New Vulnerability Can Compromise OpenClaw AI Agent via a Malicious Webpage
March 5, 2026
OpenClaw is everyone’s favorite AI agent of the moment and can enable some very helpful productivity hacks, but the last few weeks have also demonstrated it has a long way to go in terms of security. The latest issue is documented by security firm Oasis in a new paper, and it is one that requires an immediate update for anyone using a version prior to 2026.2.25.
The vulnerability was patched out prior to publication of this study, but older versions can still be compromised by a fully zero-interaction attack triggered by simply visiting any malicious webpage. If the OpenClaw gateway is protected by a human-selected password, it is very likely to be cracked within minutes of encountering one of these attack sites.
OpenClaw’s latest security issue demonstrates why paranoia about permissions is warranted
There is a serious case of FOMO with the debut of OpenClaw, with many feeling they’ll be left behind in the technological ghetto if they don’t immediately incorporate and master AI agents in their work lives. But haste in adoption can also prove devastating, as stories of everything from crypto theft to the total ruination of startups emerge. The project documentation makes plain it is still in its early stages, and its creator has said equally plainly that if you are not a “techie” you should probably not be messing around with it at this stage.
The primary evidence of this is a string of documented security vulnerabilities since it debuted in its OpenClaw form in January: at least seven have been found thus far, ranging from moderate to very high severity. This particular issue is one of those “very high” severity examples, as all a victim (or even the AI agent while working autonomously) would have to do is open an attack page.
While vulnerabilities were an inevitability due to the AI agent’s “vibe coded” origin, they are also not the only issue. The ClawHub repository is now rife with malware posing as legitimate tools, and Shodan searches have uncovered tens of thousands of people opening their OpenClaw agents to the public internet due to a seeming lack of awareness about the security and technical aspects of the software.
Keeping AI agents continually updated is crucial
All of this is not to say that AI agents should be entirely abandoned, but very high security awareness is necessary to use them without courting some kind of ruin. Unfortunately, that point does not seem to be making it through to a user base eager to hop onto the next big trend in business.
At minimum, it is critical to index the functions that AI agents have autonomous access to. Can they execute crypto wallet transactions or access bank and credit card accounts? Can they provide credentials and verification tokens? And, as this case illustrates, can they take independent actions that could walk the device right into a hacker’s trap without the user even being aware of what happened?
In this case, the attack centers on the OpenClaw gateway being bound to localhost by default. That means connections from the same machine are treated as coming from a trusted device, something that a malicious WebSocket connection from a web page can abuse to guess at passwords without rate or failure limits. The researchers found in their testing that a malicious script can make at least hundreds of attempts per second and run through a dictionary file in mere minutes, making it very likely a victim’s gateway password will be cracked unless it is unusually long and machine-generated.
The key takeaway here is that if AI agents are going to be given user permissions, security policies have to treat them as users. And aside from taking a hard look at all of the permissions the agents have, users should also ensure appropriate rate limits are in place when logins are involved and ensure secondary human approval is being sought for sensitive activities.
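The missing rate and failure limits described above, and the rate limiting recommended here, can be sketched as a failure limiter that gives loopback connections no exemption. This is an added example, not OpenClaw's code or its patch: `LoginLimiter`, `replay`, the 500-guesses-per-second rate and the guess list are all hypothetical and constructed for illustration.

```javascript
// Added example, not OpenClaw code: all names here are hypothetical.
class LoginLimiter {
  constructor({ maxFailures = 5, baseLockMs = 30000, maxLockMs = 3600000, now = Date.now } = {}) {
    Object.assign(this, { maxFailures, baseLockMs, maxLockMs, now });
    this.peers = new Map(); // peer -> { failures, lockouts, lockedUntil }
  }

  // Loopback peers get no exemption: a browser tab on the same machine
  // also connects from 127.0.0.1.
  attempt(peer, password, verify) {
    const t = this.now();
    const s = this.peers.get(peer) ?? { failures: 0, lockouts: 0, lockedUntil: 0 };
    this.peers.set(peer, s);
    if (t < s.lockedUntil) {
      // Locked: reject without evaluating the guess at all.
      return { ok: false, checked: false, retryAfterMs: s.lockedUntil - t };
    }
    if (verify(password)) {
      this.peers.delete(peer);
      return { ok: true, checked: true, retryAfterMs: 0 };
    }
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      // Double the lockout each time the failure budget is exhausted.
      const lockMs = Math.min(this.baseLockMs * 2 ** s.lockouts, this.maxLockMs);
      s.failures = 0; s.lockouts += 1; s.lockedUntil = t + lockMs;
    }
    return { ok: false, checked: true, retryAfterMs: Math.max(0, s.lockedUntil - t) };
  }
}

// Replay a constructed guess list at a fixed rate against a limiter, on a fake clock.
function replay(maxFailures, guesses, secret, perSecond) {
  const clock = { t: 0 };
  const limiter = new LoginLimiter({ maxFailures, now: () => clock.t });
  let checked = 0;
  for (const g of guesses) {
    const r = limiter.attempt('127.0.0.1', g, (p) => p === secret);
    if (r.checked) checked += 1;
    if (r.ok) return { checked, cracked: true };
    clock.t += 1000 / perSecond;
  }
  return { checked, cracked: false };
}

// Constructed sample: 60,000 guesses (two minutes at 500/s), secret at index 40,000.
const GUESSES = Array.from({ length: 60000 }, (_, i) => `guess-${i}`);
const SECRET = GUESSES[40000];
```

Calling `replay(Infinity, GUESSES, SECRET, 500)` models a gateway with no failure limit, while `replay(5, GUESSES, SECRET, 500)` applies the lockout. Keying the limiter on the peer address means a flood of bad guesses also locks out the legitimate local user for the lockout period, which is the trade-off to weigh against an unthrottled login.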



