Oasis Security has disclosed a severe vulnerability chain in OpenClaw, the rapidly adopted open-source AI agent that gained over 100,000 GitHub stars in five days. The flaw allows any malicious website to silently hijack a developer's AI agent—granting full control over connected tools, credentials, and systems—without requiring plugins, extensions, or any user interaction. OpenClaw developers are urged to update immediately to version 2026.2.25 or later, where the issue has been addressed.
Quick Intel
Oasis Security's research team has exposed a critical security flaw in OpenClaw, a self-hosted AI agent that has become a go-to personal assistant for thousands of developers. Running locally on laptops, OpenClaw connects to messaging apps, calendars, development tools, and more, enabling autonomous actions such as sending messages, running commands, and managing workflows.
The vulnerability resides in the core OpenClaw gateway—no additional components or user modifications required. It exploits standard browser behaviors and lax localhost protections to enable remote takeover.
The attack begins when a developer visits a malicious or compromised website. JavaScript on the page opens a WebSocket connection to the OpenClaw gateway port on localhost. Because the browser's same-origin policy does not block cross-origin WebSocket handshakes, the connection to localhost succeeds unless the gateway itself rejects it.
The script then rapidly brute-forces the gateway password, taking advantage of the gateway's exemption of localhost traffic from rate limiting. Upon success, it registers as a trusted device, which the gateway auto-approves without notifying the user.
With full authentication, the attacker gains unrestricted access to interact with the AI agent, dump configurations, enumerate connected devices, read logs, and issue commands. This exposes sensitive integrations, allowing actions like searching Slack for credentials, accessing private communications, exfiltrating files, or running arbitrary shell commands—effectively achieving workstation-level compromise from a single browser tab.
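The chain above relies on three gaps in the gateway: a cross-site page can reach the socket, loopback traffic is exempt from rate limiting, and new devices are approved silently. The following Python sketch is an added example of the three corresponding server-side checks; it is not OpenClaw's code, and the origin allowlist, port 18789, and all class and method names are hypothetical.

```python
import hmac
import time
from collections import deque

MAX_FAILURES = 5        # failed logins allowed per window, per remote address
WINDOW_SECONDS = 60.0   # sliding window for the failure count
ALLOWED_ORIGINS = {"http://localhost:18789"}  # hypothetical: the gateway's own UI

class GatewayAuth:
    def __init__(self, password, allowed_origins=ALLOWED_ORIGINS, clock=time.monotonic):
        self._password = password.encode()
        self._origins = set(allowed_origins)
        self._clock = clock              # injectable so tests can advance time
        self._failures = {}              # remote address -> deque of failure times
        self.pending_devices = {}        # device_id -> label, awaiting a human
        self.approved_devices = set()

    def _throttled(self, remote):
        q = self._failures.setdefault(remote, deque())
        now = self._clock()
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()
        return len(q) >= MAX_FAILURES

    def authenticate(self, origin, remote, password):
        """Return 'ok', 'bad_origin', 'throttled' or 'bad_password'."""
        # Browsers send Origin on every WebSocket handshake and a page cannot forge
        # it, so an allowlist stops a cross-site page before any password attempt.
        if origin not in self._origins:
            return "bad_origin"
        # No loopback exemption: 127.0.0.1 is throttled like any other peer.
        if self._throttled(remote):
            return "throttled"
        if not hmac.compare_digest(password.encode(), self._password):
            self._failures[remote].append(self._clock())
            return "bad_password"
        return "ok"

    def register_device(self, device_id, label):
        # New devices wait for explicit approval instead of being auto-approved.
        self.pending_devices[device_id] = label
        return "pending"

    def approve_device(self, device_id):
        # Only ever called from a user-confirmed UI action, never from the socket.
        if self.pending_devices.pop(device_id, None) is None:
            return False
        self.approved_devices.add(device_id)
        return True
```

A correct password presented while the peer is throttled is still refused, which is the property that makes a high-speed guessing loop from a browser tab impractical.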
Oasis Security demonstrated the end-to-end exploit silently, with no visible indicators to the user.
"Prompt injection and agent hijacking cases are persistent threats in this era of broad AI adoption," said Elad Luz, Head of Research at Oasis Security. "Managing the scope of AI agents' access is a critical governance step organizations must take to reduce the blast radius and manage risk."
The rapid popularity of OpenClaw means many organizations likely have unmanaged instances on developer machines. To address this emerging risk, security teams should prioritize visibility into AI tooling, review and minimize granted permissions, and establish robust governance for AI agents as non-human identities. This includes intent analysis, policy enforcement, just-in-time access, and comprehensive auditing.
The OpenClaw security team responded swiftly, classifying the issue as high severity and releasing a fix within 24 hours of responsible disclosure.
As AI agents integrate deeper into developer workflows, organizations must shift from adoption speed to governed deployment to protect against these agentic threats.
About Oasis Security
Oasis Security is the identity security platform for the Agentic Access era. As enterprises adopt AI at scale, they face a new security challenge: thousands of machine identities and autonomous agents operating at machine speed, without the SSO, MFA, and governance controls that protect human access. Oasis delivers unified discovery, policy intelligence, and lifecycle enforcement across hybrid environments, giving security teams the visibility to find what legacy tools miss, the context to understand what actually matters, and the automation to govern at the speed of AI. Backed by Accel, Cyberstarts, and Sequoia Capital, Oasis Security was founded in 2022 by Danny Brickman and Amit Zimerman.