Oasis Security Discovers Critical WebSocket Vulnerability in OpenClaw

Source: PR Newswire

The Oasis Security Research Team has disclosed a critical vulnerability chain in OpenClaw that allows any website to silently take full control of a developer's AI agent — with no plugins, extensions, or user interaction required.

How the Attack Works

The exploit targets the core OpenClaw gateway through a four-step attack chain:

  • Initial access — A developer visits an attacker-controlled website containing malicious JavaScript.
  • WebSocket connection — The script opens a WebSocket connection to localhost on the OpenClaw gateway port. Browsers do not apply to WebSocket connections the cross-origin policies that protect HTTP requests.
  • Password brute-forcing — The script attempts hundreds of password guesses per second. The gateway's rate limiter exempted localhost connections entirely, assuming local traffic was trusted.
  • Device registration — Once authenticated, the script automatically registers as a trusted device without prompting the user.

What Attackers Could Do

Researchers demonstrated that a compromised agent could be instructed to search Slack history for API keys, read private messages, exfiltrate files, or execute arbitrary shell commands on paired nodes — effectively achieving full workstation compromise from a browser tab.

The Fix

The OpenClaw team released a patch less than 24 hours after disclosure. Versions 2026.2.25 and later include gateway auth origin checks and password-auth throttling that close this attack vector. All users should update immediately.
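
The two mitigations named above, an origin check on the WebSocket handshake and password-auth throttling that also covers localhost, can be sketched as follows. This is an added example, not OpenClaw's code: the function names, the allowlisted origin, and the limits are assumptions.

```javascript
// Added example: names, limits and the allowlist below are assumptions.
// Constructed allowlist: the origin(s) that serve the gateway's own UI.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]);

// Browsers always send Origin on a WebSocket handshake and page script
// cannot forge it, so a present-but-unlisted Origin is a foreign web page.
function isAllowedOrigin(originHeader, allowed = ALLOWED_ORIGINS) {
  if (originHeader === undefined) return true; // non-browser client; must still authenticate
  try {
    return allowed.has(new URL(originHeader).origin);
  } catch {
    return false; // "null" (opaque origin) or a malformed value
  }
}

// Sliding-window limiter keyed by remote address, with no loopback exemption.
class AuthThrottle {
  constructor(maxFailures = 5, windowMs = 60_000) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // addr -> timestamps of recent failed attempts
  }
  allow(addr, now = Date.now()) {
    const recent = (this.failures.get(addr) || []).filter((t) => now - t < this.windowMs);
    this.failures.set(addr, recent);
    return recent.length < this.maxFailures;
  }
  recordFailure(addr, now = Date.now()) {
    this.failures.set(addr, [...(this.failures.get(addr) || []), now]);
  }
}

// Decision for one password-auth attempt on an upgraded connection.
// `verify` is the caller's password check (it should compare in constant time).
function handleAuthAttempt(req, throttle, verify, now = Date.now()) {
  if (!isAllowedOrigin(req.origin)) return "reject-origin";
  if (!throttle.allow(req.remoteAddr, now)) return "throttled";
  if (!verify(req.password)) {
    throttle.recordFailure(req.remoteAddr, now);
    return "bad-password";
  }
  return "ok";
}
```

Failures are not cleared on a successful login, because every local client shares the loopback address and a legitimate login would otherwise reset the count for a guessing script.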

Why It Matters

This vulnerability is particularly concerning for organizations where OpenClaw runs on developer machines — often without IT department visibility. The flaw existed in the core system itself, not in any plugin or extension, meaning every default installation was potentially affected.

OpenClaw Launch users are protected — managed instances run in isolated Docker containers that are not accessible from a user's local browser, eliminating this localhost-based attack vector entirely.
