PANews March 2 News, GoPlus Chinese Community issued an alert: OpenClaw Gateway currently has a high-severity vulnerability. Please upgrade immediately to version 2026.2.25 or higher, audit and revoke unnecessary credentials, API keys, and node permissions granted to Agent instances. The analysis states that OpenClaw runs through a WebSocket Gateway bound to the localhost, which serves as the core coordination layer for the Agent and is an important component of OpenClaw. The attack targets the weakness in the Gateway layer, requiring only one condition: the user accesses a malicious website controlled by hackers in their browser.
The complete attack chain is as follows:
- The victim visits a malicious website controlled by the attacker in their browser;
- JavaScript on the page initiates a WebSocket connection to the OpenClaw Gateway on the localhost;
- Subsequently, the attack script attempts to brute-force the gateway password hundreds of times per second;
- After successfully cracking the password, the attack script silently registers as a trusted device;
- The attacker gains administrator-level control of the Agent.
Disclaimer: The information on this page may come from third parties and does not represent the views or opinions of Gate. The content displayed on this page is for reference only and does not constitute any financial, investment, or legal advice. Gate does not guarantee the accuracy or completeness of the information and shall not be liable for any losses arising from the use of this information. Virtual asset investments carry high risks and are subject to significant price volatility. You may lose all of your invested principal. Please fully understand the relevant risks and make prudent decisions based on your own financial situation and risk tolerance. For details, please refer to
Disclaimer.
Related Articles
CertiK Warns Security Risks in AI Agent Marketplaces Despite Next-Gen Skill Scanning
CertiK has revealed significant security vulnerabilities in AI agent marketplaces, emphasizing that current detection methods are inadequate. The research advocates for enhanced runtime security and skill isolation to prevent potential compromises from undetected malicious code.
BlockChainReporter17m ago
National Security Department Releases "Lobster" (OpenClaw) Secure Farming Manual, Proposing Four Major Risk Hazards and Countermeasures
On March 17, the National Security Department released the "Lobster" Security Hardening Guide, which identified breeding risks including host takeover and data theft. It recommends checking control interfaces, permission configurations, credential security, and plugin sources, emphasizing the principle of least privilege and implementation of isolation measures.
GateNews1h ago
UK Man Claims $172M Bitcoin Stolen, Funds Split Across 71 Wallets
A High Court case reveals the alleged theft of over $170 million in Bitcoin from a hardware wallet, raising concerns about self-custody risks. The funds, claimed by Ping Fai Yuen, were transferred without his knowledge and divided among multiple wallets. Allegations suggest involvement from the claimant's spouse, though these remain unproven. The case exemplifies challenges in cryptocurrency disputes, particularly regarding custody and personal relationships.
TodayqNews2h ago
UK Court Allows $172M Bitcoin Theft Case as Husband Accuses Wife of Stealing Crypto via CCTV
A UK court has allowed a $172M Bitcoin theft case to proceed, where a man alleges his wife recorded his wallet recovery phrase to steal 2,323 BTC. The case highlights challenges in handling crypto disputes under existing laws.
TheNewsCrypto2h ago
Husband accuses wife of stealing over 2,000 bitcoins! Judge: The plaintiff has a very high chance of winning.
The UK High Court is hearing a Bitcoin theft case in which the plaintiff alleges his estranged wife secretly stole 2,323 Bitcoin in 2023. In the case, the plaintiff used audio evidence to prove that the defendant and her sister planned to transfer the Bitcoin. The judge found a high probability of the plaintiff prevailing and ordered asset freezing while dismissing some claims, recommending expedited trial proceedings.
区块客2h ago
South Korean Police Plan to Establish Guidelines for Seizing Privacy Coins; Virtual Assets Confiscated Over Past Five Years Valued at 545 Billion Won
The Korean National Police Agency is developing new virtual asset seizure management guidelines, incorporating handling of privacy coins for the first time. The new regulations will clarify software wallet management, address virtual asset custody gaps, and improve law enforcement efficiency. Police plan to designate private custodian institutions, while experts recommend establishing a centralized public custody mechanism to reduce risks. This reform has been prompted by recent Bitcoin theft incidents, driving the management system's transition toward the digital asset era.
区块客2h ago
