Critical OpenClaw Flaw Enabled Remote Hijack Through Malicious Web Page | InsightsWire
Cybersecurity, Open-source, AI/ML
OpenClaw — an open-source local agent that links browsers to a privileged local gateway, retains persistent context and can invoke shell or file operations — contained a critical flaw that allowed a crafted webpage to extract a session credential and turn that short‑lived token into full gateway authentication and arbitrary host command execution. DepthFirst published a technical writeup showing how client‑side code in a single malicious visit can siphon a session token, call the local gateway API, disable protection checks, elevate privileges and run commands on the host. The project responded with a maintenance release (2026.1.29) that patches the immediate vector; the issue is tracked as CVE-2026-25253.
Operational research and internet scanning amplify the urgency: routine scans located hundreds of OpenClaw admin/gateway endpoints reachable from the public internet that lack robust access controls, and separate backend misconfigurations were reported to have exposed roughly 1.5 million API tokens and about 35,000 email addresses — increasing the practical risk of large-scale compromise.
Analysis of Moltbook, a public site where agents publish skills and posts, found widespread unvetted content: independent sampling identified hundreds of posts with concealed instruction fragments and, in one sample of 506 posts, about 2.6% contained hidden prompt‑injection payloads or documented skills that exfiltrated data. Practical experiments across agent projects show attackers can fetch remote text, store fragments in memory, assemble instructions later and then perform actions that read stored secrets, send messages as the user, or invoke external tools — in some tests researchers were able to coerce an agent into exposing a private cryptographic key when defenses were weak.
Because many deployments run with broad local privileges and persistent state, defenders must assume tokens may already have been harvested and undertake token revocation, forensic review, and credential rotation. Short‑term mitigations include upgrading to OpenClaw 2026.1.29, revoking and rotating exposed tokens and API keys, inventorying internet‑reachable instances, enforcing IP‑filtering or VPN‑only access to gateways, and tightening origin and user‑presence checks before privileged actions. Medium‑term fixes should move gateway control away from browser‑retrievable tokens, sandbox connectors that perform file or shell operations, require vetted skill registries and prompt provenance tracking, and add auditable action logs and runtime constraints on autonomous actions. The incident underscores a broader ecosystem lesson: bridging convenience features between browsers, public feeds of skills, and privileged local APIs produces fragile trust boundaries that attackers can weaponize with small, low‑interaction lures.
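One way to express the "origin and user‑presence checks before privileged actions" mitigation on the gateway side, with an audit trail, as an added example that is not OpenClaw's code. The allowlisted origin, the action names and the `createGate`/`approve`/`authorize` functions are hypothetical, and the gate is assumed to front only the browser‑facing endpoint.

```javascript
// Added example: gate for privileged gateway actions. All names are hypothetical.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]); // constructed value
const PRIVILEGED = new Set(["shell.exec", "file.write", "config.set"]);
const CONFIRM_TTL_MS = 30_000; // a confirmation is valid for 30 seconds

function createGate(now = () => Date.now()) {
  const pending = new Map(); // confirmationId -> { action, expires }
  const audit = [];          // every decision is recorded, allowed or not

  // Called only from a local confirmation prompt, never from a web request,
  // so a page holding a stolen token cannot approve its own action.
  function approve(confirmationId, action) {
    pending.set(confirmationId, { action, expires: now() + CONFIRM_TTL_MS });
  }

  function decide({ origin, action, confirmationId }) {
    // Exact-match allowlist: missing, "null" and look-alike origins all fail.
    if (typeof origin !== "string" || !ALLOWED_ORIGINS.has(origin)) {
      return { allow: false, reason: "origin-not-allowed" };
    }
    if (!PRIVILEGED.has(action)) return { allow: true, reason: "unprivileged" };

    const grant = pending.get(confirmationId);
    pending.delete(confirmationId); // single use, consumed even on failure
    if (!grant || grant.action !== action) {
      return { allow: false, reason: "no-user-confirmation" };
    }
    if (grant.expires < now()) {
      return { allow: false, reason: "confirmation-expired" };
    }
    return { allow: true, reason: "confirmed" };
  }

  function authorize(req) {
    const decision = decide(req);
    audit.push({ at: now(), origin: req.origin ?? null, action: req.action, ...decision });
    return decision;
  }

  return { approve, authorize, audit };
}
```

A valid token alone is not enough here: a request from an unlisted origin is refused before the action is considered, and a privileged action additionally needs a fresh, action‑bound, single‑use confirmation.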