SecurityWeek reports that a vulnerability in the OpenClaw AI assistant could allow malicious websites to hijack AI agents by luring victims to a page that targets a locally bound gateway. The flaw arose because the OpenClaw gateway runs a local WebSocket server on localhost, and its rate limiter does not cover loopback connections, enabling a browser-based attacker to brute-force a password and register as a trusted device.
According to Oasis Security, successful exploitation would grant an authenticated session with administrator privileges, letting an attacker interact with the agent, read logs, exfiltrate files, or execute commands on paired nodes. Oasis notes that JavaScript on a malicious website could open a WebSocket to the agent port and initiate hundreds of password guesses per second, exhausting common password lists in under a second.
SecurityWeek’s article, published on 2 March 2026, states that OpenClaw’s security team addressed the vulnerability within 24 hours and recommends updating to OpenClaw version 2026.2.25 or later.
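The loopback exemption described above, as an added example (not OpenClaw's code and not taken from SecurityWeek or Oasis Security): a hypothetical failed-login limiter with and without the exemption, counting how many wrong guesses from 127.0.0.1 reach the password check. The names `makeLimiter` and `guessesEvaluated`, the 5-failure limit and the 60-second window are assumptions.

```javascript
// Added example: hypothetical limiter, not OpenClaw's implementation.
// A browser page's WebSocket to localhost arrives at the gateway from a
// loopback address, so any loopback exemption also covers that page.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

function makeLimiter({ exemptLoopback, maxFailures = 5, windowMs = 60_000 }) {
  const failures = new Map(); // client address -> timestamps of failed logins
  const recent = (addr, now) =>
    (failures.get(addr) || []).filter((t) => now - t < windowMs);
  return {
    // May this address attempt authentication at time `now` (ms)?
    allow(addr, now) {
      if (exemptLoopback && LOOPBACK.has(addr)) return true; // the weak setting
      return recent(addr, now).length < maxFailures;
    },
    recordFailure(addr, now) {
      if (exemptLoopback && LOOPBACK.has(addr)) return; // failures never counted
      failures.set(addr, [...recent(addr, now), now]);
    },
  };
}

// Replays `attempts` wrong-password logins from `addr`, one every `stepMs`,
// and returns how many actually reached the password comparison.
function guessesEvaluated(limiter, addr, attempts, startMs = 0, stepMs = 2) {
  let evaluated = 0;
  for (let i = 0; i < attempts; i++) {
    const now = startMs + i * stepMs;
    if (!limiter.allow(addr, now)) continue; // rejected before any comparison
    evaluated++;
    limiter.recordFailure(addr, now);
  }
  return evaluated;
}

// Constructed run: 500 wrong guesses within one second from loopback.
const weak = makeLimiter({ exemptLoopback: true });
const hardened = makeLimiter({ exemptLoopback: false });
console.log("exempting loopback:", guessesEvaluated(weak, "127.0.0.1", 500));
console.log("limiting loopback: ", guessesEvaluated(hardened, "127.0.0.1", 500));
```

With the exemption every guess is evaluated; without it the count stops at the failure limit until the window expires, which is why the limiter has to treat loopback clients like any other.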