CVE-2026-25253 was patched in OpenClaw 2026.1.29. The vulnerability is no longer an active threat in patched environments. What Qualys published on April 13 is something more useful than a patch notice: a technical case study showing exactly how the unpatched vulnerability chains through common enterprise identity misconfigurations to create a full path from token leakage to domain controller compromise — and why any autonomous agent running on a host with weak Active Directory hygiene carries the same structural risk regardless of its patch status.
The vulnerability carried a CVSS base score of 8.8 and a Qualys Vulnerability Severity Score (QVSS) of 9.5 prior to the patch.
The Vulnerability
CVE-2026-25253 targets OpenClaw’s Control UI, which trusts the gatewayUrl parameter from the query string without validation. When the UI loads, it initiates a WebSocket connection and transmits a stored gateway token to whatever endpoint the parameter specifies. Versions prior to the patched release 2026.1.29 are affected.
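The defensive pattern implied by this description is to treat the query-string value as untrusted and to send the stored token only to a gateway the UI already has reason to trust. The following is an added illustration, not OpenClaw's code and not a description of its patched implementation: the function name, the page origin and the allowlist are assumptions; only the default port 18792 comes from the article.

```javascript
// Added example (hypothetical, not OpenClaw's code): resolve the gateway a
// control UI should open a WebSocket to, treating the gatewayUrl query
// parameter as untrusted input. The token is only ever sent to the URL this
// function returns, so an unrecognised host falls back to the default.
// Assumption: the default gateway is the local port the article names.
const DEFAULT_GATEWAY = "ws://127.0.0.1:18792";

function resolveGatewayUrl(queryString, pageOrigin, allowedOrigins = []) {
  const params = new URLSearchParams(queryString);
  const candidate = params.get("gatewayUrl");
  if (candidate === null) {
    return { url: DEFAULT_GATEWAY, reason: "no gatewayUrl parameter" };
  }

  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return { url: DEFAULT_GATEWAY, reason: "unparseable gatewayUrl" };
  }

  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
    return { url: DEFAULT_GATEWAY, reason: "non-WebSocket scheme" };
  }

  // Compare host (hostname plus port), not origin: a ws:// URL never shares an
  // origin with the http(s):// page that loaded the UI. Allowlist entries are
  // therefore expected to carry their port.
  const allowedHosts = new Set([
    new URL(pageOrigin).host,
    ...allowedOrigins.map((o) => new URL(o).host),
  ]);
  if (!allowedHosts.has(parsed.host)) {
    return { url: DEFAULT_GATEWAY, reason: `host ${parsed.host} not allowlisted` };
  }

  return { url: parsed.toString(), reason: "allowlisted" };
}

// Usage with constructed inputs: the page is served from the gateway itself.
const PAGE_ORIGIN = "http://127.0.0.1:18792";
console.log(resolveGatewayUrl("?gatewayUrl=ws://untrusted.example:18792", PAGE_ORIGIN));
console.log(resolveGatewayUrl("?gatewayUrl=ws://127.0.0.1:18792", PAGE_ORIGIN));
```

The important property is that the fallback path and the allowlisted path are the only two ways a URL can leave the function, so a redirect to an arbitrary endpoint cannot carry the token even if the parameter is attacker-controlled.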
The Qualys case study found the vulnerable clawdbot package on a Windows Server 2025 Datacenter EC2 instance. Microsoft Defender Vulnerability Management independently confirmed a related Node.js vulnerability (CVE-2025-55130, CVSS v3: 9.1) on the same host, providing dual-source confirmation that the OpenClaw installation was exploitable.
From Disk to Attack Surface
The presence of vulnerable software on disk is one risk category. The turning point, according to Qualys, came when External Attack Surface Management (EASM) scans revealed Node.js actively listening on TCP port 18792, OpenClaw’s default communication port. The agent was running, reachable, and exposed.
Qualys then correlated two identity misconfigurations on the same host:
- SID History injection path. Accounts retained SID History tied to non-existent domains, enabling impersonation of privileged identities.
- Missing Kerberos pre-authentication. Multiple accounts lacked pre-auth requirements, opening exposure to AS-REP Roasting attacks and credential compromise.
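Both findings can be checked mechanically from a directory export. The following is an added example, not Qualys' tooling and not OpenClaw code: it flags accounts whose userAccountControl carries the bit that disables Kerberos pre-authentication, and accounts whose sIDHistory references a domain SID that is not among the domains the forest currently knows. The account records, the domain SIDs and the function names are constructed for illustration.

```javascript
// Added example (not Qualys' or OpenClaw's code): flag the two identity
// misconfigurations from the case study over account records shaped like an
// LDAP export of sAMAccountName, userAccountControl and sIDHistory.

// userAccountControl flag UF_DONT_REQUIRE_PREAUTH: the account does not need
// Kerberos pre-authentication, which is what exposes it to AS-REP Roasting.
const UF_DONT_REQUIRE_PREAUTH = 0x400000;

// A SID is S-1-5-21-<domain identifier>-<RID>; dropping the last component
// yields the SID of the domain the entry belonged to.
function domainSidOf(sid) {
  return sid.slice(0, sid.lastIndexOf("-"));
}

// knownDomainSids: the domain SIDs of every domain in the forest and of any
// trusted domain. Any sIDHistory entry outside that set points at a domain
// that no longer exists, which is the orphaned-SID-History condition.
function findIdentityRisks(accounts, knownDomainSids) {
  const known = new Set(knownDomainSids);
  const findings = [];
  for (const acct of accounts) {
    if ((acct.userAccountControl & UF_DONT_REQUIRE_PREAUTH) !== 0) {
      findings.push({ sam: acct.sAMAccountName, risk: "no-preauth" });
    }
    for (const hist of acct.sIDHistory ?? []) {
      if (!known.has(domainSidOf(hist))) {
        findings.push({ sam: acct.sAMAccountName, risk: "orphaned-sidhistory", sid: hist });
      }
    }
  }
  return findings;
}

// Constructed data: one current domain, and three accounts.
const KNOWN_DOMAIN_SIDS = ["S-1-5-21-1111111111-2222222222-3333333333"];
const SAMPLE_ACCOUNTS = [
  // NORMAL_ACCOUNT (0x200) with pre-auth disabled: AS-REP Roastable.
  { sAMAccountName: "svc_openclaw", userAccountControl: 0x400200, sIDHistory: [] },
  // Migrated account whose history still names a domain that is gone; RID 512
  // is Domain Admins in any domain, so this entry grants privileged impersonation.
  { sAMAccountName: "migrated.admin", userAccountControl: 0x200,
    sIDHistory: ["S-1-5-21-9999999999-8888888888-7777777777-512"] },
  // Clean account: history points at the current domain.
  { sAMAccountName: "jdoe", userAccountControl: 0x200,
    sIDHistory: ["S-1-5-21-1111111111-2222222222-3333333333-1105"] },
];

console.table(findIdentityRisks(SAMPLE_ACCOUNTS, KNOWN_DOMAIN_SIDS));
```

Run on its own, the script reports svc_openclaw for missing pre-authentication and migrated.admin for the orphaned SID History entry, and nothing for jdoe. The point of the article is that the host running the agent is the third input: joining these findings with "is the agent listening" and "is the port reachable" is what turns two low-priority hygiene items into an escalation.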
The Full Chain
The attack path Qualys documented reads: exploit CVE-2026-25253 to leak the OpenClaw gateway token from the Control UI. Use the token to gain access to the OpenClaw service via port 18792. Leverage SID History injection to escalate from user-level to a domain-privileged account. Dump credentials via AS-REP Roasting against accounts without Kerberos pre-auth. Achieve persistence, lateral movement, and eventually reach Domain Admin or Domain Controllers.
No single finding in isolation warranted escalation, Qualys noted: “A single vulnerability may not look urgent. A package name alone may not justify escalation. But when multiple signals are correlated, the picture changes.”
The Architectural Lesson
The case study positions Qualys ETM as the correlation layer, combining VMDR (endpoint scanning), EASM (exposure detection), and Identity telemetry into a unified risk view. That is a product pitch. The underlying lesson is vendor-agnostic.
Autonomous agents running on enterprise infrastructure do not stay sandboxed. They inherit the identity context of the host they run on. A vulnerable agent on a host with weak Active Directory hygiene is not a software bug. It is a lateral movement opportunity with a built-in token exfiltration primitive.
Security teams evaluating agent deployments need to answer three questions beyond “is this software approved”: Is it running? Is it reachable? And what identity context does its host provide to an attacker who gets in?
The CVE is patched in OpenClaw 2026.1.29. The identity misconfigurations it chains with are not.