Critical 0-Click Vulnerability in OpenClaw Exposes Developer AI Agents to Remote Hijacking
A critical zero-interaction vulnerability has been identified in OpenClaw, a rapidly growing open-source AI agent framework, allowing malicious websites to gain full control over developers’ AI agents without any user action. This flaw, discovered by Oasis Security researchers, poses significant risks due to OpenClaw’s deep integration with developers’ systems.
Understanding OpenClaw’s Functionality
OpenClaw, formerly known as Clawdbot and MoltBot, has seen unprecedented growth, amassing over 100,000 GitHub stars within five days. It serves as a self-hosted AI assistant, enabling developers to automate tasks by connecting to messaging apps, calendars, development tools, and local filesystems. Operating through a local WebSocket gateway bound to localhost, OpenClaw orchestrates various nodes such as macOS companion apps and iOS devices, granting them capabilities like system command execution and file access.
Mechanism of the Exploit
The vulnerability exploits the trust placed in localhost connections and the lack of stringent security measures for such connections. The attack unfolds as follows:
1. User Visits Malicious Website: A developer accesses a compromised or attacker-controlled website using their browser.
2. WebSocket Connection Initiation: JavaScript on the malicious page opens a WebSocket connection to the OpenClaw gateway on localhost. Browsers permit cross-origin WebSocket connections to loopback addresses, facilitating this step.
3. Brute-Force Password Attack: The script attempts to brute-force the gateway password at a high rate. Notably, OpenClaw’s rate limiter does not apply to localhost connections, allowing unlimited attempts without detection.
4. Unauthorized Device Registration: Upon successful authentication, the script registers as a trusted device. OpenClaw’s gateway automatically approves pairings from localhost without user prompts.
5. Full Control Acquisition: The attacker gains administrative control over the AI agent, enabling actions such as searching Slack history for API keys, reading private messages, exfiltrating files, and executing arbitrary shell commands.
This sequence of events results in a complete compromise of the developer’s workstation, initiated from a browser tab without any visible indication to the user.
Root Causes of the Vulnerability
The exploit stems from several flawed design assumptions:
– Trust in Localhost Connections: Assuming that connections from localhost are inherently trustworthy.
– Browser-Originated Traffic Limitations: Believing that browser-originated traffic cannot reach local services.
– Rate Limiting Exemptions: Exempting localhost connections from rate limiting measures.
Each of these assumptions is incorrect in modern browser environments, leading to the identified security gap.
Mitigation Measures
In response to this high-severity issue, the OpenClaw team has promptly released a patch. Developers and organizations are urged to take the following actions:
1. Immediate Update: Upgrade to OpenClaw version 2026.2.25 or later to incorporate the security fix.
2. Inventory Assessment: Identify all OpenClaw instances across developer machines, including any installations outside IT’s direct oversight.
3. Credential Audit: Review and revoke unnecessary credentials, API keys, and node permissions associated with OpenClaw instances.
4. Governance Policies: Establish stringent governance policies for AI agent identities, treating them with the same rigor as human users and service accounts.
Given OpenClaw’s rapid adoption, it’s crucial to assume that unpatched instances may exist within developer environments. Addressing this vulnerability with urgency is essential to maintain system integrity and security.
