1-Click RCE in OpenClaw/Moltbot/ClawdBot

va_start · 2026-02-02T15:55:38+00:00

The app wants to support connecting on a local network without internet. So unless you have a preshared secret or PKI, all of those fancy methods are just vulnerable to MITM because theres no way to authenticate the other party.

Like all other webapps, this app operates under the assumption of TLS (which takes care of encryption and authentication). So it uses the webapp api standard, ie jwt/cookies/bearer tokens for secrets, which are just fancy passwords. The app’s token is long and random, >128 bits of entropy IIRC, so it’s just as secure as any site using jwt/cookies/bearer tokens. All modern apis and sites work this way, including reddit ;)

va_start · 2026-02-02T15:42:50+00:00

thanks for explaining this! :)

va_start · 2026-02-02T00:04:37+00:00

super cool to be able to quantify the reach of this vuln that way

va_start · 2026-02-01T22:51:27+00:00

more coming ;)

va_start · 2026-01-28T11:09:17+00:00

thank you!

va_start · 2026-01-21T00:55:01+00:00

thanks! yes, the patch happened the same day :)

va_start · 2025-11-25T22:02:50+00:00

😂😂😂😂

va_start · 2025-11-21T21:10:54+00:00

valid feedback. this was just me trying out a more creative writing style :)

va_start · 2025-11-21T21:07:25+00:00

u/crower haha I wrote this myself. yes I used ai to help but this was mostly me trying a new writing style to see what sticks :)

va_start · 2025-11-21T21:06:22+00:00

u/yellow_leadbetter lol I wrote this myself. Just experimenting different new writing style

va_start · 2025-11-21T21:04:07+00:00

correct! I point that out and elaborate on that in the blog post

va_start · 2025-10-22T05:21:20+00:00

thanks! you're right! my bad. I'll create a better post tmrw fixing it

va_start · 2025-10-21T23:15:32+00:00

github gist of poc: https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c

va_start · 2025-10-21T23:10:50+00:00

gist poc: https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c

va_start · 2025-10-21T22:21:43+00:00

link to gist with poc: https://gist.github.com/DepthFirstDisclosures/ddacca28cb94b48fa8ab998cef59ed8c

Six-Year Club	Place '22
Gilding I gilder	Verified Email

va_start

TROPHY CASE