CVE-2026-25253

HIGH

Exploit for Incorrect Resource Transfer Between Spheres in Openclaw

Details

CVSS v3: 8.8
NVD published: 2026-02-01 23:15:49
EPSS: <0.1% probability · 25.9th percentile — 2026-04-17
Affected versions: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Summary: OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value.
Remediation: Not available in our cache.
Exploit info: https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys https://ethiack.com/news/blog/one-click-rce-moltbot https://x.com/0xacb/status/2016913750557651228

TopVuln sends digest emails with high-risk CVE picks across multiple authoritative sources—curated with EPSS and AI. Choose daily per-stream emails and optional weekly or monthly roundups.

Subscribe — free email digest or paid plan

Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.