
OpenClaw Flaw Let Websites Take Over AI Agents

A recent report from Oasis Security reveals a vulnerability in the OpenClaw AI assistant that could allow attackers to hijack agents by enticing victims to visit malicious websites.

The exploitation of this bug does not require the installation of harmful extensions or any interaction from the user. Instead, it takes advantage of existing functionality within OpenClaw.

OpenClaw operates as a self-hosted AI agent, featuring a local WebSocket server that serves as a gateway. This gateway manages authentication, orchestrates the AI agent, oversees chat sessions, and stores configurations.

Devices and applications connect to the gateway as nodes, enabling them to access capabilities, execute commands, and expose certain functionalities. Authentication is conducted through tokens or passwords.

According to Oasis, “The gateway binds to localhost by default, based on the assumption that local access is inherently trusted. That assumption is where things break down.”

The cybersecurity firm found that if developers visited malicious websites, AI agents whose gateway was bound to localhost and protected by a password could be hijacked. Since WebSocket connections to localhost are not restricted by the browser's cross-origin policies, JavaScript on a malicious site could open a connection to the gateway's port.

This connection would allow an attacker to perform a brute-force attack on the password, as localhost connections bypassed the gateway’s rate limiter. In addition, device pairings from localhost were automatically approved without any user prompt.

“The gateway’s rate limiter completely exempts loopback connections: failed attempts are not counted, not throttled, and not logged. In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone. At that speed, a list of common passwords can be exhausted in under a second, while a larger dictionary would take only minutes,” Oasis reported.

Once an attacker successfully guesses the password, they gain an authenticated session with administrator privileges, allowing them to take full control of OpenClaw. This access could enable the attacker to interact with the agent, extract configurations, enumerate nodes, and access logs.

“In practice, this means an attacker could instruct the agent to search the developer’s Slack history for API keys, read private messages, exfiltrate files from connected devices, or execute arbitrary shell commands on any paired node. For a developer with typical OpenClaw integrations, this is equivalent to a complete workstation compromise initiated from a browser tab,” Oasis stated.

The OpenClaw security team responded swiftly, addressing the vulnerability within 24 hours of receiving the report from Oasis and classifying it as a high-severity issue. Users are encouraged to update to OpenClaw version 2026.2.25 or later to ensure their security.
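
The two conditions described above, a localhost WebSocket service reachable from any web page and a rate limiter that exempts loopback, can be closed at the handshake. The sketch below is an added example, not OpenClaw's code or its actual fix; the function names, port 8080, the allowlist and the thresholds are all assumptions chosen for illustration.

```javascript
// Added illustration; all names, the port and the thresholds are assumptions,
// not OpenClaw's code or configuration.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "http://127.0.0.1:8080"]);
const MAX_FAILURES = 5;   // failed attempts allowed per window
const WINDOW_MS = 60_000; // sliding window length

// Browsers attach an Origin header to WebSocket handshakes but do not block
// them cross-origin, so the server has to compare it against an allowlist.
function originAllowed(originHeader) {
  if (originHeader === undefined) return true; // non-browser client: no Origin sent
  try {
    return ALLOWED_ORIGINS.has(new URL(originHeader).origin);
  } catch {
    return false; // "null" or malformed Origin
  }
}

// Counts failed logins per remote address, with no exemption for loopback.
class FailureLimiter {
  constructor() { this.failures = new Map(); }
  recent(addr, now) {
    const kept = (this.failures.get(addr) || []).filter((t) => now - t < WINDOW_MS);
    this.failures.set(addr, kept);
    return kept;
  }
  blocked(addr, now) { return this.recent(addr, now).length >= MAX_FAILURES; }
  recordFailure(addr, now) { this.recent(addr, now).push(now); }
}

// Decide one handshake; returns an HTTP-style status and a reason to log.
// A real gateway would compare the secret in constant time.
function checkHandshake(req, limiter, expectedPassword, now = Date.now()) {
  if (!originAllowed(req.origin)) return { status: 403, reason: "origin-rejected" };
  if (limiter.blocked(req.remoteAddress, now)) return { status: 429, reason: "rate-limited" };
  if (req.password !== expectedPassword) {
    limiter.recordFailure(req.remoteAddress, now);
    return { status: 401, reason: "bad-password" };
  }
  return { status: 101, reason: "ok" };
}
```

Every rejected handshake carries a reason, so failed attempts from 127.0.0.1 appear in logs like any other address.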
