Cross-origin browser-to-localhost access, missing loopback throttling, and implicit device trust combine into a silent takeover path from a single web visit.
OpenClaw | Localhost | WebSockets | AI agents | Brute force | Endpoint security
Affected vendor / product: OpenClaw Gateway (local service) and paired Nodes
Primary issue: Website-initiated WebSocket access to localhost plus weak loopback protections and auto-trusted localhost device pairing
Exploitation status: Public proof-of-concept demonstrated by researchers; no confirmed in-the-wild exploitation publicly disclosed
Confidence: High (researcher technical disclosure plus vendor release notes)
Severity: High
Patch / mitigation status: Fixed in OpenClaw v2026.2.25+ (additional hardening continues in subsequent releases)
Sectors at risk: Software engineering, DevOps, security teams, and any organisation with developer-run “shadow AI” agents that hold tokens/keys and can execute tools
Regions at risk: Global
Executive Summary
Oasis Security disclosed a vulnerability chain in OpenClaw that allowed any website a user visits to silently connect to a locally running OpenClaw Gateway over WebSockets and attempt authentication. According to Oasis Security’s technical disclosure, loopback connections were effectively exempt from meaningful password-guessing resistance, enabling high-speed brute force from browser JavaScript, followed by silent registration as a trusted device due to localhost auto-approval.
Once paired, an attacker can interact with the agent, enumerate connected devices, and access logs and configuration. In environments where OpenClaw is integrated with messaging, developer tooling, and system command execution, Oasis describes the practical impact as comparable to workstation compromise initiated from a browser tab. OpenClaw’s v2026.2.25 release notes confirm mitigations including origin checks, loopback throttling, and blocking silent auto-pairing for non-Control-UI browser clients.
Context
The issue is a modern variant of a long-running security anti-pattern: assuming “localhost equals trusted”. As Oasis notes, browsers can initiate WebSocket connections to local services, and unless the server enforces strict origin policy and authentication hardening, a malicious site can use the victim’s own browser as a bridge into local-only tooling. (Source: Oasis Security’s disclosure)
This is particularly high-risk for agentic tools because the Gateway often sits in front of high-value capabilities: stored API keys, access to collaboration platforms, access to local files, and the ability to invoke actions on paired nodes. OpenClaw’s maintainers treated this as high severity and shipped a fix rapidly. (Source: Oasis Security’s disclosure)
Technical Analysis
Attack chain (as demonstrated by Oasis)
Oasis’ proof-of-concept describes the following sequence:
- Victim has OpenClaw running locally with the Gateway bound to localhost and protected by a password.
- Victim visits an attacker-controlled or compromised website in a normal browser.
- JavaScript on the page opens a WebSocket connection to the OpenClaw Gateway on localhost.
- The script brute-forces the Gateway password “at hundreds of attempts per second” because localhost was exempt from the Gateway’s rate limiter.
- After authentication, the script silently registers as a trusted device because the Gateway auto-approved localhost device pairing without a user prompt.
- The attacker gains control to interact with the agent, dump configuration, enumerate connected devices, and read logs. (Source: Oasis Security’s technical disclosure)
The key design lesson is that a WebSocket handshake is not governed by the same-origin policy or CORS in the way many developers assume: a page served from any origin can open a WebSocket to a loopback service, and the browser completes the handshake without a preflight. The browser does attach an Origin header that page script cannot remove or forge, but the header only protects the service if the server validates it against an allow list and rejects everything else. OpenClaw’s remediation specifically focuses on origin checks and “browser-origin” loopback throttling, reflecting this threat model. (Source: OpenClaw v2026.2.25 release notes)
Remediation changes (vendor-confirmed)
OpenClaw’s v2026.2.25 release notes describe security changes that directly break the chain:
- Enforced origin checks for direct browser WebSocket clients beyond the Control UI/Webchat
- Applied password-auth failure throttling to browser-origin loopback attempts (including localhost)
- Blocked silent auto-pairing for non-Control-UI browser clients to prevent cross-origin brute-force and session takeover chains (Source: OpenClaw v2026.2.25 release notes)
Impact Assessment
Confirmed: The chain enables remote control of the OpenClaw agent context once pairing is achieved, including access to configuration data, logs, and connected device enumeration. (Source: Oasis Security’s disclosure)
Likely: In real-world developer setups, impact escalates quickly because agents often hold credentials and can perform actions across SaaS and local tooling. Oasis explicitly calls out scenarios such as searching Slack history for API keys, reading private messages, exfiltrating files from connected devices, and executing shell commands on paired nodes, depending on what the user configured. (Source: Oasis Security’s disclosure)
The practical blast radius depends on:
- What integrations are connected (messaging, code hosting, CI/CD, ticketing)
- Whether the agent can execute system commands or access sensitive filesystem paths
- How many nodes are paired and what permissions they expose
Exploitation Status
Oasis published a working end-to-end proof-of-concept and states the issue was fixed within 24 hours of responsible disclosure. (Source: Oasis Security’s disclosure)
As of 2 March 2026, neither Oasis nor OpenClaw has publicly reported confirmed in-the-wild exploitation specific to this chain. That said, the exploitation precondition is low (a website visit) and the affected deployment pattern (developer-run local agents) is common, so defenders should assume rapid adversary interest.
Mitigation Recommendations
- Patch immediately to v2026.2.25 or later
  Treat OpenClaw updates like endpoint security hotfixes, not routine developer tooling updates. Oasis Security’s guidance and OpenClaw’s v2026.2.25 release notes align on this.
- Rotate and re-scope secrets held by agents
  If OpenClaw can access API keys, tokens, or chat integrations, rotate them and reduce their scopes. Focus on credentials that enable lateral movement (source control, CI/CD, cloud, collaboration tooling). This follows Oasis’ recommendation to review and revoke unnecessary agent access. (Source: Oasis Security’s guidance)
- Audit paired devices and trust relationships
  Review the Gateway’s list of trusted/paired devices and remove unexpected entries. Re-pair only after patching and credential rotation.
- Reduce agent privileges by design
  Apply least privilege to tools and connectors. Disable or constrain command execution where possible, and avoid giving personal agents broad access to organisational SaaS by default.
- Establish governance for “non-human identities” on endpoints
  Inventory where agents are running across developer fleets and who owns them. Oasis explicitly flags the “you can’t secure what you can’t see” problem for AI tooling sprawl. (Source: Oasis Security’s guidance)
Incident Response Guidance
If you suspect exposure (for example: users visited an attacker-controlled site while running vulnerable OpenClaw):
- Containment: Stop the OpenClaw service on affected hosts, disconnect integrations where feasible, and isolate the endpoint if suspicious agent activity is observed.
- Credential hygiene: Rotate the Gateway password/token and revoke or rotate any credentials accessible to the agent (API keys, chat tokens, automation secrets).
- Trust reset: Review and remove unknown paired devices, then re-establish trust only after patching.
- Forensics: Collect OpenClaw configuration, pairing records, and logs (where available), plus browser history and DNS/HTTP telemetry for the suspected window. Note that part of the risk described by Oasis is that failed attempts were not meaningfully throttled or logged on localhost in vulnerable builds, so the absence of failed-login entries is not evidence that no attempts occurred. (Source: Oasis Security’s disclosure)
MITRE ATT&CK Mapping
| Tactic | Technique | Technique name | Observed behaviour |
|---|---|---|---|
| Initial Access | T1189 | Drive-by Compromise | User visits an attacker-controlled or compromised website running malicious JavaScript |
| Credential Access | T1110 | Brute Force | Browser-based high-speed guessing of the OpenClaw Gateway password due to loopback exemptions |
| Collection | T1005 | Data from Local System | Post-takeover collection via agent access to local files/logs/config and connected nodes (dependent on configuration) |
| Execution | T1059 | Command and Scripting Interpreter | Potential post-takeover command execution through agent tooling where enabled |
Historical Context and Common Confusion
Several sources have incorrectly conflated “ClawJacked” reporting with CVE-2026-25253, an earlier OpenClaw issue involving token leakage via a user-supplied gatewayUrl parameter. That CVE is documented by NVD’s CVE-2026-25253 entry and is distinct from the Oasis “website-to-local agent takeover” chain fixed in v2026.2.25+. Keep these separate in vulnerability management and communications.
Future Outlook
Expect fast commoditisation. The browser-to-localhost pattern is reusable across many developer tools, but agent platforms concentrate permissions and credentials in ways that make these chains unusually valuable. The defensive priority is not only patching OpenClaw but also hardening the surrounding operating model: endpoint visibility for agent tools, strict privilege boundaries for agent actions, and audited, time-bound access to sensitive integrations.
Further Reading
- Oasis Security technical disclosure: OpenClaw Vulnerability (Website-to-Local Agent Takeover)
- OpenClaw v2026.2.25 release notes (security fix details)
- Oasis Security press release summary (Feb 26, 2026)
- Secondary coverage: BleepingComputer summary of “ClawJacked”

