WebSocket connections are not subject to the same-origin policy by default: the browser does not block a cross-origin handshake, it only sends an Origin header and leaves the decision to the server. If a server does not check the Origin header on the upgrade handshake, JavaScript on any website can open a connection to it. CVE-2026-25253 exists because OpenClaw skipped this check.
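The check the definition describes, as an added Node.js example (not OpenClaw's code): an HTTP upgrade handler that validates the Origin header against an exact-match allowlist before handing the socket to the WebSocket handshake. The allowlist values and the `acceptWebSocket` callback are assumptions standing in for a real deployment and library.

```javascript
'use strict';

// Assumed allowlist: the only browser origins permitted to open a socket.
const ALLOWED_ORIGINS = ['https://app.example.test', 'http://localhost:3000'];

// Normalize an origin the way the browser serializes it (lowercase scheme and
// host, default port dropped). Returns null for anything that is not a valid
// origin, including the opaque origin "null" sent by sandboxed iframes.
function normalizeOrigin(value) {
  if (typeof value !== 'string') return null;
  try {
    const u = new URL(value);
    return u.origin === 'null' ? null : u.origin;
  } catch {
    return null;
  }
}

const allowed = new Set(ALLOWED_ORIGINS.map(normalizeOrigin));

// Browsers always send Origin on a WebSocket handshake, so a missing header
// means a non-browser client; this policy rejects those as well, because the
// goal is to admit only the first-party pages in the allowlist. Exact matching
// on the parsed origin defeats suffix tricks (app.example.test.evil.test) and
// userinfo tricks (app.example.test@evil.test), which parse to other hosts.
function originAllowed(headers, allowlist = allowed) {
  const origin = normalizeOrigin(headers['origin']);
  return origin !== null && allowlist.has(origin);
}

// Upgrade handler: the decision point CVE-2026-25253 describes as missing.
// `acceptWebSocket` is whatever library call completes the handshake.
// Returns true when the upgrade was handed off, false when it was refused.
function handleUpgrade(req, socket, head, acceptWebSocket) {
  if (!originAllowed(req.headers)) {
    socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\n\r\n');
    socket.destroy();
    return false;
  }
  acceptWebSocket(req, socket, head);
  return true;
}
```

Wire `handleUpgrade` to `server.on('upgrade', ...)` on the HTTP server that fronts the WebSocket endpoint; the 403 is written on the raw socket because no HTTP response object exists during an upgrade.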