TechRadar: Security researchers at Oasis uncovered a high‑severity vulnerability in the popular open‑source OpenClaw AI agent. The flaw lets a malicious website open a local WebSocket connection and brute‑force the gateway password, granting full control over the system. OpenClaw’s core gateway, which handles authentication for connected nodes, is exposed to localhost and can be compromised without any plugins or prior infection. A fix was released within 24 hours, and users are urged to upgrade to version 2026.2.25 or later.
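As an added illustration (not OpenClaw's code; the summary above does not say how the fix works), here are two generic gateway-side defenses against a web page brute-forcing a localhost WebSocket password: checking the handshake Origin, and throttling failed logins with no exemption for loopback. The function names, limits and allowed origin are assumptions.

```javascript
// Added example: hypothetical names and constructed values, not OpenClaw code.
const MAX_FAILURES = 5;      // assumed threshold
const LOCKOUT_MS = 60_000;   // assumed lockout window

function createGatewayGuard(allowedOrigins, now = () => Date.now()) {
  const failures = new Map(); // remote address -> { count, lockedUntil }

  // Browsers attach an Origin header to every WebSocket handshake, so a
  // page on another site cannot hide where the connection comes from.
  // Header keys are lowercase, as Node's HTTP parser delivers them.
  function checkOrigin(headers) {
    const origin = headers["origin"];
    if (origin === undefined) return true; // non-browser client (CLI, node)
    return allowedOrigins.has(origin);
  }

  // verify(password) -> boolean is supplied by the caller.
  function attemptAuth(remoteAddr, headers, password, verify) {
    if (!checkOrigin(headers)) return { ok: false, reason: "origin" };

    // Loopback is throttled like any other address: a browser on the same
    // machine reaches the gateway from 127.0.0.1 too.
    const entry = failures.get(remoteAddr) || { count: 0, lockedUntil: 0 };
    if (now() < entry.lockedUntil) return { ok: false, reason: "locked" };

    if (verify(password)) {
      failures.delete(remoteAddr);
      return { ok: true, reason: null };
    }
    entry.count += 1;
    if (entry.count >= MAX_FAILURES) {
      entry.lockedUntil = now() + LOCKOUT_MS;
      entry.count = 0;
    }
    failures.set(remoteAddr, entry);
    return { ok: false, reason: "password" };
  }

  return { checkOrigin, attemptAuth };
}
```

Checking the lockout before the password means a correct guess made during the lockout window is still refused, so guessing faster gains nothing.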