Security & Infrastructure Tools
ClawJacked Attack: Malicious Websites Hijack OpenClaw AI Agent to Steal Data
OpenClaw, a popular self‑hosted AI platform, suffered a high‑severity “ClawJacked” vulnerability that allowed malicious websites to brute‑force local gateway login via WebSocket connections to localhost. The flaw bypasses rate limiting and auto‑approves device pairings from the loopback address, enabling attackers to gain admin access, steal credentials, read logs, and execute commands on connected devices. Researchers demonstrated password cracking at hundreds of attempts per second, exposing even user‑chosen passwords. OpenClaw fixed the issue in version 2026.2.26 released within 24 hours; users should update immediately to prevent hijacking.
OpenClaw, the rapidly growing self‑hosted AI platform that lets agents send messages, run commands and manage tasks across multiple systems, has been hit by a high‑severity flaw dubbed “ClawJacked.” The vulnerability, discovered by Oasis Security, allows an attacker to hijack a locally running OpenClaw instance from a malicious website.
At the heart of the issue is that OpenClaw’s gateway service binds to localhost (127.0.0.1) by default and exposes a WebSocket interface. Because browsers do not enforce cross‑origin restrictions on local sockets, a web page can use JavaScript to open a silent connection to the local gateway and attempt authentication without any user warning.
Although OpenClaw implements rate limiting to thwart brute‑force attempts, the loopback address is exempt by default, so local CLI sessions remain unlocked. Oasis Security demonstrated that, using only browser‑based JavaScript, they could perform hundreds of password guesses per second—far exceeding the throttling threshold. A list of common passwords can be exhausted in under a second, and even a larger dictionary would take only minutes to crack.
Once the correct management password is guessed, the attacker gains an authenticated session with admin privileges. The gateway automatically approves device pairings from localhost without user confirmation, allowing the attacker to register as a trusted device. With full control over the AI platform, the malicious actor can dump credentials, list connected nodes, exfiltrate files, read application logs, and even execute arbitrary shell commands on paired devices—effectively compromising an entire workstation via a single browser tab.
Oasis Security supplied proof‑of‑concept code and detailed technical information to OpenClaw. The vendor responded swiftly, releasing a patch in version 2026.2.26 (February 26) that tightens WebSocket security checks and adds protections against brute‑force login attempts from localhost loopback connections, even when those connections are exempt from rate limiting.
All organizations and developers running OpenClaw should upgrade immediately to the patched version or later to safeguard their installations. With the platform’s growing popularity, continued vigilance is essential as attackers explore other avenues—such as malicious skills repositories that can deploy infostealing malware or trick users into executing harmful commands on their devices.
The “ClawJacked” flaw underscores the importance of securing local services and enforcing strict authentication controls, especially in systems that expose powerful AI capabilities.