- Oasis security researchers find high-severity flaw in OpenClaw AI agent
- The exploit allowed malicious websites to brute-force local gateway authentication and gain full control.
- Vulnerability patched within 24 hours; Users are encouraged to update to version 2026.2.25 or later.
OpenClaw, the popular open source AI agent platform, was vulnerable to a high severity flaw that allowed threat actors to steal sensitive data from target computers with relative ease, experts warned.
The bug was discovered by Oasis security researchers and was fixed after responsible disclosure.
For those unfamiliar with OpenClaw, it is an artificial intelligence agent that users install on their computers and interact with through a web panel or terminal. The tool connects to calendars, messaging apps, and can reply to emails, set up calendar events, and more. It is currently one of the most popular AI projects, with more than 100,000 stars on GitHub.
Brute force the password
But the tool’s very design left a gaping security hole that Oasis says is relatively easy to exploit. It doesn’t require a third-party plugin, prior commitment or anything like that. All the victim needs to do is visit a malicious website.
“What we found is different. Our vulnerability lies in the core system itself: no plugins, no marketplace, no user-installed extensions, just the OpenClaw gateway, which runs exactly as documented,” the researchers explained.
Explaining how the bug works, Oasis says that OpenClaw runs a local WebSocket server that handles authentication and more. Nodes, such as companion applications and other machines, connect to the gateway, expose capabilities, execute system commands, and access the camera (among other things). The gateway can send commands to any connected node.
Authentication is handled using a token or password, and the gateway is bound to the localhost by default.
If a victim visits a malicious website, its JavaScript can open a WebSocket connection to the local host, easily brute-force the gateway password, and authenticate itself as a fully trusted device.
Once that happens, “the attacker is in full control,” Oasis concluded. “They can interact with the AI agent, dump configuration data, list connected devices, and read logs.”
A fix was deployed 24 hours after the initial disclosure and users are encouraged to upgrade their instances to version 2026.2.25 or later.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds. Be sure to click the Follow button!
And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form and receive regular updates from us on WhatsApp also.
