
[CIVN-2026-0086] Remote Code Execution Vulnerability in OpenClaw AI framework
Indian – Computer Emergency Response Team (https://www.cert-in.org.in)
Severity Rating: HIGH
Software Affected
OpenClaw versions prior to 2026.1.29
Overview
A vulnerability has been reported in the OpenClaw AI framework which could allow a remote attacker to execute arbitrary code on the targeted system.
Target Audience:
Individuals and organizations using OpenClaw AI.
Risk Assessment:
High risk of remote code execution.
Impact Assessment:
Potential for data theft, system compromise.
Description
OpenClaw is an open-source autonomous artificial intelligence (AI) personal assistant that runs locally on user devices and integrates with various messaging platforms.
A vulnerability exists in the OpenClaw AI framework. This flaw allows a remote, unauthenticated attacker to achieve one-click remote code execution by exfiltrating authentication tokens exposed through an improperly validated WebSocket connection.
Successful exploitation of this vulnerability may allow a remote attacker to execute arbitrary code on the targeted system.
Solution
https://gbhackers.com/15200-openclaw-control-panels-exposed
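To find installations that still need the update, the following added example (not part of the CERT-In advisory or of OpenClaw itself) triages an inventory against the affected range stated above, "prior to 2026.1.29". It assumes versions are dotted numeric strings with an optional "v" prefix and optional suffix; the inventory format, hostnames and sample versions are constructed.

```python
import re

FIXED = (2026, 1, 29)  # first unaffected release per the advisory

# Assumption: versions look like "2026.1.29", optionally with a leading "v"
# and a trailing suffix such as "-beta.1".
_VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)([-+].*)?$")


def parse_version(text):
    """Return ((major, minor, patch), suffix) or None if unparseable."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4) or ""


def classify(version_text):
    """Compare numerically: as plain strings, "2026.1.3" sorts after "2026.1.29"."""
    parsed = parse_version(version_text)
    if parsed is None:
        return "review"  # unknown format: check the host manually
    numbers, suffix = parsed
    if numbers < FIXED:
        return "affected"
    if numbers == FIXED and suffix:
        return "review"  # pre-release or custom build of the fixed version
    return "not affected"


def triage(inventory_text):
    """Map each host in 'host,version' lines to its status."""
    results = {}
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, _, version = line.partition(",")
        results[host.strip()] = classify(version)
    return results


# Constructed sample inventory (hostnames and versions are made up).
SAMPLE_INVENTORY = """\
# host,openclaw_version
ws-01,2026.1.3
ws-02,2026.1.29
ws-03,v2026.2.10
ws-04,2025.12.30
ws-05,2026.1.29-beta.1
ws-06,unknown
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as "review" carry a version string the script cannot place relative to 2026.1.29 and should be checked by hand.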
References
GBHackers
https://gbhackers.com/15200-openclaw-control-panels-exposed
The Hacker News
https://thehackernews.com/2026/02/openclaw-bug-enables-one-click-remote.html
CVE Name
CVE-2026-25253
--
Thanks and Regards,
CERT-In
Incident Response Help Desk
e-mail: incident@cert-in.org.in
Phone: +91-11-22902657
Toll Free Number: 1800-11-4949
Toll Free Fax: 1800-11-6969
Web: http://www.cert-in.org.in
PGP Fingerprint: A768 083E 4475 5725 B81A A379 2156 C0C0 B620 D0B4
PGP Key information:
https://www.cert-in.org.in/s2cMainServlet?pageid=CONTACTUS
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003


