Advisory

OpenClaw Patches High-Severity Website-to-Local Hijacking Vulnerability

Take action: Treat local AI agents as high-privilege and very dangerous services. Update your OpenClaw to version 2026.2.25 immediately. Be aware that most AI tools are half-baked, extremely vulnerable products that developers didn't design or test properly, and that push the security problem onto the user. Ideally, don't use them. If you do use them, DO NOT TRUST THEM. Isolate them on a separate computer and severely limit their access and granted abilities.


Learn More

Researchers report a high-severity vulnerability chain in OpenClaw, an open-source AI agent. The flaw allows malicious websites to silently hijack a developer's local AI agent without any user interaction or browser extensions.

This 'Website-to-Local Agent Takeover' is a cross-origin WebSocket hijacking flaw combined with a lack of rate limiting on local loopback addresses. Browsers typically isolate web content, but they do not block WebSocket connections to localhost, allowing a malicious site to communicate directly with the OpenClaw service. 

Attackers can use JavaScript on a malicious site to open a WebSocket to the local gateway port. Because the gateway exempts localhost from rate limiting, the script can brute-force the gateway password at hundreds of attempts per second and then automatically pair as a trusted device without a user prompt. 

Once authenticated, an attacker gains administrative control over the AI agent and all connected nodes. 
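The two gateway-side conditions described above (no origin check on the WebSocket handshake, and a rate-limit exemption for loopback) can be closed with checks like the following. This is an added example, not OpenClaw's code or its actual patch; the class, method names, port and password are hypothetical placeholders.

```javascript
// Added example; class and method names are hypothetical, not OpenClaw's API.
const MAX_FAILURES = 5;     // failed password attempts allowed per window
const WINDOW_MS = 60_000;   // sliding window length

// Compare the whole string instead of returning at the first mismatch.
function sameSecret(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

class GatewayGuard {
  constructor(allowedOrigins, now = () => Date.now()) {
    this.allowed = new Set(allowedOrigins);
    this.now = now;
    this.failures = new Map(); // remote address -> timestamps of failed logins
  }

  // Run on the HTTP upgrade request, before accepting the WebSocket.
  // Browsers always send Origin on a WebSocket handshake, so a page on any
  // other site is rejected here; native clients that send no Origin pass.
  originAllowed(headers) {
    const origin = headers["origin"];
    return origin === undefined || this.allowed.has(origin);
  }

  // Returns "ok", "denied" or "locked". 127.0.0.1 and ::1 get no exemption.
  checkPassword(remoteAddr, supplied, expected) {
    const cutoff = this.now() - WINDOW_MS;
    const recent = (this.failures.get(remoteAddr) || []).filter((t) => t > cutoff);
    this.failures.set(remoteAddr, recent);
    if (recent.length >= MAX_FAILURES) return "locked";
    if (sameSecret(supplied, expected)) return "ok";
    recent.push(this.now());
    return "denied";
  }
}

// Constructed input: a handshake from a foreign origin, then repeated guesses
// arriving from loopback. The port and password are placeholders.
function demo() {
  const guard = new GatewayGuard(["http://localhost:8080"]);
  const crossOrigin = guard.originAllowed({ origin: "https://untrusted.example" });
  const sameOrigin = guard.originAllowed({ origin: "http://localhost:8080" });
  const guesses = ["a", "b", "c", "d", "e", "placeholder-password"];
  const results = guesses.map((g) => guard.checkPassword("127.0.0.1", g, "placeholder-password"));
  return { crossOrigin, sameOrigin, results };
}
```

In `demo()` the sixth attempt returns "locked" even though it carries the correct password, which is what stops a high-rate guessing loop from succeeding inside the window.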

This vulnerability affects all self-hosted OpenClaw (formerly known as Clawdbot or MoltBot) installations running versions prior to 2026.2.25.

The OpenClaw team, now part of OpenAI following the recruitment of creator Peter Steinberger, validated the flaw and confirmed it exists in the core gateway architecture. 

Users must update OpenClaw to version 2026.2.25 or later immediately to resolve the authentication and rate-limiting flaws. Organizations should also inventory shadow AI tools across their developer fleets to identify unauthorized or unmanaged agent installations. Beyond patching, security teams should implement strict governance for non-human identities, including just-in-time access and session-scoped credentials for all AI agents to prevent lateral movement during a compromise.
