A high-severity security vulnerability has been disclosed in clawdbot, an npm package used by the Moltbot AI automation platform, according to a recent GitHub Security Advisory. The issue allows attackers to achieve remote code execution (RCE) with a single click by exploiting how the platform’s control interface handles authentication tokens.
Moltbot is a locally run AI automation tool that uses a gateway and web-based Control UI to manage tasks and integrations. The clawdbot package provides the gateway and control components that enable this functionality.
Moltbot supports modular extensions known as skills, which allow the system to perform additional actions and interact with external services. Because the gateway operates with elevated access to local resources, vulnerabilities in clawdbot can have direct system-level impact.
The vulnerability affects clawdbot versions up to v2026.1.28.
According to the advisory, the Control UI in clawdbot trusted a gatewayUrl value supplied through the browser query string without validation. On page load, the interface would automatically connect to that URL and include a stored authentication token in the WebSocket connection payload.
An attacker could exploit this behavior by sending a victim a crafted link or directing them to a malicious website. When opened, the victim’s browser would initiate a connection to an attacker-controlled server and transmit the authentication token.
With the token, the attacker could connect to the victim’s local Moltbot gateway and perform privileged actions, including modifying configuration settings related to sandboxing and tool policies, as well as invoking arbitrary commands. This results in operator-level access and remote code execution.
The advisory notes that the exploit remains effective even when the gateway is configured to listen only on the loopback interface, since the outbound connection is initiated by the victim’s browser.
Users should update to clawdbot v2026.1.29 or later to mitigate the issue.
The patched release requires users to explicitly confirm new gateway URLs in the interface before a connection is established, preventing automatic token transmission.
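The confirm-before-connect behaviour described above can be sketched as follows. This is an added example, not clawdbot's code or its actual patch: the function names, the `askUser` callback, the port and the hostnames are all hypothetical or constructed for illustration.

```javascript
// Added example with hypothetical names; not clawdbot's code.
const ALLOWED_SCHEMES = new Set(["ws:", "wss:"]);

// Parse a candidate gateway URL; return a URL object or null if it is unusable.
function parseGatewayUrl(raw) {
  let url;
  try {
    url = new URL(raw);
  } catch {
    return null; // not an absolute URL
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return null; // WebSocket schemes only
  if (url.username || url.password) return null; // no embedded credentials
  return url;
}

// Key used to remember which gateways the user has approved.
function gatewayKey(url) {
  return `${url.protocol}//${url.host}`;
}

// Decide where the UI may connect (and therefore where the stored token may go).
//   search    - location.search, e.g. "?gatewayUrl=wss://..."
//   savedUrl  - gateway URL already stored by the UI
//   confirmed - Set of gateway keys the user approved earlier
//   askUser   - callback returning true only on explicit approval
function chooseGateway(search, savedUrl, confirmed, askUser) {
  const requested = new URLSearchParams(search).get("gatewayUrl");
  if (requested === null) return { url: savedUrl, reason: "saved" };

  const url = parseGatewayUrl(requested);
  if (url === null) return { url: savedUrl, reason: "invalid" };

  const key = gatewayKey(url);
  if (!confirmed.has(key)) {
    // Never connect on page load to a gateway the user has not approved.
    if (!askUser(key)) return { url: savedUrl, reason: "declined" };
    confirmed.add(key);
  }
  return { url: url.href, reason: "confirmed" };
}

// Constructed sample: loopback gateway saved, link names an unknown host.
const SAVED = "ws://127.0.0.1:9000/";
const demo = chooseGateway("?gatewayUrl=wss://gateway.example.test/ws", SAVED, new Set(), () => false);
console.log(demo); // falls back to the saved gateway
```

The stored token is only ever attached to the URL this function returns, so a link alone cannot redirect it.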
See the GitHub Security Advisory for more technical and security information.
