A flaw in the OpenClaw AI assistant’s local gateway allowed attackers to hijack agents by luring developers to malicious websites without installing extensions or requiring further user interaction. Because the WebSocket gateway bound to localhost exempted loopback from rate limiting and allowed cross-origin connections, browser JavaScript could brute-force passwords and gain admin control; OpenClaw was patched and users should upgrade to version 2026.2.25. #OpenClaw #OasisSecurity
Keypoints
- A vulnerability in OpenClaw’s local WebSocket gateway could let attackers hijack agents via malicious websites.
- No malicious extensions or additional user interaction were required to exploit the bug.
- Browsers allowed cross-origin WebSocket connections to localhost, enabling JavaScript to connect to the agent’s port.
- The gateway’s rate limiter exempted loopback connections, permitting high-speed brute-force password attacks and automatic device pairing.
- Successful compromise gives administrator access to exfiltrate data or execute commands; OpenClaw was patched within 24 hours—update to 2026.2.25.
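As an added illustration (not OpenClaw's code, and not taken from the report linked below), the two checks the key points describe as missing, written as a hardened WebSocket handshake gate in Python: browser Origin validation against an allowlist, and a failed-login rate limiter that gives loopback no exemption. The allowed origin and port, peer address, password and clock values are assumed, and request headers are assumed to arrive as a dict with lowercase keys.

```python
import hmac
from collections import defaultdict, deque

# Assumption: the gateway's own local UI origin (hypothetical port).
ALLOWED_ORIGINS = {"http://localhost:18789"}

class AuthRateLimiter:
    """Sliding-window count of failed logins per peer, with no loopback exemption.
    On a localhost-bound gateway every browser tab arrives as 127.0.0.1, so the
    limit is effectively global: the fail-closed choice for a single-user tool."""

    def __init__(self, max_failures=5, window_s=60.0):
        self.max_failures, self.window_s = max_failures, window_s
        self._failures = defaultdict(deque)

    def _recent(self, peer, now):
        q = self._failures[peer]
        while q and now - q[0] > self.window_s:  # drop failures outside the window
            q.popleft()
        return q

    def is_blocked(self, peer, now):
        return len(self._recent(peer, now)) >= self.max_failures

    def record_failure(self, peer, now):
        self._recent(peer, now).append(now)

def check_origin(headers):
    """Browsers always send Origin on a WebSocket upgrade; CLI/SDK clients usually
    do not. A browser origin outside the allowlist is refused, so a web page
    cannot open a cross-origin socket to the local gateway."""
    origin = headers.get("origin")
    if origin is None:
        return True, "no Origin header (non-browser client)"
    if origin in ALLOWED_ORIGINS:
        return True, "allowed origin"
    return False, f"rejected cross-origin WebSocket from {origin}"

def gate_handshake(headers, peer_ip, password, expected, limiter, now):
    """Origin check, then rate limit, then constant-time password comparison.
    `now` is the caller's monotonic clock in seconds. Returns (accepted, reason)."""
    ok, why = check_origin(headers)
    if not ok:
        return False, why
    if limiter.is_blocked(peer_ip, now):
        return False, "too many failed attempts; try again later"
    if not hmac.compare_digest(password.encode(), expected.encode()):
        limiter.record_failure(peer_ip, now)
        return False, "authentication failed"
    return True, "authenticated"
```

Because the limiter is keyed by peer address and loopback is not special-cased, a page-driven guessing loop locks the gateway after a handful of failures instead of running at full speed.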
Read More: https://www.securityweek.com/openclaw-vulnerability-allowed-malicious-websites-to-hijack-ai-agents/