted webpage, in this case, can execute client-side JavaScript code on the victim's browser to retrieve an authentication token, establish a WebSocket connection to the server, and use that token to pass authentication. The JavaScript disables sandboxing and the prompts served to users before dangerous commands are executed, then makes a node.invoke request to carry out RCE.
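
The missing server-side check described above can be sketched as follows. This is an added example, not OpenClaw's code or its actual patch: the allowlist values, port and function names are assumptions made for illustration, and the sample handshakes are constructed.

```javascript
// Added example: exact-match Origin allowlist for a WebSocket upgrade.
// ALLOWED_ORIGINS and the function names are hypothetical, not OpenClaw's.
const ALLOWED_ORIGINS = new Set([
  "http://127.0.0.1:3000", // constructed value for a local control UI
  "http://localhost:3000", // constructed value
]);

// Normalise an Origin header to scheme://host[:port], or null if unusable.
function normalizeOrigin(value) {
  if (typeof value !== "string" || value === "" || value === "null") return null;
  try {
    const u = new URL(value);
    if (u.protocol !== "http:" && u.protocol !== "https:") return null;
    // An Origin header never carries a path, query, fragment or userinfo.
    if (u.pathname !== "/" || u.search || u.hash || u.username || u.password) return null;
    return u.origin;
  } catch {
    return null;
  }
}

// Decide whether to accept the upgrade. Browsers always send Origin on
// WebSocket handshakes, and page script cannot remove or overwrite it.
function checkUpgrade(headers, { allowMissingOrigin = false } = {}) {
  const raw = headers["origin"]; // Node lower-cases incoming header names
  if (raw === undefined) {
    // Non-browser clients (CLI tools) send no Origin. Allowing them only
    // relaxes the browser-side check; token authentication still applies.
    return allowMissingOrigin
      ? { accept: true, reason: "no-origin-non-browser" }
      : { accept: false, status: 403, reason: "origin-required" };
  }
  const origin = normalizeOrigin(raw);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { accept: false, status: 403, reason: "origin-not-allowed" };
  }
  return { accept: true, reason: "origin-allowed" };
}

// Constructed sample handshakes.
const samples = [
  { origin: "http://localhost:3000" },
  { origin: "https://attacker.example" },
  { origin: "http://localhost.attacker.example:3000" },
  { origin: "null" },
  {},
];
for (const h of samples) console.log(h.origin ?? "(none)", checkUpgrade(h).reason);
```

An Origin check complements token authentication rather than replacing it, since in the chain described the page also obtained a valid token.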

Levin said the OpenClaw team patched the bug in short order, confirmed by the public advisory. Jamieson O'Reilly, the man behind early OpenClaw vulnerability writeups, who has since been handed a role at the project, praised Levin for the find and welcomed further security contributions.

The one-click RCE exploit details emerged a day after O'Reilly himself highlighted a separate issue concerning Moltbook, the OpenClaw-adjacent social media network for AI agents. Proudly vibe-coded in its entirety by Matt Schlicht, Moltbook, which is not part of the OpenClaw project, appears somewhat as a Reddit clone that can only be used by AI agents – no human input. OpenClaw users can register their AI agents on Moltbook – the ones that read their text messages and organize their inboxes – and watch as they take on a life of their own.

In the site's short life so far, AI agents appear to have engaged in various discussions, including attempts to start an AI agent uprising against their human overlords, but others allege all content on the site is posted by humans.

Whether the posts are agent-made or not, the fact that users are linking their agents to the site is a potential cause for concern when researchers are finding security holes. O'Reilly said on January 31 that he had been trying to contact Schlicht for hours after finding the website's database exposed to the public, with secret API keys freely accessible. He claimed the issue could have allowed attackers to post on the website as any agent, pointing to high-profile figures in AI, like Eureka Labs' Andrej Karpathy, who had linked their personal agents to Moltbook.

"Karpathy has 1.9 million followers on X and is one of the most influential voices in AI," O'Reilly said. "Imagine fake AI safety hot takes, crypto scam promotions, or inflammatory political statements appearing to come from him."

Schlicht may not have properly configured Moltbook's underlying open source database software, according to one tech pro. Paul Copplestone, CEO at Supabase, said on February 1 he was trying to work with "the creator" and had a one-click fix ready, but the creator had not applied it. Schlicht has not publicly commented on the flaw, and did not immediately respond to The Register's request for comment, but O'Reilly confirmed the issue is now fixed.

®
