OpenClaw Config Security Scanner
Vulnerability Score: CVSS 9.8. Published 2026-02-10.

URGENT: CVE-2026-25253 OpenClaw RCE Vulnerability Explained

A remote code execution vulnerability in the Gateway allows attackers to hijack your agent via a malicious WebSocket packet. CVSS Score: 9.8.

Tags: Critical, RCE, Gateway, Patch Required

The Exploit: WebSocket Gateway Injection

CVE-2026-25253 is triggered when the Gateway accepts unauthenticated `gatewayUrl` overrides from inbound handshake parameters. An attacker can craft a rogue WebSocket payload that rewrites execution routing before session policy initialization completes.

In affected builds, the gateway process resolves the attacker-supplied URL and forwards command envelopes to a shell-capable worker pool. Because command envelopes are trusted once they have passed the initial parse, this becomes an internet-reachable remote shell path.

  • No credentials required if the gateway port is internet-exposed.
  • Single packet exploit path after successful WebSocket upgrade.
  • Post-exploitation enables filesystem read/write and model-provider key extraction.

Am I Affected?

OpenClaw versions `2.1.0` through `2.4.5` are vulnerable. Any deployment inheriting legacy Moltbot gateway defaults is high risk, especially if deployed behind permissive reverse proxies.

If your container publishes port `3000` publicly and your logs show unknown gateway bootstrap events, treat compromise as possible and begin incident response immediately.
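The triage described in the two paragraphs above (affected version range, public exposure of port 3000, unexpected gateway bootstrap events in the logs) as a small checker. This is an added example, not code from the advisory or the OpenClaw project; the compose parsing, the image-tag version format and the log line shape ("gateway bootstrap gatewayUrl=... peer=...") are assumptions, and the sample service and log lines are constructed.

```python
"""
Exposure check for the gateway issue described above.
Added illustration, not part of OpenClaw or this advisory.
Assumed (not from the page): a compose service parsed into a dict, an image tag
that carries the version, and a log line format of the form
"<timestamp> gateway bootstrap gatewayUrl=<url> peer=<ip>".
"""
import re
from urllib.parse import urlparse

VULN_MIN = (2, 1, 0)   # first affected release named in the advisory
VULN_MAX = (2, 4, 5)   # last affected release named in the advisory
GATEWAY_PORT = 3000    # container port the advisory says must not be public


def parse_version(tag: str) -> tuple:
    """Turn 'v2.4.5' or 'ghcr.io/openclaw/openclaw:2.4.5' into (2, 4, 5)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", tag)
    if not m:
        raise ValueError(f"no semantic version in {tag!r}")
    return tuple(int(x) for x in m.groups())


def is_vulnerable_version(tag: str) -> bool:
    return VULN_MIN <= parse_version(tag) <= VULN_MAX


def is_publicly_published(port_spec: str, container_port: int = GATEWAY_PORT) -> bool:
    """
    Compose 'ports' entries look like "3000:3000", "127.0.0.1:3000:3000",
    "[::1]:3000:3000", "0.0.0.0:8080:3000" or "3000". No host address means
    Docker binds every interface, which is the exposed case.
    """
    parts = str(port_spec).rsplit(":", 2)
    cport = parts[-1].split("/")[0]          # strip "/tcp" or "/udp" if present
    if int(cport) != container_port:
        return False
    if len(parts) == 3:
        host = parts[0].strip("[]").lower()
        return host not in ("127.0.0.1", "::1", "localhost")
    return True


LOG_RE = re.compile(r"gateway bootstrap gatewayUrl=(?P<url>\S+) peer=(?P<peer>\S+)")


def suspicious_bootstrap_events(log_lines, allowed_hosts):
    """Return (url, peer) for bootstrap events whose gateway host is not allowlisted."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        host = urlparse(m.group("url")).hostname
        if host not in allowed_hosts:
            hits.append((m.group("url"), m.group("peer")))
    return hits


def assess(compose_service: dict, log_lines, allowed_hosts) -> dict:
    """Combine the three checks into the advisory's triage decision."""
    vulnerable = is_vulnerable_version(compose_service["image"])
    exposed = any(is_publicly_published(p) for p in compose_service.get("ports", []))
    unknown = suspicious_bootstrap_events(log_lines, allowed_hosts)
    if vulnerable and exposed and unknown:
        verdict = "possible compromise: start incident response"
    elif vulnerable and exposed:
        verdict = "vulnerable and internet-reachable: patch or restrict the port now"
    elif vulnerable:
        verdict = "vulnerable but not publicly published: patch in the next window"
    else:
        verdict = "not in the affected range"
    return {"vulnerable": vulnerable, "exposed": exposed,
            "unknown_events": unknown, "verdict": verdict}


# Constructed sample input (not real deployment data or real logs)
SAMPLE_SERVICE = {"image": "ghcr.io/openclaw/openclaw:v2.3.1", "ports": ["0.0.0.0:3000:3000"]}
SAMPLE_LOGS = [
    "2026-02-10T08:00:01Z gateway bootstrap gatewayUrl=wss://gateway.openclaw.local peer=10.0.0.5",
    "2026-02-10T08:00:07Z gateway bootstrap gatewayUrl=wss://203.0.113.7/ws peer=203.0.113.7",
]

if __name__ == "__main__":
    print(assess(SAMPLE_SERVICE, SAMPLE_LOGS, {"gateway.openclaw.local"}))
```

The version check is inclusive at both ends because the advisory names `2.1.0` and `2.4.5` as affected; anything the checker flags as "possible compromise" should go straight into the incident response the advisory calls for, since the log heuristic only recognises the constructed line shape and a real deployment's format will differ.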

The Fix: Patch and Network Containment

Upgrade to OpenClaw `v2.5.0` or later without delay. The patch introduces strict gateway URL allowlisting and an authenticated handshake requirement before routing commands.

If immediate patching is blocked, remove external access to port `3000`, place the service behind authenticated access controls, and rotate all API credentials used by compromised nodes.
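The two controls the advisory attributes to the fix, an allowlist of gateway URLs and an authenticated handshake before any `gatewayUrl` override is honoured, shown as a standalone validation routine. This is an added illustration of the control, not OpenClaw's own code: the handshake parameter shape, the `authenticated` flag (real credential verification is outside this snippet) and the returned decision strings are assumptions; the allowlist value is the one from the compose example on this page.

```python
"""
Illustration of gateway URL allowlisting plus an authenticated-handshake gate.
Added example, not OpenClaw code; parameter names and handshake shape are assumed.
"""
from urllib.parse import urlsplit

# Allowlist value taken from the compose example on this page; default is assumed.
ALLOWLIST = "wss://gateway.openclaw.local"
DEFAULT_URL = "wss://gateway.openclaw.local:443/"


class GatewayOverrideRejected(Exception):
    pass


def allowlist_entries(raw: str) -> set:
    """Parse a comma-separated list of wss:// URLs into {(host, port)} pairs."""
    entries = set()
    for item in raw.split(","):
        item = item.strip()
        if not item:
            continue
        u = urlsplit(item)
        if u.scheme != "wss" or not u.hostname:
            raise ValueError(f"allowlist entry must be a wss:// URL with a host: {item!r}")
        entries.add((u.hostname.lower(), u.port or 443))
    return entries


def validate_gateway_override(gateway_url: str, allowlist_raw: str, authenticated: bool) -> str:
    """Return the canonical URL if the override is acceptable, otherwise raise."""
    # Session policy first: an unauthenticated peer never gets to change routing.
    if not authenticated:
        raise GatewayOverrideRejected("handshake not authenticated; override ignored")
    u = urlsplit(gateway_url)
    if u.scheme != "wss":
        raise GatewayOverrideRejected(f"scheme {u.scheme!r} not allowed; only wss")
    if u.username or u.password:
        raise GatewayOverrideRejected("userinfo in gateway URL not allowed")
    if not u.hostname:
        raise GatewayOverrideRejected("missing host")
    try:
        port = u.port or 443
    except ValueError:
        raise GatewayOverrideRejected("malformed port")
    # Exact host match: suffix or substring matching would let
    # "gateway.openclaw.local.example" through.
    key = (u.hostname.lower(), port)
    if key not in allowlist_entries(allowlist_raw):
        raise GatewayOverrideRejected(f"{u.hostname} not in allowlist")
    return f"wss://{key[0]}:{key[1]}{u.path or '/'}"


def route_handshake(params: dict, allowlist_raw: str, default_url: str, authenticated: bool) -> tuple:
    """Pick the gateway URL for a session; any rejected override falls back to the default."""
    override = params.get("gatewayUrl")
    if override is None:
        return default_url, "no override"
    try:
        return validate_gateway_override(override, allowlist_raw, authenticated), "override accepted"
    except GatewayOverrideRejected as exc:
        # Fail closed and keep the reason so it can be logged and alerted on.
        return default_url, f"override rejected: {exc}"


if __name__ == "__main__":
    # Constructed handshakes, not captured traffic.
    for params, authed in [
        ({"gatewayUrl": "wss://gateway.openclaw.local/ws"}, True),
        ({"gatewayUrl": "wss://gateway.openclaw.local/ws"}, False),
        ({"gatewayUrl": "ws://gateway.openclaw.local/ws"}, True),
        ({"gatewayUrl": "wss://gateway.openclaw.local.example/ws"}, True),
    ]:
        print(route_handshake(params, ALLOWLIST, DEFAULT_URL, authed))
```

The order of checks matters: authentication is evaluated before the URL is even parsed, so routing cannot be influenced while session policy initialisation is still pending, which is the window the advisory describes. The rejection reason is returned rather than swallowed so the gateway can emit it as a bootstrap event worth alerting on.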

Docker Compose Patch Example

The following patch restricts exposure by binding the gateway locally while you roll out the fixed release:

```yaml
services:
  openclaw:
    image: ghcr.io/openclaw/openclaw:v2.5.0   # fixed release
    restart: unless-stopped
    ports:
      - "127.0.0.1:3000:3000"                 # loopback only; port 3000 is no longer public
    environment:
      - OPENCLAW_ENFORCE_AUTH=true
      - OPENCLAW_GATEWAY_ALLOWLIST=wss://gateway.openclaw.local
    read_only: true
    security_opt:
      - no-new-privileges:true
```