OpenClaw AI Agent Faces Critical WebSocket Password Flaw, Patch Issued
Key Points
- Oasis researchers found a high‑severity flaw in OpenClaw’s core gateway.
- The vulnerability allows a malicious website to brute‑force the local gateway password via WebSocket.
- Successful exploitation grants full control over the AI agent and connected devices.
- No plugins or prior infection are needed; the attack works on the bare installation.
- A patch was released within 24 hours and is included in version 2026.2.25.
- Users are urged to upgrade and verify they are running the patched version.
- OpenClaw remains a highly popular open‑source AI project with over 100,000 GitHub stars.
Security researchers at Oasis uncovered a high‑severity vulnerability in the popular open‑source OpenClaw AI agent. The flaw lets a malicious website open a local WebSocket connection and brute‑force the gateway password, granting full control over the system. OpenClaw’s core gateway, which handles authentication for connected nodes, is exposed to localhost and can be compromised without any plugins or prior infection. A fix was released within 24 hours, and users are urged to upgrade to version 2026.2.25 or later.
Background
OpenClaw is an open‑source AI agent platform that users install on their computers and interact with through a web dashboard or terminal. The tool integrates with calendars, messaging apps, and can automate email handling and event scheduling. It has become one of the most widely recognized AI projects, attracting more than 100,000 stars on GitHub.
Vulnerability Details
Researchers from Oasis identified a critical flaw embedded in OpenClaw’s core gateway. The gateway runs a local WebSocket server that manages authentication for nodes such as companion apps and other machines. Authentication is performed via either a token or a password, and the service binds to localhost by default. Because the gateway is reachable from the local machine, a malicious website can execute JavaScript that opens a WebSocket connection to the gateway.
The malicious script can then attempt password guesses repeatedly, effectively brute‑forcing the gateway password. Once the correct password is discovered, the attacker is authenticated as a trusted device and gains unrestricted access to the AI agent’s functions.
Impact
Successful exploitation gives the attacker full control over the OpenClaw instance. The attacker can interact with the AI agent, dump configuration data, enumerate connected devices, read logs, and execute system commands. Because the vulnerability resides in the core system, no third‑party add‑ons, marketplace extensions, or prior compromise are required to carry out the attack.
Mitigation and Response
Oasis responsibly disclosed the issue to the OpenClaw maintainers, who developed a patch within 24 hours of the initial report. The fix was released in version 2026.2.25. Users are strongly encouraged to upgrade to this version or any later release to close the vulnerability.
OpenClaw’s developers have also issued guidance for users to verify that they are running the patched version and to monitor for any suspicious activity. The quick response demonstrates a proactive security posture in the open‑source community.
Conclusion
The discovery underscores the importance of securing local services that bind to localhost, especially when they expose authentication mechanisms. While the vulnerability presented a severe risk, the rapid patch and clear upgrade path help mitigate potential damage for the large user base of OpenClaw.