A high‑severity flaw (CVE0265253, CVSS 8.8) enabled a one‑click remote code execution chain via a crafted link. It was fixed in 2026.1.29 (released Jan 30, 2026). If you run OpenClaw, upgrade and rotate credentials immediately.
What actually went wrong
The Control UI trusted a gatewayUrl from the query string and auto‑connected on load, sending the stored gateway token in the WebSocket connect payload. Combined with a missing WebSocket Origin validation, a malicious page could steal the token and connect to your local gateway—even when bound to loopback—because your browser bridges the request.
Attack chain in plain English
Token Exfil
Victim visits a crafted link; the UI auto‑connects and leaks the gateway token to an attacker‑controlled endpoint.
Origin Bypass
Gateway accepts WebSocket connections without origin checks; attacker reuses the token to log in remotely.
Privilege Abuse
With operator scopes, the attacker flips settings (approvals off, tool execution moved to the host) and invokes commands.
Who was affected
Any deployment where a user had authenticated to the Control UI. Loopback‑only bindings did not help, because exploitation piggybacked on the victim’s browser. The impact was operator‑level access and arbitrary code execution on the gateway host.
Fix timeline
The maintainer shipped a fix in 2026.1.29 (Jan 30, 2026). If you are on an older build, you are vulnerable. Upgrade first, then remediate configuration and credentials.
Immediate actions for operators
1) Upgrade now
# Example
openclaw update
openclaw version
Confirm you are on 2026.1.29 or later.
2) Rotate tokens and review scopes
Regenerate gateway tokens and minimize operator scopes. Audit who/what holds tokens and where they are stored.
3) Reinstate safe defaults
- Set approvals back to on for privileged actions.
- Restore tool execution to containerized mode; avoid tools.exec.host: "gateway" unless justified.
- Disable any query‑string auto‑connect behavior in UI settings.
4) Operational hygiene
- Log out of the Control UI when not in use; prefer separate browser profiles.
- Avoid visiting untrusted pages while logged into the UI.
- Review gateway logs for suspicious config flips or command invocations.
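As an added example (not OpenClaw's own tooling), here is a small triage script over gateway log lines that flags the three signals worth hunting for after this advisory: WebSocket connects from an unfamiliar origin, config flips that disable approvals or move tool execution to the host, and host command invocations, with the last two correlated per token so the full chain stands out. The JSON‑lines format, event and field names, port numbers and sample lines are all constructed assumptions; map the fields to whatever your gateway actually emits.

```javascript
// Added example, not OpenClaw's code. Log format, event names and field names
// are assumptions; the sample lines below are constructed for illustration.

// Constructed sample: a normal daytime session, then the advisory's pattern
// (foreign origin, approvals off, exec moved to host, command run), plus one
// corrupt line to show the parser does not choke on it.
const SAMPLE_LOG = [
  '{"ts":"2026-01-28T09:00:01Z","event":"ws.connect","origin":"http://127.0.0.1:8080","token_id":"tok_op1"}',
  '{"ts":"2026-01-28T09:05:10Z","event":"tool.invoke","tool":"search","token_id":"tok_op1"}',
  '{"ts":"2026-01-28T21:14:02Z","event":"ws.connect","origin":"https://evil.example","token_id":"tok_op1"}',
  '{"ts":"2026-01-28T21:14:05Z","event":"config.set","key":"approvals.enabled","old":true,"new":false,"token_id":"tok_op1"}',
  '{"ts":"2026-01-28T21:14:06Z","event":"config.set","key":"tools.exec.host","old":"sandbox","new":"gateway","token_id":"tok_op1"}',
  '{"ts":"2026-01-28T21:14:09Z","event":"tool.invoke","tool":"exec","args":"whoami","token_id":"tok_op1"}',
  "not json at all",
].join("\n");

// Origins the operator expects the Control UI to be served from (assumed).
const EXPECTED_ORIGINS = new Set(["http://127.0.0.1:8080", "http://localhost:8080"]);
// A host exec this soon after a privilege flip by the same token is the chain.
const CHAIN_WINDOW_MS = 10 * 60 * 1000;

// Parse JSON lines; keep unparseable lines as their own event so they are reported.
function parseLines(text) {
  const events = [];
  for (const line of text.split("\n")) {
    if (!line.trim()) continue;
    try {
      events.push(JSON.parse(line));
    } catch {
      events.push({ event: "unparseable", raw: line });
    }
  }
  return events;
}

// Walk the log in order and return findings: {ts, severity, reason, token_id}.
function triage(logText, expectedOrigins = EXPECTED_ORIGINS) {
  const findings = [];
  const lastFlip = new Map(); // token_id -> time (ms) of its latest dangerous config flip
  const add = (e, severity, reason) =>
    findings.push({ ts: e.ts, severity, reason, token_id: e.token_id });

  for (const e of parseLines(logText)) {
    const t = Date.parse(e.ts || "");
    switch (e.event) {
      case "ws.connect":
        if (!expectedOrigins.has(e.origin)) {
          add(e, "medium", `connect from unexpected origin ${e.origin}`);
        }
        break;
      case "config.set":
        if (e.key === "approvals.enabled" && e.new === false) {
          add(e, "high", "approvals turned off");
          lastFlip.set(e.token_id, t);
        } else if (e.key === "tools.exec.host" && e.new === "gateway") {
          add(e, "high", "tool execution moved to gateway host");
          lastFlip.set(e.token_id, t);
        }
        break;
      case "tool.invoke":
        if (e.tool === "exec") {
          const flipAt = lastFlip.get(e.token_id);
          const chained = flipAt !== undefined && t - flipAt <= CHAIN_WINDOW_MS;
          add(e, chained ? "critical" : "medium",
              chained ? "host exec shortly after privilege flip (advisory chain)" : "host exec invocation");
        }
        break;
      case "unparseable":
        add(e, "low", "unparseable log line");
        break;
      default:
        break;
    }
  }
  return findings;
}

if (typeof require !== "undefined" && require.main === module) {
  for (const f of triage(SAMPLE_LOG)) console.log(f.severity.padEnd(8), f.ts, f.reason);
}
```

Run it against a real export by replacing SAMPLE_LOG with the file contents; the per‑token correlation is what separates an operator legitimately toggling a setting from a token that flipped approvals off and ran a host command seconds later.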
Defensive configuration that helps
- Strict WebSocket origin allowlist and CSRF‑style tokens for WebSocket bootstraps.
- No auto‑connect from URL parameters; require explicit user action to connect.
- Short‑lived tokens with narrow scopes; rotate on suspicious activity and on upgrade.
- Containerized tool execution with egress allowlists and read‑only mounts by default.
- Tight CSP for the Control UI; avoid third‑party script injection surfaces.
Developer remediation checklist
Validate Origins
Enforce WebSocket Origin checks and explicit host/port allowlists.
Kill Auto‑Connect
Remove query‑string auto‑connect; require deliberate user initiation and re‑auth for privileged ops.
Scope Minimization
Design tokens with least privilege; add per‑route checks for sensitive config changes.
Secure Defaults
Approvals on by default, execution inside sandbox, and explicit escape only with warnings and audit.
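The defensive configuration list above and this checklist ask for the same three gateway‑side policies, so one added example (not OpenClaw's code) covers both: a WebSocket upgrade gate with Origin and Host allowlists, a Control UI connect decision that never reads the gateway URL from the query string and only connects on a user gesture, and a per‑route scope check that demands an admin scope plus recent re‑authentication before approvals or tools.exec.host can be changed. The allowlisted origins, the port, the scope strings and the approvals.enabled key are assumptions.

```javascript
// Added example, not OpenClaw's code. Allowlist values, port, scope names and
// the approvals.enabled key are assumptions; tools.exec.host is the key named
// in the advisory.

// Operator-maintained allowlists (constructed sample values).
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080", "http://localhost:8080"]);
const ALLOWED_HOSTS = new Set(["127.0.0.1:8080", "localhost:8080"]);

// Normalise an Origin header to scheme://host[:port]; null if unparseable
// (the literal "null" origin from opaque/sandboxed contexts fails here too).
function normalizeOrigin(origin) {
  try {
    return new URL(origin).origin;
  } catch {
    return null;
  }
}

// Gate a WebSocket upgrade. `headers` is keyed by lower-cased header names,
// the way Node's http server exposes them.
function checkUpgrade(headers) {
  // Host allowlist blocks DNS rebinding: a foreign hostname that resolves to
  // loopback still arrives with the foreign Host header.
  const host = headers["host"];
  if (!host || !ALLOWED_HOSTS.has(host)) {
    return { ok: false, reason: "host not in allowlist" };
  }
  // Browsers always send Origin on upgrades, so its absence means this is not
  // a browser session; treat it as untrusted (CLI clients would need their own
  // non-browser authentication path, not shown here).
  if (headers["origin"] === undefined) {
    return { ok: false, reason: "missing Origin" };
  }
  const origin = normalizeOrigin(headers["origin"]);
  if (origin === null || !ALLOWED_ORIGINS.has(origin)) {
    return { ok: false, reason: "origin not in allowlist" };
  }
  return { ok: true, reason: "ok" };
}

// How the Control UI should choose its gateway URL: the query string is never
// consulted, and a connection is attempted only after an explicit user click.
function connectDecision(pageUrl, savedGatewayUrl, userClicked) {
  const ignored = new URL(pageUrl).searchParams.get("gatewayUrl"); // surfaced for logging only
  return {
    gatewayUrl: savedGatewayUrl,
    connect: userClicked === true,
    ignoredQueryParam: ignored,
  };
}

// Per-route scope check for config writes. Keys that can turn approvals off or
// move tool execution onto the host need an admin scope and a recent re-auth.
const SENSITIVE_KEYS = new Set(["approvals.enabled", "tools.exec.host"]);
const REAUTH_WINDOW_MS = 5 * 60 * 1000;

function authorizeConfigChange(session, key, nowMs) {
  if (!session.scopes.includes("config:write")) {
    return { allowed: false, reason: "missing config:write" };
  }
  if (SENSITIVE_KEYS.has(key)) {
    if (!session.scopes.includes("config:admin")) {
      return { allowed: false, reason: "sensitive key requires config:admin" };
    }
    if (nowMs - session.lastAuthMs > REAUTH_WINDOW_MS) {
      return { allowed: false, reason: "re-authentication required" };
    }
  }
  return { allowed: true, reason: "ok" };
}

if (typeof require !== "undefined" && require.main === module) {
  console.log(checkUpgrade({ host: "127.0.0.1:8080", origin: "https://evil.example" }));
  console.log(connectDecision("http://localhost:8080/?gatewayUrl=ws://evil.example/ws", "ws://127.0.0.1:8080/ws", false));
  console.log(authorizeConfigChange({ scopes: ["config:write"], lastAuthMs: 0 }, "tools.exec.host", 1000));
}
```

The Host check matters even with the Origin check in place: it is cheap, and it closes the rebinding route to a loopback‑bound gateway independently of which origins you choose to trust. The re‑auth window in authorizeConfigChange is what turns a stolen long‑lived token into something that cannot silently flip the dangerous keys.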
Perspective: guardrails vs. reality
Safety controls designed to contain LLM prompt injection don’t automatically defend against UI token exfiltration. Treat the UI like any high‑privilege admin surface: validate origins, constrain tokens, demand explicit user action, and log everything.
Upgrade and Harden Today
Move to 2026.1.29+, rotate tokens, and reinstate safe defaults. Then audit logs and policies.