- Oasis security researchers find a high-severity flaw in OpenClaw AI agent
- Exploit allowed malicious websites to brute-force local gateway authentication and gain full control
- Vulnerability patched within 24 hours; users urged to upgrade to version 2026.2.25 or later
OpenClaw, the vastly popular open source AI agent platform, was vulnerable to a high-severity flaw which allowed threat actors to steal sensitive data from target computers with relative ease, experts have warned.
The bug was discovered by security researchers Oasis, and was patched following responsible disclosure.
For those unfamiliar with OpenClaw, it is an AI agent that users install on their computers and interact with through a web dashboard or terminal. The tool connects to calendars, messaging apps, and can respond to emails, set up calendar events, and more. It is currently one of the most popular AI projects, with more than 100,000 stars on GitHub.
Brute forcing the password
But the very design of the tool left a gaping security hole which, according to Oasis, is relatively easy to exploit. It doesn’t require a third-party addon, previous compromise, or anything of sorts. All the victim needs to do is visit a malicious website.
“What we found is different. Our vulnerability lives in the core system itself—no plugins, no marketplace, no user-installed extensions —just the bare OpenClaw gateway, running exactly as documented,” the researchers explained.
Explaining how the bug works, Oasis says OpenClaw runs a local WebSocket server that handles authentication, and more. Nodes, such as companion apps and other machines, connect to the gateway, expose capabilities, run system commands, and access the camera (among other things). The gateway can dispatch commands to any connected node.
Authentication is handled either via a token or a password, and the gateway binds to localhost by default.
If a victim visits a malicious website, its JavaScript can open a WebSocket connection to localhost, brute-force the gateway password with ease, and authenticate as a fully trusted device.
Once that happens, “the attacker then has full control,” Oasis concluded. “They can interact with the AI agent, dump configuration data, enumerate connected devices, and read logs.”
A fix was deployed 24 hours after initial disclosure, and users are urged to upgrade their instances to version 2026.2.25 or later.
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.
