CyberSecurity SEE

ClawJacked Vulnerability in OpenClaw Allows Websites to Hijack AI Agents


The Rapid Rise and Hidden Risks of OpenClaw

In recent months, Peter Steinberger has experienced an extraordinary journey with his creation, OpenClaw, an artificial intelligence tool designed to serve as a personal assistant for developers. This platform has rapidly gained traction, soaring to over 100,000 stars on GitHub in less than a week. The swift ascent of OpenClaw has garnered attention from prominent figures in the tech industry, including Sam Altman of OpenAI, who has publicly praised Steinberger’s ingenuity and invited him to join the organization’s team.

However, as researchers at Oasis Security have uncovered, OpenClaw’s meteoric rise has not come without significant concerns regarding its security. The team has recently disclosed a serious vulnerability, referred to as ClawJacked (CVE-2026-25253), which poses a considerable threat to users. This flaw is not associated with external plugins or dubious downloads; rather, it originates within the primary gateway of the software itself.

Understanding the Vulnerability

The vulnerability stems from a design assumption in OpenClaw's gateway: that a connection arriving from the user's own machine is trustworthy. That assumption does not survive the presence of a web browser. Any page the user has open can initiate a WebSocket connection (a persistent, bidirectional channel over a single TCP connection) to a port on localhost, so a script on a malicious site can reach the gateway directly. The Oasis Security researchers showed that such a script could gain access to the AI tool without the user noticing.

Browsers enforce the same-origin policy, which stops a script on one site from reading responses that belong to another origin. That policy does not prevent a WebSocket connection from being opened: the browser will perform the handshake to any host, including 127.0.0.1, and only attaches an Origin header naming the page that made the request. Whether to act on that header is left to the server. Because the OpenClaw gateway treated any connection from the loopback address as safe, a connection opened by a script on a malicious page looked no different from one opened by the user's own tooling. A developer running OpenClaw who visited such a page would hand the hidden script a live channel to the agent running in the background, with nothing visible to the user.

Demonstrating the Threat

To illustrate the gravity of this vulnerability, the Oasis team built a proof-of-concept showing that the attack works in practice. The attack produced no visible indication to the user: a script on an unrelated website could open a connection to the gateway, guess the password, and then interact with the AI agent.

One of the most alarming findings was the speed of the attack. The gateway imposed no limit on the number of authentication attempts from a single client, so the researchers reported being able to try hundreds of passwords per second. At that rate a human-chosen password offers little protection, and the absence of any lockout or throttling is itself a serious weakness in the software's security design.

Once the password was guessed, the attacker held administrative access to the AI agent. That level of access opens a range of malicious possibilities: reading private conversations, harvesting API keys, and directing the agent to locate and exfiltrate sensitive files from the user's machine.

Immediate Response and Fix

Fortunately, the OpenClaw development team responded quickly. Upon receiving the report, they released a fix within 24 hours. Users are urged to update to version 2026.2.25 or later to close the hole.

The timing of this disclosure is notable, following an earlier incident in which over 1,000 malicious skills were identified in OpenClaw's community marketplace. Together the two incidents show how quickly attackers turn to emerging tooling and raise the question of whether such projects' security frameworks keep pace with their adoption.

Insights from Security Experts

In light of these developments, several cybersecurity professionals have weighed in on the implications of the ClawJacked vulnerability. Diana Kelley, Chief Information Security Officer at Noma Security, emphasizes the importance of recognizing AI agents as high-privilege systems. She highlights the core issue of misplaced trust in local connections, warning that "Local does not automatically mean safe.” Kelley advocates for a stringent review of how organizations handle authentication and user approvals for AI tools.

Randolph Barr, Chief Information Security Officer at Cequence Security, identifies a critical gap in security practices that allowed this vulnerability to materialize. He points out that while the design of OpenClaw focused on streamlining the developer experience, it inadvertently compromised security measures. Barr posits that, in an age driven by AI technology, quick fixes may not suffice, given that these agents possess considerable authority.

Mark McClain, Chief Executive Officer at SailPoint, encapsulates the broader implications of this incident. He asserts that organizations must treat AI agents as integral components of their security frameworks, akin to human employees. As AI technology becomes increasingly embedded in essential workflows, it is imperative that developers implement robust security measures to thwart potential threats.

In conclusion, while OpenClaw represents an exciting advancement in AI technology for developers, it also highlights crucial security considerations that cannot be overlooked. As the landscape of technology continues to evolve, so too must the safeguards in place to protect users from emerging vulnerabilities.

