CVE-2026-25253 Now Has a Scanner: Detecting the OpenClaw WebSocket RCE
TL;DR: CVE-2026-25253 (CVSS 8.8) is the formal CVE assignment for the OpenClaw WebSocket hijacking vulnerability disclosed January 30. HackMyAgent v0.4.0 is the first tool to detect vulnerable versions, missing mitigations, and expanded ClawHavoc malware indicators. One command to check.
npx hackmyagent@latest secure .Timeline
The Vulnerability
CVE-2026-25253 is a cross-origin WebSocket hijacking vulnerability in OpenClaw's gateway. The gateway exposes a WebSocket endpoint on localhost for the Control UI. Before the patch, there was no origin validation — any website could connect to it.
If a user has OpenClaw running locally and visits a malicious page, the page silently connects to the gateway WebSocket, steals the auth token from the Control UI session, and executes arbitrary commands through the agent.
Attack flow:
1. User runs OpenClaw locally (gateway on ws://localhost:3100)
2. User visits attacker-controlled page
3. Page connects: new WebSocket("ws://localhost:3100")
4. Page reads auth token from gateway handshake
5. Page sends: { action: "execute", command: "..." }
6. Arbitrary code runs as the user — game overThe fix in v2026.1.29 adds WebSocket origin validation and a gateway URL confirmation modal, addressing both attack vectors. You should also rotate your gateway auth token and any API keys for connected services.
What v0.4.0 Detects
We added 13 new security checks in this release, bringing HackMyAgent to 147+ total checks. Here's what's new:
OpenClaw CVE Detection
Vulnerable version detection, CVE scanning, and config hardening
Reads your package.json, extracts the OpenClaw version, compares against v2026.1.29 (the patch release). Flags any version before the fix.
Checks if gateway.controlUi.allowedOrigins is configured as an additional layer of protection. The v2026.1.29 patch adds origin validation by default, but explicit allowlisting provides defense-in-depth.
Detects CVE-2026-25157 (CVSS 7.8) — unescaped project root path in sshNodeCommand enables arbitrary command execution on remote SSH hosts. macOS menubar app only. Fixed in v2026.1.29.
Detects CVE-2026-24763 (CVSS 8.8) — unsafe PATH environment variable handling in Docker sandbox execution allows command injection within containers. Fixed in v2026.1.29.
ClawHavoc IOC Detection
Koi Security campaign indicators
The Koi Security research published specific IOCs from the ClawHavoc campaign. We now scan skill files for all of them:
Detects known command-and-control IP addresses (e.g., 91.92.242.30) embedded in skill files.
Flags references to known payload filenames like openclaw-agent.exe, openclawcli.zip, and openclaw-installer.dmg.
Detects instructions telling users to "download and paste into terminal" — the ClickFix technique used to distribute Atomic Stealer.
Flags password-protected archive references with common malware distribution passwords (e.g., password: openclaw).
Configuration Hardening (5)
OpenClaw configuration issues that increase attack surface
| Check | Issue | Severity |
|---|---|---|
| GATEWAY-007 | Open DM policy with wildcard — anyone can message the agent | Critical |
| GATEWAY-008 | Tailscale Funnel enabled — agent exposed to public internet | High |
| CONFIG-007 | Unrestricted elevated execution — all tools run at max privilege | Critical |
| CONFIG-008 | Sandbox disabled — code runs without isolation | High |
| CONFIG-009 | Weak gateway token — under 24 characters | High |
How to Check Your Installation
# Scan any OpenClaw project directory
npx hackmyagent@latest secure /path/to/your/openclaw-project
# Or if you're inside the project
npx hackmyagent@latest secure .
# Verbose output shows all check details
npx hackmyagent@latest secure . -v
# Auto-fix what can be fixed (bindings, tokens, sandbox)
npx hackmyagent@latest secure . --fixExample output for a vulnerable installation:
$ npx hackmyagent@latest secure /home/user/my-agent
OpenClaw Agent | Score: 0/100
26 issues found:
CRITICAL package.json
OpenClaw 2026.1.15 is vulnerable to CVE-2026-25253
Fix: Upgrade to v2026.1.29+
MEDIUM openclaw.json
Auth configured without controlUi.allowedOrigins
Fix: Add gateway.controlUi.allowedOrigins for defense-in-depth
CRITICAL skills/crypto-tracker/SKILL.md
Known C2 IP address found: 91.92.242.30
Fix: Remove this skill immediatelyWhy This Matters
OpenClaw has 169K GitHub stars. It's the most popular open-source framework for building AI agents with tool access. The combination of a critical RCE vulnerability and an active supply chain campaign makes this one of the most significant AI agent security events to date.
Cisco, CrowdStrike, and Palo Alto have published advisories. But advisories don't scan your codebase. Until now there was no automated way to check if your OpenClaw installation is vulnerable to CVE-2026-25253 or contains ClawHavoc indicators.
HackMyAgent v0.4.0 fills that gap. It reads your package.json, config files, and skill directories, and tells you exactly what needs to change.
What's Next
- Continuous monitoring mode for skill directories (detect new malicious installs in real time)
- OASB-1 benchmark integration — these checks contribute to your overall agent security score
- Attack mode payloads targeting CVE-2026-25253 for authorized penetration testing
Scan Your OpenClaw Installation
147+ security checks. One command. Open source.
Disclosure: HackMyAgent is a detection tool. It scans local files and configuration. It does not exploit vulnerabilities or communicate with external servers during scanning.
CVE-2026-25253 was responsibly disclosed and patched by the OpenClaw team on January 29, 2026.