Oasis Security Research Team Discovers Critical Vulnerability in OpenClaw

Vulnerability chain in OpenClaw allows any website to silently take full control of a developer’s AI agent

NEW YORK, Feb. 26, 2026 /PRNewswire/ — Oasis Security, the identity security platform, today released new threat research exploring a vulnerability chain in OpenClaw that allows any website to silently take full control of a developer’s AI agent—with no plugins, extensions, or user interaction required.

OpenClaw, the open-source AI agent that rocketed to over 100,000 GitHub stars in five days, has become the default personal assistant for thousands of developers. It runs on their laptops, connects to their messaging apps, calendars, and dev tools, and takes autonomous actions on their behalf. It has also been trivially vulnerable to hijacking from any website the developer visits.

The Rise of OpenClaw
OpenClaw is a self-hosted AI agent that recently took the developer world by storm, becoming one of the fastest-growing open-source projects in history. Users interact with OpenClaw through a web dashboard or terminal, allowing it to autonomously send messages, run commands, manage workflows across platforms, and even form an emergent AI social network.

The Vulnerability
The vulnerability the Oasis Security Research Team discovered lives in the core system itself—no plugins, no marketplace, no user-installed extensions—just the bare OpenClaw gateway, running exactly as documented.

Here’s the scenario: A developer has OpenClaw running on their laptop, with the gateway bound to localhost, protected by a password. They’re browsing the web and accidentally land on a malicious website. That’s all it takes.

The full attack chain works as follows:

1. The victim visits any attacker-controlled (or compromised) website in their normal browser.
2. JavaScript on the page opens a WebSocket connection to localhost on the OpenClaw gateway port (permitted because WebSocket connections to localhost are not blocked by cross-origin policies).
3. The script brute-forces the gateway password at hundreds of attempts per second. The gateway’s rate limiter exempts localhost connections entirely.
4. Once authenticated, the script silently registers as a trusted device. The gateway auto-approves device pairings from localhost with no user prompt.
5. The attacker then has full control. They can interact with the AI agent, dump configuration data, enumerate connected devices, and read logs.

This means an attacker could instruct the agent to search the developer’s Slack history for API keys, read private messages, exfiltrate files from connected devices, or execute arbitrary shell commands on any paired node. For a developer with typical OpenClaw integrations, this is equivalent to full workstation compromise, initiated from a browser tab.

The Oasis Security Research Team demonstrated this end-to-end: From a browser on an unrelated website, its proof-of-concept guessed the gateway password, connected with full permissions, and successfully interacted with the user’s AI agent, all without the user seeing any indication that anything had happened.

What Organizations Should Do
The rapid adoption of tools like OpenClaw means many organizations already have instances running on developer machines, often without IT’s knowledge. Here are recommended steps to take:

1. Gain visibility into AI tooling. You can’t secure what you can’t see. Inventory which AI agents and assistants are running across your developer fleet. OpenClaw instances, local LLM servers, and similar tools represent a growing blind spot.
2. Review the access granted to AI agents. OpenClaw agents can hold API keys for AI providers, connect to messaging platforms, and execute system commands on connected devices. Audit what credentials and capabilities each instance has been granted, and revoke anything that isn’t actively needed.
3. Establish governance for non-human identities. AI agents are a new class of identity in your organization – they authenticate, hold credentials, and take autonomous actions. They need to be governed with the same rigor as human users and service accounts. This means intent analysis (understanding what an agent action is trying to do before it happens), policy enforcement (deterministic guardrails that block dangerous actions and require human approval for sensitive operations), just-in-time access (short-lived, per-session, scoped only to the required task), and a full audit trail from human to agent to action to result. This is the problem that Oasis Security’s Agentic Access Management platform was purpose-built to solve.

As AI agents become standard tools in every developer’s workflow, the question isn’t whether to adopt them, it’s whether organizations can govern them.

“Prompt injection and agent hijacking cases are persistent threats in this era of broad AI adoption,” said Elad Luz, Head of Research at Oasis Security. “Managing the scope of AI agents’ access is a critical governance step organizations must take to reduce the blast radius and manage risk.”

If you or your team run OpenClaw, update to version 2026.2.25 or later immediately.

Responsible Disclosure and Fix
Oasis Security reported this vulnerability to the OpenClaw security team with full technical details, root cause analysis, and proof-of-concept code. The team classified it as high severity and pushed a fix in less than 24 hours, an impressive response time, especially for a volunteer-driven open-source project.

Read the Oasis Security Research Team’s blog for more information, and whitepaper for the full technical breakdown.

About Oasis Security
Oasis Security is the identity security platform for the Agentic Access era. As enterprises adopt AI at scale, they face a new security challenge: thousands of machine identities and autonomous agents operating at machine speed, without the SSO, MFA, and governance controls that protect human access. Oasis delivers unified discovery, policy intelligence, and lifecycle enforcement across hybrid environments, giving security teams the visibility to find what legacy tools miss, the context to understand what actually matters, and the automation to govern at the speed of AI. Backed by Accel, Cyberstarts, and Sequoia Capital, Oasis Security was founded in 2022 by Danny Brickman and Amit Zimerman.

Media Contact
Katherine Benfield
ICR for Oasis Security
oasis@icrinc.com

View original content to download multimedia:https://www.prnewswire.com/news-releases/oasis-security-research-team-discovers-critical-vulnerability-in-openclaw-302698939.html

SOURCE Oasis Security