~/home/news/openclaw-local-agent-flaw-cve-2026-03-05
newsThursday, March 5, 20268 min read👁 20 views

OpenClaw’s Local Agent Flaw (CVE-2026-25253) Lets Malicious Sites Hijack Your AI Assistant

A critical vulnerability (CVE-2026-25253) allows a malicious website to connect to a locally running OpenClaw agent over localhost, bypass authentication and brute-force the password without limits. Attackers can then execute arbitrary commands, stealing code, credentials, and integrations.

OpenClawCVE-2026-25253AI securityLocalhost attacks

Overview/Introduction

When OpenClaw released its AI-assistant agent for developers, the promise was simple: a powerful, locally hosted copilot that never leaves your machine. The reality, however, is that the agent’s design trusted anything that spoke to localhost. Researchers at Oasis Security uncovered a chain of weaknesses that let a hostile website silently open a WebSocket to the local OpenClaw gateway, brute-force its password, and take full control of the assistant. The flaw, catalogued as CVE-2026-25253, was disclosed publicly on 27 February 2026 and patched within days, but the incident raises serious questions about the implicit trust model behind many developer-focused AI tools.

Technical Details

CVE Identifier and Classification

CVE-2026-25253 - Critical - Remote Code Execution via Unauthenticated Localhost WebSocket.

Attack Vector

The vulnerability hinges on three design choices:

  • Localhost auto-trust: The OpenClaw gateway binds to 127.0.0.1:8080 (or a configurable port) and treats any connection from that address as inherently trusted.
  • WebSocket exposure: The agent exposes a WebSocket endpoint (/ws) that accepts JSON-RPC commands for workflow orchestration, code execution, and credential retrieval.
  • Disabled rate-limiting and auto-pairing: To streamline onboarding, the agent automatically pairs new client sessions from localhost and does not enforce a request-rate ceiling.

Modern browsers do not enforce the same origin policy for WebSocket connections to localhost. A malicious page can therefore embed JavaScript such as:

const ws = new WebSocket('ws://127.0.0.1:8080/ws');
ws.onopen = () => { /* start brute-force loop */ };

The script iterates over common passwords or even performs a full dictionary attack because the agent never throttles authentication attempts. Once a correct password is guessed, the attacker gains a fully authenticated session token, which can be used to invoke any RPC method-including runCommand, fetchFile, and listIntegrations.

Exploitation Method

Oasis Security released a proof-of-concept (PoC) that demonstrates the full chain:

  1. Load a malicious webpage (or a compromised ad network) in the victim’s browser.
  2. JavaScript opens a WebSocket to ws://127.0.0.1:8080/ws.
  3. The script sends auth RPC calls with password candidates in rapid succession.
  4. When the correct password is discovered, the script stores the session token in memory.
  5. Using the token, the script issues runCommand with arbitrary shell payloads, exfiltrates .ssh keys, pulls repository contents, or re-configures integrations (e.g., GitHub, Slack).

Because the attack runs entirely in the browser sandbox, there is no need for user interaction beyond visiting the malicious site. The entire exploit chain is invisible to the user and leaves no obvious browser artifacts.

Impact Analysis

The flaw affects any environment where the OpenClaw client is installed and the gateway is listening on a loopback interface. This includes:

  • Developer workstations running the OpenClaw desktop app.
  • CI/CD runners or build servers that host an OpenClaw agent for automated code review.
  • Self-hosted AI-assistant deployments on on-premise servers.

Given the agent’s elevated privileges-access to the host filesystem, ability to invoke arbitrary commands, and integration with credential stores-the impact is equivalent to a full system compromise. An attacker could:

  • Steal proprietary source code and intellectual property.
  • Harvest API keys, tokens, and passwords stored in environment variables or secret managers.
  • Deploy ransomware or cryptominers via runCommand.
  • Pivot to internal networks by using the compromised host as a foothold.

Because the vulnerability is exploitable from any website, the threat model expands from targeted phishing to mass-scale drive-by attacks.

Timeline of Events

  • 27 Feb 2026 - Oasis Security publicly discloses CVE-2026-25253 and releases PoC details.
  • 28 Feb 2026 - OpenClaw acknowledges the report, assigns a CVE, and begins internal remediation.
  • 01 Mar 2026 - OpenClaw publishes an emergency patch (v2.3.1) that adds origin verification, rate limiting, and optional token-based authentication for localhost connections.
  • 03 Mar 2026
  • 05 Mar 2026 - RootShell.blog publishes this deep-dive analysis.

Mitigation/Recommendations

Organizations and individual developers should take the following steps immediately:

  • Apply the official patch: Upgrade to OpenClaw 2.3.1 or later. The patch introduces:
    • Explicit origin checks for WebSocket connections (rejects non-same-origin requests).
    • Configurable rate-limit (default 5 attempts per second) on authentication RPC calls.
    • Optional “require-token” mode that forces a pre-shared secret for any localhost request.
  • Enforce network-level isolation: Run the OpenClaw agent inside a dedicated container or VM with no browser access. Use firewall rules to block inbound traffic to the agent’s port from the host’s user-space network interfaces.
  • Strengthen authentication: Replace the default weak password with a long, randomly generated passphrase. Store it in a password manager and enable multi-factor authentication (MFA) where the agent supports it.
  • Disable auto-pairing: Turn off the “auto-approve device” feature and require manual confirmation for each new client session.
  • Monitor WebSocket activity: Enable logging of all WebSocket connections and authentication attempts. Alert on spikes in failed logins.
  • Browser hygiene: Keep browsers up to date, and consider using extensions that block WebSocket connections to localhost from untrusted origins (e.g., NoScript, uMatrix).

Real-World Impact

In practice, the vulnerability translates to a new class of “local-first” attack. A developer who routinely visits a compromised blog while their OpenClaw agent is running could unknowingly hand over the keys to their entire development environment. For enterprises that embed OpenClaw into automated pipelines, a single compromised workstation could cascade into a supply-chain breach, leaking source code and deployment credentials across the organization.

Because the exploit requires only a web page, attackers can embed the malicious script in legitimate-looking content, ad networks, or even in phishing emails that direct victims to a “help” page. The low barrier to entry dramatically widens the threat surface.

Expert Opinion

From a senior security analyst’s perspective, CVE-2026-25253 is a textbook example of the dangers inherent in “implicit trust” models for locally hosted services. The OpenClaw team prioritized a frictionless developer experience-automatic pairing, no-password onboarding, and unrestricted localhost access-at the expense of a zero-trust mindset. While the rapid patch response is commendable, the incident should serve as a wake-up call for the broader AI-assistant ecosystem.

Future AI-agent designs must assume that localhost is not a security perimeter. Mandatory authentication, origin validation, and rate limiting should be baked in from day one. Moreover, developers should be educated that a “local” AI assistant does not magically shield them from web-based attacks.

In the longer term, we expect to see a shift toward sandboxed agent runtimes that expose only a narrow, well-defined API surface to the host OS, coupled with strong attestation mechanisms. Until then, organizations should treat any locally bound service as potentially exposed and apply the same hardening principles they would to network-facing daemons.