
One-Click RCE Flaw Lets Attackers Hijack OpenClaw Gateways
OpenClaw faces a high-severity vulnerability (CVE-2026-25253, CVSS 8.8) that enables one-click remote code execution via a crafted malicious link. Opening the link triggers a cross-site WebSocket hijack that exfiltrates the gateway token, giving the attacker control of the gateway API and the ability to run commands on the host. A fix is available in version 2026.1.29 (Jan 30, 2026).
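Cross-site WebSocket hijacking works because browsers complete the WebSocket handshake for any page unless the server checks where the request came from. The following added example (not OpenClaw's code) shows the standard server-side defence: validating the handshake's Origin header against an explicit allow-list before accepting the upgrade; the allow-list entries and header layout are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed allow-list of origins the gateway UI is served from.
ALLOWED_ORIGINS = {"https://gateway.example.local", "http://localhost:8080"}


def normalize_origin(origin):
    """Return (scheme, host, port) with default ports filled in, or None if malformed.

    Comparing normalized tuples means "https://host" and "https://host:443"
    are treated as the same origin, while "host.evil.example" is not.
    """
    parts = urlsplit(origin)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    port = parts.port or (443 if parts.scheme == "https" else 80)
    return (parts.scheme, parts.hostname.lower(), port)


def websocket_upgrade_allowed(headers, allowed=ALLOWED_ORIGINS, allow_no_origin=False):
    """Decide whether a WebSocket handshake may proceed.

    headers: dict of lower-cased request header names to values.
    A browser always sends Origin on a WebSocket handshake and a malicious page
    cannot forge it, so rejecting unknown origins stops a cross-site page from
    opening a socket to the gateway and reading the token it returns.
    Requests without Origin come from non-browser clients; whether to accept
    them is a policy choice, so it is an explicit flag (default: reject).
    """
    if headers.get("upgrade", "").lower() != "websocket":
        return False
    origin = headers.get("origin")
    if origin is None:
        return allow_no_origin
    norm = normalize_origin(origin)
    if norm is None:
        return False
    return norm in {normalize_origin(o) for o in allowed}
```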