CVE-2026-25593
📋 TL;DR
OpenClaw personal AI assistant versions before 2026.1.20 contain a command injection vulnerability. Unauthenticated local clients can exploit the Gateway WebSocket API to inject malicious commands that execute with gateway user privileges. This affects all OpenClaw installations running vulnerable versions.
💻 Affected Systems
- OpenClaw
📦 What is this software?
OpenClaw by OpenClaw
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise via remote code execution, allowing attackers to install malware, exfiltrate data, or pivot to other systems.
Likely Case
Local privilege escalation leading to unauthorized access to sensitive files, configuration manipulation, or lateral movement within the network.
If Mitigated
Limited impact if proper network segmentation and least privilege principles are implemented, restricting the gateway user's capabilities.
🎯 Exploit Status
Exploitation requires local access but no authentication, making it relatively simple for attackers with local system access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2026.1.20
Vendor Advisory: https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg
Restart Required: Yes
Instructions:
1. Stop the OpenClaw service.
2. Update to version 2026.1.20 via the package manager or a manual installation.
3. Restart the OpenClaw service.
4. Verify the update was successful.
🔧 Temporary Workarounds
Disable Gateway WebSocket API
Temporarily disable the vulnerable WebSocket API endpoint until patching is possible.
- Edit the OpenClaw configuration file and set 'gateway.websocket.enabled = false'
- Restart the OpenClaw service
Restrict local access
Implement network controls to restrict which systems can access the OpenClaw Gateway API.
- Configure firewall rules to limit connections to trusted IPs only
- Use network segmentation to isolate OpenClaw instances
🧯 If You Can't Patch
- Implement strict network segmentation to isolate OpenClaw instances from critical systems
- Apply principle of least privilege to the gateway user account to limit potential damage
🔍 How to Verify
Check if Vulnerable:
Check OpenClaw version: if version is less than 2026.1.20, the system is vulnerable
Check Version:
openclaw --version
Verify Fix Applied:
Confirm OpenClaw version is 2026.1.20 or higher and test that config.apply no longer accepts unsafe cliPath values
📡 Detection & Monitoring
Log Indicators:
- Unusual WebSocket connections to Gateway API
- config.apply operations with suspicious cliPath values
- Unexpected command execution by gateway user
Network Indicators:
- WebSocket traffic to OpenClaw Gateway API from unauthorized sources
- Unusual outbound connections from OpenClaw process
SIEM Query:
source="openclaw.log" AND ("config.apply" OR "cliPath") AND NOT user="authorized_user"
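As an added example (not from the advisory or the OpenClaw project), the detection logic above run over constructed log lines: it flags config.apply events whose cliPath fails a conservative validity check, or that come from a user outside the authorized set, mirroring the SIEM query. The key=value log layout, the field names other than config.apply and cliPath, the allowlisted binary paths and the user names are all assumptions.

```python
import re
import shlex

# Constructed sample in an assumed key=value layout; the advisory does not
# describe OpenClaw's actual log format, so this is only a stand-in.
SAMPLE_LOG = """\
ts=2026-01-18T10:00:01Z op=config.apply user=authorized_user cliPath=/usr/local/bin/openclaw
ts=2026-01-18T10:00:07Z op=config.apply user=ws-anon cliPath="/usr/local/bin/openclaw; id"
ts=2026-01-18T10:00:09Z op=session.list user=ws-anon
ts=2026-01-18T10:00:12Z op=config.apply user=authorized_user cliPath=../../bin/sh
"""
# Assumed allowlist of legitimate cliPath targets and of accounts expected to run config.apply.
ALLOWED_CLI_PATHS = {"/usr/local/bin/openclaw", "/usr/bin/openclaw"}
AUTHORIZED_USERS = {"authorized_user"}
SHELL_META = re.compile(r"[;&|$`<>()\s]")

def parse_line(line):
    """Split a key=value log line into a dict; shlex keeps quoted values whole."""
    fields = {}
    for token in shlex.split(line):
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields

def cli_path_reasons(path):
    """Return why a cliPath value is unsafe; an empty list means it passes."""
    reasons = []
    if SHELL_META.search(path):
        reasons.append("shell metacharacters")
    if not path.startswith("/") or "/../" in path:
        reasons.append("not an absolute, normalised path")
    if path not in ALLOWED_CLI_PATHS:
        reasons.append("not in allowlist")
    return reasons

def flag_events(log_text):
    """Mirror the SIEM query: config.apply/cliPath events that need review."""
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev.get("op") != "config.apply" and "cliPath" not in ev:
            continue  # neither config.apply nor a cliPath field: ignore
        reasons = cli_path_reasons(ev.get("cliPath", ""))
        if ev.get("user") not in AUTHORIZED_USERS:
            reasons.append("unauthorized user")
        if reasons:
            alerts.append((ev.get("ts"), ev.get("user"), reasons))
    return alerts
```

Against the constructed sample, the two flagged events are the unauthenticated client's cliPath carrying a shell separator and the relative, non-allowlisted path from an otherwise authorized account.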