OpenClaw Authentication Bypass Vulnerability in WebSocket Clients Allowing Password Brute-Force Attacks
Vulnerability
A vulnerability exists in OpenClaw versions prior to 2026.2.25, where browser-origin WebSocket clients can bypass authentication checks and throttling on loopback deployments. This flaw allows attackers to conduct password brute-force attacks against the gateway. By tricking a user into visiting a malicious webpage, an attacker could exploit this vulnerability to gain unauthorized access and control over the system.
Impact
Exploitation of this vulnerability allows an attacker to bypass authentication checks, enabling password brute-force attacks that could lead to unauthorized access as an operator, with the ability to invoke control-plane methods.
Reproduction
To reproduce this vulnerability, deploy OpenClaw on a loopback connection with password authentication enabled. Then have a user open a malicious webpage that initiates a WebSocket connection to the OpenClaw gateway. Because the application does not properly validate the connection's origin, the connection from the page is accepted. Once the WebSocket connection is established, the attacker can begin guessing the gateway password, taking advantage of the missing origin checks and the absence of authentication throttling on loopback.
Remediation
Users can update to OpenClaw version 2026.2.25 or later, where this vulnerability has been patched.
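For readers maintaining a similar gateway, the following added Python example shows the two checks whose absence the advisory describes: strict Origin validation on the WebSocket upgrade and a failed-attempt throttle that is not exempted for loopback clients. It is hypothetical defensive code, not OpenClaw's implementation; the allowlist, limits and function names are assumptions.

```python
import hmac
from collections import defaultdict, deque
from urllib.parse import urlparse

# Constructed allowlist of browser origins permitted to open a WebSocket;
# a real gateway would load this from configuration.
ALLOWED_ORIGINS = {"http://127.0.0.1:3000", "http://localhost:3000"}
MAX_FAILURES = 5        # failed password attempts allowed per window
WINDOW_SECONDS = 60.0   # sliding window length


def origin_allowed(headers):
    """Browser clients always send Origin, so a present Origin must match
    the allowlist exactly. A missing Origin is treated as a non-browser
    client; it still goes through the throttle below."""
    origin = headers.get("origin")
    if origin is None:
        return True
    parsed = urlparse(origin)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        return False
    return origin in ALLOWED_ORIGINS


class AuthThrottle:
    """Sliding-window limiter on failed password attempts, keyed by
    (remote address, origin). Loopback addresses get no exemption; the
    origin is part of the key so a browser tab cannot lock out a local
    command-line client sharing 127.0.0.1."""
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW_SECONDS):
        self.max_failures, self.window = max_failures, window
        self._failures = defaultdict(deque)

    def _key(self, remote_addr, headers):
        return (remote_addr, headers.get("origin", "<no-origin>"))

    def is_blocked(self, remote_addr, headers, now):
        q = self._failures[self._key(remote_addr, headers)]
        while q and now - q[0] > self.window:   # drop expired failures
            q.popleft()
        return len(q) >= self.max_failures

    def record_failure(self, remote_addr, headers, now):
        self._failures[self._key(remote_addr, headers)].append(now)


def handle_auth(throttle, remote_addr, headers, password, expected, now):
    """Decision for one password attempt: 'bad-origin', 'throttled',
    'ok' or 'bad-password'. Origin is checked before any credential is
    examined, and failures are counted even from loopback."""
    if not origin_allowed(headers):
        return "bad-origin"
    if throttle.is_blocked(remote_addr, headers, now):
        return "throttled"
    if hmac.compare_digest(password, expected):
        return "ok"
    throttle.record_failure(remote_addr, headers, now)
    return "bad-password"
```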
