Trending
Digital IT News
OpenClaw

Oasis Security Uncovers Critical OpenClaw Vulnerability

0
By on AI, News, Security
Oasis Security published new threat research detailing a vulnerability chain in OpenClaw that enables any website to covertly seize full control of a developer’s AI agent—without requiring plugins, extensions, or any user interaction.

OpenClaw, the open-source AI agent that rocketed to over 100,000 GitHub stars in five days, has become the default personal assistant for thousands of developers. It runs on their laptops, connects to their messaging apps, calendars, and dev tools, and takes autonomous actions on their behalf. It has also been trivially vulnerable to hijacking from any website the developer visits.

The Rise of OpenClaw
OpenClaw is a self-hosted AI agent that recently took the developer world by storm, becoming one of the fastest-growing open-source projects in history. Users interact with OpenClaw through a web dashboard or terminal, allowing it to autonomously send messages, run commands, manage workflows across platforms, and even form an emergent AI social network.

The Vulnerability
The vulnerability the Oasis Security Research Team discovered lives in the core system itself—no plugins, no marketplace, no user-installed extensions—just the bare OpenClaw gateway, running exactly as documented.

Here’s the scenario: A developer has OpenClaw running on their laptop, with the gateway bound to localhost, protected by a password. They’re browsing the web and accidentally land on a malicious website. That’s all it takes.

The full attack chain works as follows:

  1. The victim visits any attacker-controlled (or compromised) website in their normal browser.
  2. JavaScript on the page opens a WebSocket connection to localhost on the OpenClaw gateway port (permitted because WebSocket connections to localhost are not blocked by cross-origin policies).
  3. The script brute-forces the gateway password at hundreds of attempts per second. The gateway’s rate limiter exempts localhost connections entirely.
  4. Once authenticated, the script silently registers as a trusted device. The gateway auto-approves device pairings from localhost with no user prompt.
  5. The attacker then has full control. They can interact with the AI agent, dump configuration data, enumerate connected devices, and read logs.

This means an attacker could instruct the agent to search the developer’s Slack history for API keys, read private messages, exfiltrate files from connected devices, or execute arbitrary shell commands on any paired node. For a developer with typical OpenClaw integrations, this is equivalent to full workstation compromise, initiated from a browser tab.

The Oasis Security Research Team demonstrated this end-to-end: From a browser on an unrelated website, its proof-of-concept guessed the gateway password, connected with full permissions, and successfully interacted with the user’s AI agent, all without the user seeing any indication that anything had happened.

What Organizations Should Do
The rapid adoption of tools like OpenClaw means many organizations already have instances running on developer machines, often without IT’s knowledge. Here are recommended steps to take:

  1. Gain visibility into AI tooling. You can’t secure what you can’t see. Inventory which AI agents and assistants are running across your developer fleet. OpenClaw instances, local LLM servers, and similar tools represent a growing blind spot.
  2. Review the access granted to AI agents. OpenClaw agents can hold API keys for AI providers, connect to messaging platforms, and execute system commands on connected devices. Audit what credentials and capabilities each instance has been granted, and revoke anything that isn’t actively needed.
  3. Establish governance for non-human identities. AI agents are a new class of identity in your organization – they authenticate, hold credentials, and take autonomous actions. They need to be governed with the same rigor as human users and service accounts. This means intent analysis (understanding what an agent action is trying to do before it happens), policy enforcement (deterministic guardrails that block dangerous actions and require human approval for sensitive operations), just-in-time access (short-lived, per-session, scoped only to the required task), and a full audit trail from human to agent to action to result. This is the problem that Oasis Security’s Agentic Access Management platform was purpose-built to solve.

As AI agents become standard tools in every developer’s workflow, the question isn’t whether to adopt them, it’s whether organizations can govern them.

“Prompt injection and agent hijacking cases are persistent threats in this era of broad AI adoption,” said Elad Luz, Head of Research at Oasis Security. “Managing the scope of AI agents’ access is a critical governance step organizations must take to reduce the blast radius and manage risk.”

If you or your team run OpenClaw, update to version 2026.2.25 or later immediately.

Responsible Disclosure and Fix
Oasis Security reported this vulnerability to the OpenClaw security team with full technical details, root cause analysis, and proof-of-concept code. The team classified it as high severity and pushed a fix in less than 24 hours, an impressive response time, especially for a volunteer-driven open-source project.

Read the Oasis Security Research Team’s blog OpenClaw Vulnerability: Website-to-Local Agent Takeover for more information here.

Related News:

Oasis Security and Sequoia Launch AAM Framework for AI Governance

Oasis Security Debuts NHI Management Fundamentals Certification

Share.

About Author

Taylor Graham, marketing grad with an inner nature to be a perpetual researchist, currently all things IT. Personally and professionally, Taylor is one to know with her tenacity and encouraging spirit. When not working you can find her spending time with friends and family.

Related Posts