Critical Flaw Found in OpenClaw That Lets Any Website Take Over Your AI Agent



OpenClaw is in the news again for another serious security issue. Security researchers from Oasis Security discovered a zero-interaction vulnerability that could allow a malicious website to silently take control of a developer’s AI agent.

Simply loading the malicious page is enough. The attack needs no plugin, no browser extension, and no user interaction beyond the visit itself.

OpenClaw is a self-hosted AI agent that runs locally on a developer’s machine. It was previously known as Clawdbot and MoltBot. Many developers use it as a personal AI assistant. It connects to Slack, calendars, development tools, and even the local file system. It can take actions on behalf of the user. That deep access is exactly why this flaw is so dangerous.

OpenClaw uses a local WebSocket gateway that binds to localhost. This gateway works as the central control layer. Different nodes, such as macOS apps, iPhones, or other devices, connect to it and expose capabilities like running system commands or reading files.

If a developer visits a malicious website, the site can run JavaScript in the browser. That script can open a WebSocket connection to the OpenClaw gateway on localhost, and modern browsers do not stop it: the same-origin policy does not apply to WebSocket connections. The browser only attaches an Origin header to the handshake, and it is up to the receiving service to check it.

From there, the script can guess the gateway password as fast as the connection allows. The problem is that OpenClaw does not apply rate limiting to localhost connections, so failed attempts are neither blocked nor logged, and nothing slows the guessing down.

Once the password is guessed, the attacker can register as a trusted device. The gateway automatically approves pairings from localhost without asking the user. At that point, the attacker gets full administrative control over the AI agent.

After gaining access, the attacker can directly interact with the AI agent. They can ask it to search Slack history for API keys. They can read private messages. They can pull files from connected systems. They can even execute shell commands.

For a typical developer setup, this amounts to a full compromise of the machine. And it all starts from a single browser tab, with no warning shown to the victim.

Oasis Security demonstrated the full attack in a proof of concept. They were able to crack the gateway password and control a live agent instance from a normal browser session.

The root cause is a set of trust assumptions in the gateway: that traffic arriving on localhost always comes from the user, that browser code cannot reach local services, and that rate limiting is unnecessary on loopback. With a modern browser running on the same machine, none of these assumptions holds.

The OpenClaw team has classified this as high severity. They released a patched version within 24 hours, which is a strong response from an open source team. If you are using OpenClaw, update to version 2026.2.25 or later immediately. Organizations should also check all developer machines for OpenClaw installations. Many teams may not even know how widely it has been adopted.

It is also important to review the API keys and tokens the agent holds. Revoke anything it does not need, and rotate the rest, since an agent that was exposed may already have leaked them. Treat AI agents like service accounts with broad access: they need the same governance and monitoring.




About the Author: Deepanker Verma

Deepanker Verma is a well-known technology blogger and gadget reviewer based in India. He has been writing about Tech for over a decade.
