OpenClaw Gateway faces scrutiny after CVE disclosures

What to Know:

  • OpenClaw CVE-2026-25253 leaks auth tokens via gatewayUrl; pre-2026.1.29 vulnerable.
  • CVE-2026-26322 SSRF coerces outbound WebSocket connections to sensitive endpoints.

OpenClaw Gateway CVEs and ClawJacked risks: Impact

OpenClaw Gateway carries high-risk vulnerabilities that affect local agents and the services they connect to. According to Barrack.ai (https://blog.barrack.ai/openclaw-security-vulnerabilities-2026/?utmsource=openai), CVE-2026-25253 lets a malicious web page exfiltrate the Gateway’s authentication token through the gatewayUrl parameter, giving the attacker the Gateway’s execution privileges; versions prior to 2026.1.29 are affected. Infosecurity Magazine (https://www.infosecurity-magazine.com/news/researchers-six-new-openclaw/?utmsource=openai) reports that CVE-2026-26322 is a high-severity SSRF that can coerce the Gateway into opening outbound WebSocket connections to arbitrary, potentially sensitive endpoints.

Researchers have also detailed a “ClawJacked” path in which a hostile site can seize a developer’s local agent over localhost. The Oasis Security Research Team (https://www.prnewswire.com/news-releases/oasis-security-research-team-discovers-critical-vulnerability-in-openclaw-302698939.html?utm_source=openai) found that the chain can include rapid password brute‑forcing and silent device pairing, even when the service is bound to 127.0.0.1.

Exposure appears widespread. Metomic (https://www.metomic.io/resource-centre/ciso-briefing-openclaw-risk-landscape-and-hardening-priorities?utm_source=openai) reported more than 42,000 publicly reachable OpenClaw instances, including cases with persistent OAuth tokens and conversation histories viewable without authentication.

Risk is compounded by unsafe extensions. The Hacker News (https://thehackernews.com/2026/02/openclaw-integrates-virustotal-scanning.html?utm_source=openai) noted that marketplace skills in some cases are not sandboxed and can execute with full system privileges once installed.

Enterprise posture is shifting as well. Wired (https://www.wired.com/story/openclaw-banned-by-tech-companies-as-security-concerns-mount?utm_source=openai) reported that a Meta executive asked teams to avoid running OpenClaw on standard work laptops due to unpredictability and privacy risks.

Why it matters now and immediate actions to take

The combined issues raise material risks of account takeover, data exfiltration, and lateral movement. Patching helps, but configuration and environment controls determine real-world exposure.

Isolate the Gateway in a dedicated VM, bind services to 127.0.0.1 (necessary, but on its own it does not stop the browser-borne ClawJacked path described below, so authentication on the local interface still matters), front it with an authenticated reverse proxy, restrict egress, and rotate least‑privileged credentials. Disable auto‑install of marketplace skills, prefer code‑signed packages where available and vet them before installation, and monitor for unusual WebSocket destinations.

Enterprise teams should treat the Gateway like untrusted code near sensitive secrets and networks. Microsoft’s security researchers (https://www.techradar.com/pro/security/microsoft-says-openclaw-is-unsuited-to-run-on-standard-personal-or-enterprise-workstation-so-should-you-be-worried?utm_source=openai) recommend isolated execution, strict credential hygiene, and XDR monitoring; as they put it, “OpenClaw should be treated as untrusted code execution when run with persistent credentials.”

Where central zero‑trust dashboards have limited reach over local tunnels, compensating controls are necessary. Validate that the Gateway is not bound to a wildcard address such as 0.0.0.0, place it behind authentication, review logs for unexpected localhost access and outbound sockets, and revoke and reissue tokens after suspected exposure.
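The bind and log checks above, as an added example that is not OpenClaw project code: it parses `ss -ltnp` output to find Gateway listeners reachable beyond loopback, and reviews logged outbound WebSocket connections against an egress allowlist, flagging loopback, link-local and private targets (cloud metadata and intranet services, the usual SSRF destinations). The sample ss output, the log format, the process name, the ports and the allowlist are constructed for this example and are not taken from the page.

```python
"""Added example, not OpenClaw project code: audit a local Gateway host for
exposed listeners and suspicious outbound WebSocket destinations. The ss
output, log format, process name, ports and allowlist are constructed."""
import ipaddress
import re
from urllib.parse import urlparse

# Constructed `ss -ltnp` output. The process name and ports are assumptions.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:18789      0.0.0.0:*          users:(("openclaw-gateway",pid=4242,fd=12))
LISTEN  0       128     0.0.0.0:18790        0.0.0.0:*          users:(("openclaw-gateway",pid=4242,fd=13))
LISTEN  0       511     [::]:443             [::]:*             users:(("nginx",pid=77,fd=8))
"""

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}


def exposed_listeners(ss_output, process):
    """Return (bind_address, port) for each socket of `process` that is reachable
    beyond loopback. Wildcard binds (0.0.0.0, [::], *) are always exposed."""
    exposed = []
    for line in ss_output.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 6 or f'"{process}"' not in fields[-1]:
            continue
        addr, _, port = fields[3].rpartition(":")     # "[::]:443" -> "[::]", "443"
        addr = addr.strip("[]")
        if addr in WILDCARD_BINDS or not ipaddress.ip_address(addr).is_loopback:
            exposed.append((addr, int(port)))
    return exposed


# Constructed Gateway log lines for outbound WebSocket connects; the format is
# an assumption made for this example.
SAMPLE_WS_LOG = """\
2026-02-03T10:01:12Z ws.connect dest=wss://api.example-llm.com/v1/stream status=open
2026-02-03T10:01:40Z ws.connect dest=ws://169.254.169.254/latest/meta-data/ status=open
2026-02-03T10:02:05Z ws.connect dest=ws://10.0.3.15:9200/_cluster/health status=open
2026-02-03T10:02:30Z ws.connect dest=wss://updates.evil-example.net/collect status=open
"""

# Assumed operator egress allowlist: the only hosts the Gateway should dial.
ALLOWED_WS_HOSTS = {"api.example-llm.com"}


def classify_destination(url, allowed_hosts=ALLOWED_WS_HOSTS):
    """'allowed' for allowlisted hosts; 'internal' for loopback, link-local or
    private addresses (the classic SSRF targets); 'unknown' for anything else."""
    host = urlparse(url).hostname or ""
    if host in allowed_hosts:
        return "allowed"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "unknown"                               # a hostname not on the allowlist
    if ip.is_loopback or ip.is_link_local or ip.is_private:
        return "internal"
    return "unknown"


def suspicious_ws_connects(log_text):
    """Return (timestamp, destination, label) for every connect not on the allowlist."""
    hits = []
    for line in log_text.splitlines():
        m = re.match(r"(\S+) ws\.connect dest=(\S+)", line)
        if m:
            ts, dest = m.groups()
            label = classify_destination(dest)
            if label != "allowed":
                hits.append((ts, dest, label))
    return hits


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT, "openclaw-gateway"):
        print(f"EXPOSED listener {addr}:{port}")
    for ts, dest, label in suspicious_ws_connects(SAMPLE_WS_LOG):
        print(f"{ts} {label:8} {dest}")
```

The classifier labels literal addresses only; a hostname that resolves to an internal IP at connect time (DNS rebinding) comes back as `unknown`, which is why the real control is denying everything that is not allowlisted rather than trying to enumerate bad targets.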

At the time of this writing, market data are delayed; however, Simply Wall St (https://finance.yahoo.com/news/cloudflare-net-valuation-check-strong-101000897.html?utm_source=openai) noted Cloudflare’s Q4 2025 revenue up 34% year over year, with a 1‑day share price decline of 1.4%, a 90‑day decline of 12.7%, and a 1‑year total shareholder return of 18.5%. This context underscores ongoing investor focus on AI and cybersecurity infrastructure while sentiment fluctuates.

ClawJacked localhost hijack: how malicious sites seize agents

In the documented flow, a user visits a malicious site while a local agent is running. The site’s scripts issue cross‑origin requests to localhost from inside the user’s own browser, which is why binding the service to 127.0.0.1 does not block them; they probe the Gateway and attempt password guessing against the local interface.

If the password is weak or guessing is not rate‑limited, the attacker pairs a rogue client silently. With the token or session in hand, the attacker sends instructions to the agent, pivots through installed skills, and reaches APIs or internal services.
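Two controls that interrupt the flow just described, as an added example rather than OpenClaw’s own code: a browser always attaches an Origin header to a cross‑site request and a page cannot forge it, so a loopback service can refuse pairing from any origin it did not itself serve, and a failure budget with lockout defeats rapid password guessing. The endpoint shape, the limits, the served origin and the sample password are assumptions made for this example.

```python
"""Added example, not OpenClaw project code: two controls that break the
ClawJacked chain on a loopback-bound service. The endpoint shape, limits,
served origin and sample password are assumptions made for this example."""
import hmac
import time


class PairingGuard:
    """Guards a local device-pairing endpoint against browser-borne hijack."""

    def __init__(self, pairing_password, served_origins, max_failures=5, lockout_seconds=300):
        self._password = pairing_password.encode()
        # Only origins this Gateway itself serves (its own UI) may pair a device.
        self.served_origins = set(served_origins)
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = 0
        self._locked_until = 0.0

    def origin_allowed(self, origin):
        # A browser always attaches Origin to cross-site requests and a page
        # cannot forge it. A request with no Origin comes from a non-browser
        # client on the same host (CLI, curl), which this example trusts.
        return origin is None or origin in self.served_origins

    def try_pair(self, origin, password, now=None):
        """Process one pairing attempt; returns (accepted, reason)."""
        now = time.monotonic() if now is None else now
        if not self.origin_allowed(origin):
            return False, "rejected: foreign origin"   # rejected before any password check
        if now < self._locked_until:
            return False, "rejected: locked out"
        if hmac.compare_digest(self._password, password.encode()):
            self._failures = 0
            return True, "paired"
        # One global counter: a single-user loopback service has no client
        # identity worth keying on, and header-derived keys are attacker-chosen.
        self._failures += 1
        if self._failures >= self.max_failures:
            self._failures = 0
            self._locked_until = now + self.lockout_seconds
        return False, "rejected: bad password"


def run_hijack_scenario(guard, attacker_origin="https://evil.example", guesses=20):
    """Replay the article's flow: a hostile page sprays guesses at localhost.
    Returns the set of distinct reasons the guard produced."""
    reasons = set()
    for i in range(guesses):
        accepted, reason = guard.try_pair(attacker_origin, f"guess-{i}", now=float(i))
        assert not accepted
        reasons.add(reason)
    return reasons


if __name__ == "__main__":
    guard = PairingGuard("correct-horse-battery", {"http://127.0.0.1:18789"})
    print(run_hijack_scenario(guard))
```

The origin check fires first so a hostile page never reaches the password comparison and gets no timing or error oracle; the lockout then bounds whatever guessing remains from trusted origins. An explicit user confirmation of every new device, which the “silent pairing” finding calls for, would sit on top of both checks and is not modelled here.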

The same design weaknesses enable token leakage and SSRF. Combined, they can expose cloud keys, private endpoints via forced WebSocket connections, and sensitive chat history.
