- Oasis security researchers find a serious flaw in the OpenClaw AI agent
- Exploitation allowed malicious websites to brute-force local gateway authentication and gain full control
- Vulnerability fixed within 24 hours; users are encouraged to upgrade to version 2026.2.25 or later
OpenClaw, the wildly popular open source AI agent platform, was vulnerable to a serious flaw that allowed threat actors to steal sensitive data from target computers with relative ease, experts have warned.
The flaw was discovered by security researchers at Oasis and was fixed after responsible disclosure.
For those unfamiliar with OpenClaw, it is an AI agent that users install on their computers and interact with via a web dashboard or terminal. The tool connects to calendars and messaging apps, and can respond to emails, set up calendar events and more. It is currently one of the most popular AI projects, with more than 100,000 stars on GitHub.
Brute force the password
But the very design of the tool left a gaping security hole that Oasis says is relatively easy to exploit. It doesn’t require a third-party add-on, prior compromise, or anything like that. All the victim has to do is visit a malicious website.
“What we found is different. Our vulnerability lives in the core system itself — no plugins, no marketplace, no user-installed extensions — just the bare-bones OpenClaw gateway running exactly as documented,” the researchers explained.
Oasis explains that OpenClaw runs a local WebSocket server, the gateway, which handles authentication and more. Nodes, such as companion apps and other machines, connect to the gateway, expose functions, run system commands, and access the camera (among other things). The gateway can send commands to any connected node.
Authentication is handled via either a token or a password, and the gateway binds to localhost by default.
If a victim visits a malicious site, its JavaScript can open a WebSocket connection to localhost, brute-force the gateway password with ease, and authenticate as a fully trusted entity.
When that happens, “the attacker is then in full control,” Oasis concluded. “They can interact with the AI agent, dump configuration data, enumerate connected devices and read logs.”
A fix was implemented 24 hours after the initial publication, and users are encouraged to upgrade their instances to version 2026.2.25 or later.
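Two server-side checks bear on the browser-to-localhost path described above: validating the handshake's Origin header and throttling failed logins without exempting loopback. The sketch below is an added example, not OpenClaw's code or its actual fix; the function names, allowed origins and port are assumptions.

```javascript
// Added example: every name and value below is hypothetical, not OpenClaw's.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "http://127.0.0.1:8080"]); // constructed

// Browsers attach Origin to every WebSocket handshake and page script cannot
// change it. Native clients usually send none, so absence is left to auth.
function originAllowed(headers) {
  const origin = headers["origin"];
  return origin === undefined || ALLOWED_ORIGINS.has(origin);
}

// Failed-auth throttle keyed by remote address, with no loopback exemption.
class AuthThrottle {
  constructor(maxFailures = 5, lockoutMs = 60000) {
    this.maxFailures = maxFailures;
    this.lockoutMs = lockoutMs;
    this.state = new Map(); // remoteAddr -> { failures, lockedUntil }
  }
  isLocked(addr, now) {
    const s = this.state.get(addr);
    return s !== undefined && now < s.lockedUntil;
  }
  recordFailure(addr, now) {
    const s = this.state.get(addr) || { failures: 0, lockedUntil: 0 };
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      s.failures = 0;
      s.lockedUntil = now + this.lockoutMs;
    }
    this.state.set(addr, s);
  }
  recordSuccess(addr) { this.state.delete(addr); }
}

// Decide one authentication attempt. `verify` is the caller's own
// constant-time secret check; `now` is a millisecond timestamp.
function decideAuth(throttle, headers, remoteAddr, secret, verify, now) {
  if (!originAllowed(headers)) return "rejected-origin";
  if (throttle.isLocked(remoteAddr, now)) return "throttled";
  if (verify(secret)) { throttle.recordSuccess(remoteAddr); return "ok"; }
  throttle.recordFailure(remoteAddr, now);
  return "denied";
}
```

The Origin check only constrains browsers; the throttle is what bounds guessing by any client that reaches the port, including one on the same machine.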