PromptRiskDB Threat intelligence atlas
AI Case Study

OpenClaw 1-Click Remote Code Execution - AI Case Study

A security researcher demonstrated a 1-click remote code execution (RCE) vulnerability against the OpenClaw AI agent: a malicious link carries a JavaScript script that takes only milliseconds to execute. The vulnerability has been reported and is tracked as CVE-2026-25253 for affected OpenClaw versions. [1] OpenClaw “is a personal AI assistant you run on your own devices. It answers you on the c...

Tags: Exercise, OpenClaw, DepthFirst, Resource Development, Execution, Defense Evasion

Overview

  • Case steps: 9 (steps described in the case record)
  • Techniques: 9 (attack methods mentioned in the case steps)
  • Linked CVEs: 1 (known vulnerabilities mentioned in the record)

Risk patterns

Patterns found in the case record and its linked vulnerabilities.

  1. Dominant ATLAS tactic: Resource Development appears in 2 case steps.
  2. Multiple attack methods: the case connects to 9 unique AI attack methods.
  3. Vulnerability mentions: the record connects 1 vulnerability identifier to this case.

Procedure timeline


Steps by tactic: Resource Development (2), Execution (2), Defense Evasion (2), Privilege Escalation (2), Credential Access (1)

  1. Execution

    When the victim clicked the link to the researchers’ website, the malicious JavaScript script executed in the user’s browser.

  2. Credential Access

    The malicious script opened a background window to the victim’s OpenClaw control interface with the gatewayUrl set to a WebSocket address on the researcher’s server. OpenClaw’s control interface trusts the gatewayUrl query string without validation and auto-connects on load, sending the Gateway token to the researcher’s server.

  3. Defense Evasion

    The malicious script performed Cross-Site WebSocket Hijacking (CSWSH) to bypass localhost network restrictions. It opened a new WebSocket connection to the OpenClaw Gateway server on localhost.

  4. Privilege Escalation

    The malicious script used the stolen Gateway token to authenticate, allowing subsequent calls to OpenClaw’s Gateway API on the victim’s system.

  5. Defense Evasion

    The malicious script disabled OpenClaw’s security feature that prompts users before running potentially dangerous commands. This was done by sending the following payload to OpenClaw’s Gateway API.

    Defanged prompt excerpt (the site notes that content in this block is escaped, defanged and intended for analysis only):

    { "method": "exec.approvals.set",
      "params": { "defaults": { "security": "full", "ask": "off" } }
    }

  6. Privilege Escalation

    The malicious script disabled OpenClaw’s sandboxing, forcing the agent to run commands directly on the host machine instead of inside a Docker container. This was done by sending a config.patch request to OpenClaw’s Gateway API that set tools.exec.host to "gateway".
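The two defender-side checks implied by steps 2, 5 and 6, as an added example that is not OpenClaw's own code: a loopback-only allowlist the control interface could apply to gatewayUrl before auto-connecting (so the Gateway token is never sent to a third-party server), and an audit of Gateway API requests that flags the approvals and sandbox changes. The config.patch parameter layout (params.patch keyed by dotted config path) is an assumption, and the sample messages are constructed.

```javascript
// Added example (not OpenClaw's code). Defender-side checks for the chain above.
// Assumption: config.patch carries a flat map of dotted config keys in params.patch.

// Accept only ws:// or wss:// URLs whose host is loopback; reject anything else
// (e.g. a remote researcher-controlled host) and URLs with embedded credentials.
function isSafeGatewayUrl(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return false; }
  if (u.protocol !== "ws:" && u.protocol !== "wss:") return false;
  const loopback = new Set(["localhost", "127.0.0.1", "[::1]"]);
  return loopback.has(u.hostname) && u.username === "" && u.password === "";
}

// Return a list of findings for one parsed Gateway API request object.
function auditGatewayRequest(msg) {
  const findings = [];
  if (msg.method === "exec.approvals.set") {
    const d = (msg.params && msg.params.defaults) || {};
    if (d.ask === "off") findings.push("exec.approvals.set: user prompt disabled (ask=off)");
    if (d.security === "full") findings.push("exec.approvals.set: security level raised to full");
  }
  if (msg.method === "config.patch") {
    const patch = (msg.params && msg.params.patch) || {};   // hypothetical layout
    if (patch["tools.exec.host"] === "gateway") {
      findings.push("config.patch: tools.exec.host=gateway (commands leave the sandbox)");
    }
  }
  return findings;
}

// Constructed sample requests: the two from the case steps plus one benign patch.
const SAMPLE_REQUESTS = [
  { method: "exec.approvals.set", params: { defaults: { security: "full", ask: "off" } } },
  { method: "config.patch", params: { patch: { "tools.exec.host": "gateway" } } },
  { method: "config.patch", params: { patch: { "tools.exec.host": "sandbox" } } },
];

function auditAll(msgs) {
  return msgs.flatMap(auditGatewayRequest);
}
```

Running auditAll(SAMPLE_REQUESTS) yields three findings, all from the first two messages; the benign patch produces none.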

Mitigations

Defenses connected to the attack methods in this case.

No connected defenses were found for this case (built from the attack methods identified in the case record).
