PocketClawAI security alerts
Sign in
vulnerabilitycritical · CVSS 9.6exploited in wildpatched

CVE-2026-25253

OpenClaw — 1-click RCE via WebSocket origin bypass

Timeline
Disclosed2026-01-25Exploit observed2026-01-26Patch available2026-01-27Patched2026-05-03

Each rust dot is a disclosed event in this advisory's life: when it was published, when (if ever) a patch shipped, when exploitation was observed in the wild, and where things stand today (the dashed line). Ghosted dots are events that haven't happened yet.

Summary

OpenClaw's local dashboard accepts WebSocket connections without validating the Origin header. Any web page visited while OpenClaw is running can open the WebSocket and trigger tool execution. With default tools enabled, this is a full RCE.

Details

CVE IDCVE-2026-25253
Severitycritical (9.6)
CVSS vectorAV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Published2026-01-25
Patched2026-01-27
Affected versions≤ 2026.2.9
Fixed in2026.2.10
Exploited in the wildyes

Affected AI agents

OpenClaw
Are you running OpenClaw?Paste your docker-compose.yml or requirements.txt and we'll tell you in 10 seconds whether CVE-2026-25253 hits your stack.
Scan my AI stack →

What to do

  • If you run an affected version: upgrade to 2026.2.10 immediately. Do not delay this for convenience reasons.
  • Rotate any credentials that may have been exposed via the affected component.
  • Audit your logs for indicators of exploitation — unexpected outbound traffic, anomalous tool calls, unfamiliar authenticated sessions.
  • If exploitation is confirmed, treat the host as compromised: rebuild from a clean image, rotate every secret on the host, audit lateral movement.

Sources

Are you affected?

Type the version you have installed. We check it against ≤ 2026.2.9.

This is a best-effort check. When in doubt, upgrade to 2026.2.10.

Related AI CVEs

See also: all AI CVEs, AI agents tracker, scan your AI stack, Pro alerts, methodology.