When one malicious link grants full control
WebSocket token leakage and CSRF-like vulnerabilities allow attackers to hijack your OpenClaw session by luring you to a malicious webpage.
Gateway authentication bypass is a critical vulnerability where attackers can steal authentication tokens or hijack sessions without needing your credentials. In the context of OpenClaw, this specifically refers to vulnerabilities in the Gateway Control UI's WebSocket connection logic.
A malicious webpage can abuse the WebSocket connection to steal the bot's auth token and then issue commands—all triggered by simply visiting a crafted URL. This is particularly dangerous because:
- It works even for bots not directly exposed to the internet
- It can pivot through the user's browser to reach localhost instances
- The attack requires no stolen credentials
- A single click or page visit is enough to compromise the system
This type of attack combines elements of Cross-Site WebSocket Hijacking and CSRF to achieve remote code execution on the host running OpenClaw.
A malicious webpage connects to the victim's local OpenClaw WebSocket endpoint (since origin checks were not enforced in vulnerable versions).
The attacker's page extracts the session token from the WebSocket connection or manipulates the gatewayUrl parameter to redirect authentication.
With the stolen token, the attacker opens their own session to the OpenClaw gateway.
The attacker uses the hijacked session to execute arbitrary "tool" commands on the bot, achieving RCE on the host system.
The entire attack chain is triggered when the victim visits a malicious URL—no interaction required beyond the initial click.
In January 2026, researchers from Ethiack used an AI-powered pentesting agent ("Hackian") against a default OpenClaw instance and uncovered a critical vulnerability:
1. They found the OpenClaw dashboard allowed a gatewayUrl parameter in requests
2. By luring a victim (the OpenClaw operator) to a malicious webpage, that page could silently connect the victim's browser to the local OpenClaw WebSocket
3. The page extracted the session token since origin checks were not enforced
4. With the token, they opened an attacker-controlled session
5. They executed arbitrary shell commands on the victim's system
The researchers demonstrated full account takeover and remote code execution—the entire attack worked even against localhost-only instances by pivoting through the user's browser.
The vulnerability was disclosed and patched within two days, but it highlighted how traditional web security gaps can turn AI agent deployments into attack vectors.
When you self-host your OpenClaw, you're responsible for addressing these risks:
Clawctl includes built-in protection against auth bypass:
All WebSocket connections are validated against allowed origins. Cross-site requests are blocked.
Authentication tokens are never exposed to client-side code. They are injected server-side only.
All state-changing requests require valid CSRF tokens that cannot be forged by external sites.
Vulnerabilities like this are patched immediately in our infrastructure. You are protected automatically.
Anomalous session patterns (multiple IPs, unusual timing) trigger automatic session termination.
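For self-hosted deployments, the origin validation described above can be sketched as a check on the HTTP upgrade request, before any WebSocket handshake completes. This is an added example, not OpenClaw's or Clawctl's code; the allow-list values, the function names and the choice to refuse requests with no Origin header are assumptions.

```javascript
// Added example: strict Origin allow-listing for a WebSocket upgrade (Node.js).
// The allow-list entries are constructed placeholders, not OpenClaw defaults.
const ALLOWED_ORIGINS = new Set(['http://127.0.0.1:3000', 'http://localhost:3000']);

// Reduce an Origin header to scheme://host[:port], or null if it is unusable.
function normalizeOrigin(header) {
  // Sandboxed or opaque browser contexts send the literal string "null".
  if (typeof header !== 'string' || header === '' || header === 'null') return null;
  try {
    const u = new URL(header);
    if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
    // A genuine Origin header has no path, query, fragment or credentials.
    if (u.pathname !== '/' || u.search || u.hash || u.username || u.password) return null;
    return u.origin; // host lower-cased, default port removed
  } catch {
    return null; // not parseable as a URL
  }
}

// Exact match on the normalized origin. Prefix or substring matching would
// accept look-alike hosts such as http://localhost.evil.example:3000.
function isAllowedOrigin(header, allowed = ALLOWED_ORIGINS) {
  const origin = normalizeOrigin(header);
  return origin !== null && allowed.has(origin);
}

// Call from the server's 'upgrade' event. Returns true if the handshake may
// proceed; otherwise answers 403 and closes the socket (fail closed).
// Assumption: requests without an Origin header are refused as well, so
// non-browser clients would need a separately authenticated path.
function checkUpgrade(req, socket, allowed = ALLOWED_ORIGINS) {
  if (isAllowedOrigin(req.headers.origin, allowed)) return true;
  socket.write('HTTP/1.1 403 Forbidden\r\nConnection: close\r\nContent-Length: 0\r\n\r\n');
  socket.destroy();
  return false;
}

// Usage with Node's http server:
//   server.on('upgrade', (req, socket, head) => {
//     if (checkUpgrade(req, socket)) { /* hand off to the WebSocket library */ }
//   });
```

An origin check only stops cross-site connections made by a browser; it complements token authentication on the socket and does not replace it.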
Whether you use Clawctl or not, follow these best practices:
Clawctl includes enterprise-grade protection against this threat and many others. Deploy your OpenClaw securely in 60 seconds.