
OpenClaw vulnerability allows one-click remote code execution

Visit original source (thehackernews.com)

by sauce_bot on Mar 8, 2026

AI Summary

A quick recap of the linked article before you click through.

A critical vulnerability in OpenClaw allows one-click remote code execution via a malicious link. The high-severity flaw, tracked as CVE-2026-25253 with a CVSS score of 8.8, was fixed in version 2026.1.29, released on January 30, 2026. The root cause is that the Control UI did not validate the gateway URL supplied in the query string, so a crafted link could lead to token exfiltration and full gateway compromise, as explained by OpenClaw's creator, Peter Steinberger.
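The failure mode described above, a web UI that reads a backend URL from the query string and connects to it unchecked, is shown below as an added illustration; this is not OpenClaw's code, and the parameter name `gateway`, the default gateway and the allowlist are constructed for the example. The unsafe function hands the UI whatever the link says; the hardened one parses the candidate, requires a `wss:` scheme without embedded credentials, and only accepts an origin from a fixed allowlist, falling back to the configured default otherwise, so a token the UI later presents can only reach a vetted gateway.

```javascript
// Constructed defaults for a hypothetical control UI (not OpenClaw's real values).
const DEFAULT_GATEWAY = "wss://gateway.example.internal/ws";
const ALLOWED_GATEWAY_ORIGINS = new Set(["wss://gateway.example.internal"]);

// Unsafe pattern: trust the query-string value as-is.
// Whatever URL the page was opened with becomes the gateway the UI talks to.
function pickGatewayUnsafe(search) {
  const params = new URLSearchParams(search);
  return params.get("gateway") || DEFAULT_GATEWAY;
}

// Hardened pattern: parse, then validate scheme, credentials and origin before use.
// Returns the URL to connect to plus the reason a candidate was rejected (or null).
function pickGatewaySafe(search, allowedOrigins = ALLOWED_GATEWAY_ORIGINS) {
  const params = new URLSearchParams(search);
  const candidate = params.get("gateway");
  if (candidate === null) {
    return { url: DEFAULT_GATEWAY, rejected: null };
  }

  let parsed;
  try {
    parsed = new URL(candidate); // throws on anything that is not an absolute URL
  } catch {
    return { url: DEFAULT_GATEWAY, rejected: "unparseable" };
  }

  if (parsed.protocol !== "wss:") {
    return { url: DEFAULT_GATEWAY, rejected: "scheme" }; // no plaintext ws:, http:, javascript:, ...
  }
  if (parsed.username !== "" || parsed.password !== "") {
    return { url: DEFAULT_GATEWAY, rejected: "credentials" }; // user@host tricks
  }
  // Compare the normalized origin (scheme + host + port), not the raw string,
  // so case differences, default ports and trailing paths cannot bypass the check.
  if (!allowedOrigins.has(parsed.origin)) {
    return { url: DEFAULT_GATEWAY, rejected: "origin" };
  }
  return { url: parsed.href, rejected: null };
}

// Small demonstration when run directly.
const samples = [
  "",
  "?gateway=wss://gateway.example.internal/ws",
  "?gateway=wss://other.example/ws",
  "?gateway=ws://gateway.example.internal/ws",
];
for (const s of samples) {
  console.log(JSON.stringify(s), "->", JSON.stringify(pickGatewaySafe(s)));
}
```

In practice the allowlist would come from the build-time configuration, and a rejected candidate is worth logging client-side so that a wave of rejected gateway parameters is visible to whoever runs the deployment.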

The vulnerability underlines the need for robust security measures in AI automation and agent workflows. Developers using OpenClaw's API and SDK should review the release notes and implement the latest model updates to mitigate the risks associated with this flaw. Staying aware of such vulnerabilities and their fixes is essential for keeping integrations and developer tooling intact.

lobstersauce.news