A critical vulnerability dubbed “ClawJacked” let malicious websites hijack OpenClaw agents and steal data.
The flaw exposed self‑hosted AI platforms to full workstation compromise, threatening enterprises and developers that rely on OpenClaw for autonomous messaging and task automation.
Oasis Security said the OpenClaw gateway service binds to localhost by default and exposes a WebSocket interface.
Because browser cross‑origin policies do not block WebSocket connections to localhost, a malicious site can open a silent connection to the local gateway.
Oasis noted that the gateway exempts the loopback address from rate limiting, allowing brute‑force attempts at hundreds of guesses per second without throttling or logs.
“In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone,” the researchers said.
Once the correct password is guessed, the attacker registers as a trusted device and gains admin permissions, enabling credential dumping, node enumeration, log reading, and arbitrary shell command execution.
Oasis reported the issue to OpenClaw, and the vendor released a fix in version 2026.2.26 on February 26, sealing the WebSocket checks and re‑applying rate limits to loopback connections.
Organizations running OpenClaw should update to version 2026.2.26 or later immediately to prevent hijacking.
OpenClaw is a self‑hosted AI platform that lets agents autonomously send messages, execute commands, and manage tasks across multiple services, and its popularity has surged among developers seeking on‑premise AI capabilities.
