A few days ago, the security community found a serious flaw in OpenClaw, one of the self-hosted AI agent platforms that has grown rapidly in popularity in recent months. Researchers at Oasis Security identified a weakness that allowed a malicious website to communicate with a local OpenClaw instance and try passwords until it guessed the right one, all without the user noticing anything in the browser.
The root of the problem was in the OpenClaw gateway service, which exposes a WebSocket interface bound to localhost by default. This combination was dangerous because, unlike other web APIs, browsers allow WebSocket connections to loopback addresses without the same-origin policy blocking them. The MDN Web Docs page on WebSocket describes how these connections work.

The most worrying part was not only the ability to connect, but how OpenClaw treated local connections: the rate-limiting protections were designed to prevent brute-force attacks, but they usually exempt the loopback address (127.0.0.1) so as not to block legitimate sessions from the machine itself. This exception opened a window that, according to the researchers, allowed hundreds of attempts per second from JavaScript in a browser tab, which was enough to exhaust lists of common passwords in fractions of a second and larger dictionaries within minutes.
In addition, the OpenClaw gateway accepted device pairing from localhost without asking the user for confirmation, so that, once the management password was guessed, an attacker could register as a trusted device and obtain administrator permissions. With that direct access to the platform, the attacker could list connected nodes, leak and steal credentials, read logs and order the agent to search for or exfiltrate sensitive information, and even run shell commands on paired machines. In short: a browser tab could become the vector for a complete takeover of the workstation.
Oasis Security presented a proof of concept and a practical demonstration of the abuse, and reported the problem to the OpenClaw developers. The reaction was rapid: in less than 24 hours a fix was published, included in version 2026.2.26 released on 26 February, which tightens the security checks on WebSocket connections and adds protections so that connections from loopback cannot be used for brute-force attacks or session hijacking, even if they are exempt from limits by design.
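The two server-side controls described above (an Origin check on the WebSocket handshake and failure counting that does not exempt loopback) can be sketched as follows. This is an added example, not OpenClaw's code or the actual patch; `GatewayAuthGuard`, its options, `acceptedGuesses` and the sample origins are hypothetical names and constructed values.

```javascript
// Added illustration; hypothetical names, not OpenClaw's implementation.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

class GatewayAuthGuard {
  constructor({ allowedOrigins = null, maxFailures = 5, lockoutMs = 60_000, exemptLoopback = false }) {
    this.allowedOrigins = allowedOrigins ? new Set(allowedOrigins) : null; // null = no Origin check (weak)
    this.maxFailures = maxFailures;
    this.lockoutMs = lockoutMs;
    this.exemptLoopback = exemptLoopback; // true = loopback failures are never counted (weak)
    this.failures = new Map(); // remote address -> { count, lockedUntil }
  }

  // Gate a WebSocket upgrade before any password is checked. Browsers send an
  // Origin header on the handshake; native clients normally send none.
  checkHandshake({ origin, remoteAddress }, now = Date.now()) {
    if (this.allowedOrigins && origin !== undefined && !this.allowedOrigins.has(origin)) {
      return { ok: false, reason: "origin-not-allowed" };
    }
    const entry = this.failures.get(remoteAddress);
    if (entry && entry.lockedUntil > now) return { ok: false, reason: "locked-out" };
    return { ok: true, reason: null };
  }

  // Record the result of one password attempt from remoteAddress.
  recordAttempt(remoteAddress, success, now = Date.now()) {
    if (success) return void this.failures.delete(remoteAddress);
    if (this.exemptLoopback && LOOPBACK.has(remoteAddress)) return;
    const entry = this.failures.get(remoteAddress) ?? { count: 0, lockedUntil: 0 };
    entry.count += 1;
    if (entry.count >= this.maxFailures) {
      entry.count = 0;
      entry.lockedUntil = now + this.lockoutMs;
    }
    this.failures.set(remoteAddress, entry);
  }
}

// Constructed scenario: how many wrong passwords does the guard let through
// when `attempts` handshakes arrive one millisecond apart?
function acceptedGuesses(guard, request, attempts) {
  let accepted = 0;
  for (let i = 0; i < attempts; i++) {
    if (!guard.checkHandshake(request, 1_000 + i).ok) continue;
    accepted += 1;
    guard.recordAttempt(request.remoteAddress, false, 1_000 + i);
  }
  return accepted;
}
```

Because failures are keyed by remote address, a lockout on 127.0.0.1 also blocks legitimate local clients for the lockout window; rejecting foreign origins before any attempt is counted keeps a web page from triggering that lockout.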
This incident shows a double risk that accompanies the boom in self-hosted autonomous agent platforms: on the one hand, the large attack surface created by exposing a local control service with administrative capabilities; on the other, the combination of browser behaviors and server configurations that are designed for convenience but can be exploited. Security teams and administrators who deploy this type of software must assume that any local interface can be reached from a browser and design their defenses accordingly.
OpenClaw is not the only project that has to rethink its trust model: the research also notes that public repositories of skills and plugins can be used by malicious actors to distribute dangerous instructions. In this specific case, attempts to abuse the "ClawHub" repository have been observed, promoting skills that deploy information-stealing malware or persuade users to run harmful commands on their machines.

If you administer or use an OpenClaw instance, the immediate recommendation is to update to the patched version (2026.2.26 or later). Beyond the patch, it is advisable to review administrative passwords and keys, apply strong and unique password policies, minimize exposure of administration interfaces to untrusted networks, and monitor for anomalous logs and behavior in the agent's integrations. For those who want to go deeper into testing techniques for WebSocket channels, the OWASP Web Security Testing Guide provides useful guidance on attack vectors and mitigations.
The good news is how quickly this hole was fixed after responsible disclosure: an example of how technical exchange between researchers and developers can limit the impact. The lesson, however, must last: with tools that can carry out actions in real environments and access connected devices, security by design and continuous review are essential. It is not enough for a service to work; it has to be hardened on the assumption that the local interface is also a potential entry point for an attacker.
For those who want to read the full technical report and see the demonstration shared by the discoverers, the Oasis post contains the details of the finding and the proof of concept: Oasis Security report on vulnerability in OpenClaw. Staying informed and applying patches quickly remains the best defense against such threats.