The open-source artificial intelligence utility OpenClaw (formerly known as Moltbot and ClawdBot) has attracted a large user base thanks to its versatility; its growing popularity has, however, also exposed several security vulnerabilities capable of compromising sensitive user data.
The security collective depthfirst recently disseminated a technical disclosure regarding a remediated high-severity flaw. By exploiting this vulnerability, an adversary could exfiltrate an OpenClaw instance token, thereby granting them absolute administrative control and the capacity to execute privileged maneuvers.
Following the discovery, the researchers followed responsible disclosure, and the issue was fixed in version v2026.1.29 and all subsequent releases. Users running v2026.1.28 or earlier are urged to upgrade immediately. The crux of the vulnerability lies in the UI’s failure to validate or sanitize query strings within the gateway URL: on initialization, the UI automatically connects to whatever gateway the URL names and transmits the stored gateway token within the WebSocket payload.
By inducing a target to open a crafted hyperlink or visit a phishing page, an attacker can have the token delivered to a server they control. With the token, they can interface with the local gateway of the target instance and make unauthorized configuration changes.
The ultimate consequence of this exploit is Remote Code Execution (RCE), enabling the perpetrator to run arbitrary code on the exposed instance. Notably, this remains viable even on instances configured to listen exclusively on loopback addresses, as the victim’s browser initiates the outbound connection. The exploitation process is alarmingly seamless, requiring no further intervention from the user beyond the initial click. Many enthusiasts, in their quest for automation, grant OpenClaw extensive permissions—including SSH credentials—meaning that the broader the utility’s authority, the more perilous a compromise becomes.
Once a malicious actor seizes control of an OpenClaw instance, they can impersonate the user to harvest intelligence or orchestrate fraudulent schemes via integrated communication platforms. Security analysts persistently advocate for the principle of least privilege; granting an autonomous AI “God Mode” permissions effectively eliminates any margin for error in the event of a security breach.