OpenClaw 0-Click Vulnerability Lets Malicious Sites Hijack AI Agents
A critical zero-click vulnerability in OpenClaw exposes developers to attacks from any malicious website. It allows silent takeover of the AI agent framework without user action, plugins, or extensions. Oasis Security researchers uncovered this flaw in one of the fastest-growing open-source tools.
OpenClaw runs locally on developer laptops. It connects to messaging apps, calendars, development tools, and local files. Thousands of developers use it as a personal assistant. The tool gained over 100,000 GitHub stars in five days after rebranding from Clawdbot and MoltBot.
This vulnerability is dangerous because of OpenClaw's broad access. Attackers can steal data or run commands with no visible signs. Modern browsers make the exploit possible by allowing web pages to open WebSocket connections to localhost. Developers must act fast to protect their systems.
How the Attack Unfolds
OpenClaw uses a local WebSocket gateway on localhost for orchestration. Nodes like macOS apps or iOS devices register and share capabilities such as file access and command execution. The attack starts when a developer visits a bad site.
JavaScript on the site connects to the gateway. Browsers allow cross-origin WebSocket to loopback addresses. The script then brute-forces the gateway password at high speed. Rate limiting skips localhost traffic, so no blocks or logs occur.
Once in, the script registers as a trusted device. Gateways auto-approve localhost pairings. Attackers gain admin control over the agent. They can search Slack for API keys, read messages, steal files, or run shell commands.
Oasis Security’s proof-of-concept shows the full chain. It cracks passwords and controls live agents from a browser tab. This equals a workstation takeover for typical setups.
| Attack Step | Description | Key Flaw |
|---|---|---|
| Site Visit | User browses to malicious page | No user action needed |
| WebSocket Open | JS connects to localhost gateway | Browsers permit loopback |
| Password Crack | Brute-force at hundreds of attempts per second | No rate limit on localhost |
| Register Node | Auto-approved as trusted | No prompts for pairings |
| Full Control | Run commands, steal data | Admin access granted |
Technical Root Causes
Design flaws enable this exploit. Localhost connections look trusted, yet any page open in the user's browser can reach them. Rate limits ignore loopback traffic. Pairing skips checks for local origins.
Developers assume browser traffic stays isolated from local services. Current browsers do not enforce that assumption. OpenClaw's speed of growth outpaced security hardening.
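The three root causes map to three gateway-side checks: refuse WebSocket upgrades that carry a foreign browser Origin even when they arrive over loopback, count failed password attempts for loopback peers like any other peer, and require explicit approval before a newly registered node is trusted. The code below is an added illustration written for this article, not OpenClaw's code or its patch; the function and class names, the origin allowlist, the password, and the lockout thresholds are constructed assumptions.

```python
"""Defensive checks for a local WebSocket gateway (added example, not OpenClaw's code).

Assumed interface: the gateway sees the upgrade request's Origin header, the
peer address, the presented password, and a node id. All names are hypothetical.
"""
import hmac
import time
from collections import defaultdict, deque

# Constructed allowlist: origins the gateway's own native clients send.
ALLOWED_ORIGINS = {"app://openclaw-desktop"}


def origin_allowed(origin, allowed=ALLOWED_ORIGINS):
    """Decide from the Origin header whether an upgrade may proceed.

    Browsers always attach Origin to WebSocket upgrades, so a browser tab on a
    third-party site shows up with a foreign origin and is refused even though
    the TCP connection comes from 127.0.0.1. A missing Origin means a
    non-browser client, which is outside the browser-pivot threat addressed here.
    """
    if origin is None:
        return True
    return origin in allowed


class FailedAuthLimiter:
    """Sliding-window limiter on failed password attempts, keyed by peer address.

    It deliberately has no loopback exemption: the brute force described in the
    article came from 127.0.0.1, which the original limiter ignored.
    """

    def __init__(self, max_failures=5, window_seconds=60.0, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock
        self._failures = defaultdict(deque)

    def _prune(self, peer, now):
        q = self._failures[peer]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_blocked(self, peer):
        now = self.clock()
        self._prune(peer, now)
        return len(self._failures[peer]) >= self.max_failures

    def record_failure(self, peer):
        self._failures[peer].append(self.clock())


class PairingRegistry:
    """Trust on first use with an explicit approval step.

    A node that authenticates for the first time is only marked pending; an
    operator (or a trusted UI) must call approve() before it gains capabilities.
    Local peers get no shortcut.
    """

    def __init__(self):
        self.pending = set()
        self._trusted = set()

    def request(self, node_id):
        if node_id not in self._trusted:
            self.pending.add(node_id)

    def approve(self, node_id):
        self.pending.discard(node_id)
        self._trusted.add(node_id)

    def is_trusted(self, node_id):
        return node_id in self._trusted


def handle_connect(origin, peer, password, node_id, *, expected_password, limiter, registry):
    """Run the checks in order and return a short status string."""
    if not origin_allowed(origin):
        return "rejected_origin"
    if limiter.is_blocked(peer):
        return "rate_limited"
    # Constant-time compare so the password check itself leaks nothing via timing.
    if not hmac.compare_digest(password.encode(), expected_password.encode()):
        limiter.record_failure(peer)
        return "bad_password"
    if not registry.is_trusted(node_id):
        registry.request(node_id)
        return "pending_pairing"
    return "connected"


def demo():
    """Walk a loopback brute force through the checks; returns the status sequence."""
    limiter = FailedAuthLimiter(max_failures=3, clock=lambda: 0.0)
    registry = PairingRegistry()
    kw = dict(expected_password="s3cret-constructed", limiter=limiter, registry=registry)
    out = [handle_connect("https://attacker.example", "127.0.0.1", "guess", "node-1", **kw)]
    for guess in ("a", "b", "c"):
        out.append(handle_connect(None, "127.0.0.1", guess, "node-1", **kw))
    out.append(handle_connect(None, "127.0.0.1", "s3cret-constructed", "node-1", **kw))
    return out


if __name__ == "__main__":
    print(demo())
```

The order of checks matters: origin is rejected before any password is examined, so a malicious page never gets to consume guesses, and the limiter keys on the peer address with no loopback carve-out, so a correct password arriving after the lockout threshold is still refused until the window expires.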
Mitigation Actions
Update to OpenClaw 2026.2.25 or newer right away. The team patched it in 24 hours and rated it high severity.
Check all machines for OpenClaw installs. Revoke extra permissions and API keys. Set policies for AI agent access like human accounts.
- Inventory instances across devices.
- Audit connected nodes and credentials.
- Limit agent actions to essentials.
- Monitor for unusual activity.
Organizations face risks from shadow installs. Treat this like any critical patch cycle.
FAQ
- NIST NVD at https://nvd.nist.gov/vuln/detail/CVE-2026-25253 lists affected versions up to 2026.1.28.
- The fix adds origin validation and "Trust on First Use" (TOFU) to block malicious gatewayUrl params.
- DepthFirst and Penligent.ai researchers have also examined the flaw, with PoCs showing full RCE chains.