ClawJacked vulnerability lets malicious websites hijack OpenClaw AI agents
A high-severity flaw in OpenClaw let a website take admin control of local agents via WebSocket; patch issued Feb 26, 2026, but users must verify release and update now.

A high-severity vulnerability called ClawJacked allowed a malicious website to silently hijack locally running OpenClaw AI agents, giving an attacker admin-level control of the agent, access to credentials and logs, and the ability to run shell commands on connected machines, security researchers warned.
Oasis Security, which discovered the flaw and published a technical report and proof-of-concept video, says the attack exploited documented default behavior: the OpenClaw gateway binds to localhost, exposes a WebSocket interface, and treats loopback traffic as trusted. Modern browsers permit WebSocket connections to localhost, allowing attacker-controlled JavaScript on a webpage to open a local socket and attempt authentication. Because OpenClaw exempted the loopback address from rate limiting to avoid locking out local CLI sessions, an attacker could brute-force the gateway password at hundreds of guesses per second and then register a trusted device with no user confirmation.
“A developer has OpenClaw running on their laptop, with the gateway bound to localhost, protected by a password. They’re browsing the web and accidentally land on a malicious website. That’s all it takes,” Oasis Security said in its disclosure. The company added that the flaw is in the product’s core. “Our vulnerability lives in the core system itself – no plugins, no marketplace, no user-installed extensions – just the bare OpenClaw gateway, running exactly as documented.”
Once authenticated and paired, the attacker can call gateway and agent APIs to dump stored credentials, enumerate connected nodes, read application logs and message histories, exfiltrate files, and instruct paired nodes to execute arbitrary shell commands. Oasis demonstrated the chain in a proof-of-concept video and shared exploit code with OpenClaw in a responsible disclosure.
Oasis also emphasized the speed of the brute-force step. “At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human‑chosen password doesn’t stand a chance,” the researchers said.

OpenClaw issued a patch on February 26, 2026, according to multiple security outlets, and researchers reported the fix arrived within 24 hours of disclosure. Publications disagree on the exact release tag for the patch, with some reporting version 2026.2.26 and others reporting 2026.2.25. Security reporting indicates the update tightens WebSocket checks, restores or enforces rate limiting for loopback connections, and adds protections to prevent silent auto-approval of local pairings, but the precise behavioral changes should be confirmed in OpenClaw’s official release notes.
Dataconomy quoted OpenClaw urging immediate updates: “OpenClaw recommends that users update to version 2026.2.26 or later immediately.” Given the conflicting version strings in secondary reporting, administrators should confirm the definitive patch by checking OpenClaw’s GitHub changelog or official advisory.
The ClawJacked disclosure joins a series of recent OpenClaw vulnerabilities, several of which were assigned CVEs and patched across early 2026, including remote code execution, SSRF and log-poisoning issues. As Endor Labs noted, “As AI agent frameworks become more prevalent in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI-specific attack surfaces.”
Practically, any developer or enterprise running OpenClaw locally should treat agent gateways as sensitive infrastructure, update to the vendor-confirmed patched release immediately, audit agent pairings and credentials, and re-evaluate trust exemptions for localhost connections. Security teams should also review logs for unexplained device pairings or API activity originating from local browser contexts and verify that default pairing behavior has been hardened.
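To make the two trust exemptions concrete, the sketch below is an added example, not OpenClaw's code or its patch: an Origin check on the WebSocket handshake and a failed-login limiter that applies to loopback like any other address. The allowlisted origin, the limiter thresholds and all function names are assumptions chosen for illustration.

```javascript
// Added example: hypothetical gateway-side checks, not OpenClaw's own code.
// Origins permitted to open the local WebSocket (constructed sample value).
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080"]);

// Browsers always send an Origin header on a WebSocket handshake and page
// script cannot change it; native CLI clients normally send none.
function originAllowed(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return true; // non-browser client
  return ALLOWED_ORIGINS.has(origin);    // rejects foreign sites and "null"
}

// Failed-login limiter keyed by remote address, with no loopback exemption.
class AuthLimiter {
  constructor(maxFailures, windowMs, lockoutMs) {
    Object.assign(this, { maxFailures, windowMs, lockoutMs });
    this.state = new Map(); // addr -> { failures: [timestamps], lockedUntil }
  }
  allow(addr, now) {
    const s = this.state.get(addr);
    return !s || now >= s.lockedUntil;
  }
  recordFailure(addr, now) {
    const s = this.state.get(addr) || { failures: [], lockedUntil: 0 };
    s.failures = s.failures.filter((t) => now - t < this.windowMs);
    s.failures.push(now);
    if (s.failures.length >= this.maxFailures) {
      s.lockedUntil = now + this.lockoutMs;
      s.failures = [];
    }
    this.state.set(addr, s);
  }
}

// Replays a stream of wrong passwords at a fixed rate and counts how many
// attempts actually reach the password comparison.
function guessesReachingCheck(limiter, addr, perSecond, seconds) {
  let reached = 0;
  for (let t = 0; t < seconds * 1000; t += 1000 / perSecond) {
    if (!limiter.allow(addr, t)) continue;
    reached += 1;
    limiter.recordFailure(addr, t);
  }
  return reached;
}

const limiter = new AuthLimiter(5, 60_000, 300_000);
console.log(originAllowed({ origin: "https://attacker.example" }));
console.log(guessesReachingCheck(limiter, "127.0.0.1", 500, 60));
```

With these sample thresholds, a minute of guessing at 500 attempts per second from 127.0.0.1 gets five attempts through to the password comparison instead of 30,000, and a handshake carrying a foreign site's Origin is refused before authentication starts.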

