A newly found security flaw in OpenClaw, a rapidly expanding open-source AI agent platform, poses serious risks. Discovered by Oasis Security experts, this zero-interaction vulnerability enables malicious websites to take over a developer’s AI agent without requiring any plugins or user actions.
OpenClaw, which has undergone several name changes from Clawdbot to MoltBot, has swiftly gained popularity, amassing over 100,000 stars on GitHub within just five days. It serves as a vital tool for numerous developers, operating as a personal assistant that integrates with messaging apps, development tools, and local systems on developer laptops.
Understanding the Attack Mechanics
The attack targets the OpenClaw system by exploiting its local WebSocket gateway, which connects various devices like macOS apps and iOS devices to the AI agent. This gateway facilitates commands and file access, making it a focal point for exploitation.
The attack process is straightforward: a developer simply visits a malicious website. JavaScript on that page opens a WebSocket connection to the local OpenClaw gateway. Because browsers do not block a web page from opening cross-origin connections to loopback addresses, the script can proceed to brute-force the gateway password.
Once the script gains access, it registers itself as a trusted device, gaining admin-level control without alerting the user. This flaw stems from assumptions about localhost trustworthiness and inadequate rate limiting for loopback addresses.
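The two root causes above, a loopback peer treated as trusted and no rate limit on password attempts from loopback, can both be closed at the WebSocket handshake. The following is an added illustration, not OpenClaw's own code: the origin allowlist, limits and helper names are assumptions, and the state is kept in memory for clarity.

```javascript
// Added example (not OpenClaw code): gating an upgrade request to a local WebSocket gateway.
// Check 1: a browser page on any site can reach 127.0.0.1, so the HTTP Origin header,
//          not the peer address, decides whether a connection may even attempt to log in.
// Check 2: failed password attempts are counted per peer, and 127.0.0.1 gets no exemption.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000", "app://openclaw"]); // assumed values
const MAX_FAILURES = 5;            // failed attempts before lockout (assumed)
const LOCKOUT_MS = 15 * 60 * 1000; // 15-minute lockout (assumed)

// Browsers always send Origin on a WebSocket upgrade; native desktop/mobile clients may omit it.
// An Origin outside the allowlist means "some web page is driving this socket": reject early.
function originAllowed(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return true; // non-browser client; it still has to authenticate
  return ALLOWED_ORIGINS.has(origin);
}

// Compares two secrets without leaking their length or position of the first mismatch.
function constantTimeEqual(a, b) {
  const x = String(a), y = String(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < Math.max(x.length, y.length); i++) {
    diff |= (x.charCodeAt(i) || 0) ^ (y.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Per-peer failure tracker. The clock is injectable so behaviour can be tested deterministically.
class AuthLimiter {
  constructor(now = () => Date.now()) { this.now = now; this.state = new Map(); }

  isLocked(peer) {
    const s = this.state.get(peer);
    return !!s && s.lockedUntil > this.now();
  }

  // Records one password attempt from `peer`; returns true only if it is accepted.
  // A locked peer is refused even when it finally supplies the right password.
  attempt(peer, supplied, expected) {
    if (this.isLocked(peer)) return false;
    if (constantTimeEqual(supplied, expected)) { this.state.delete(peer); return true; }
    const s = this.state.get(peer) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= MAX_FAILURES) { s.lockedUntil = this.now() + LOCKOUT_MS; s.failures = 0; }
    this.state.set(peer, s);
    return false;
  }
}
```

A gateway would run originAllowed on the upgrade request before any authentication and route every password check through a single shared AuthLimiter, so a page hammering the loopback address is locked out after a handful of guesses.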
Implications of the Vulnerability
With complete access, attackers can manipulate the AI agent, retrieve sensitive data, and execute commands. This is akin to a full system compromise initiated quietly from a browser window.
Oasis Security’s proof-of-concept highlighted these vulnerabilities, showcasing the ease with which an attacker could breach the system from a regular web session.
Recommended Mitigation Strategies
Developers are urged to promptly upgrade to OpenClaw version 2026.2.25 or later. Additionally, they should audit all OpenClaw installations, especially those that may exist outside of IT oversight.
Revoking unnecessary credentials and enforcing strict governance over AI agent identities are critical steps in safeguarding systems. These measures should parallel the security rigor applied to human users and service accounts.
The OpenClaw team responded swiftly, releasing a patch within 24 hours. Despite this, organizations must act quickly to ensure all systems are updated, given the tool’s widespread use and the potential for unpatched instances.