The now-patched flaw is the latest in a growing string of security issues with the viral AI tool, which has seen rapid adoption among developers.

DR (DZone Research) offers insights into software development trends, industry surveys, and technology adoption patterns, providing reports, whitepapers, and analyst insights to help businesses make informed decisions and stay competitive in the ever-evolving tech landscape. By exploring DR's curated content, developers can gain insights into emerging technologies, developer preferences, and industry best practices for building innovative and market-leading software solutions. Whether you're a startup founder, product manager, or tech executive, DR offers resources to guide your strategic planning and drive business success.

Dark Reading

A critical vulnerability in OpenClaw, a rapidly adopted open source AI agent tool, allowed malicious websites to hijack a developer's local AI agent via WebSocket connections to localhost without any user interaction. The flaw exploited OpenClaw's implicit trust of localhost connections and lack of brute-force protections on its gateway password. The OpenClaw team patched the issue within 24 hours of disclosure by Oasis Security. The incident is part of a broader pattern of security issues with OpenClaw, including authentication token theft, command injection, prompt injection, and a growing number of malicious community plugins on its marketplace. Security experts recommend layered defenses including mTLS, strict Origin allowlisting, capability-scoped permissions, sandboxing, and treating local AI gateways as internet-facing services.

Critical OpenClaw Vulnerability Exposes AI Agent Risks