ClawJacked attack let malicious websites hijack OpenClaw to steal data
Source: Bleeping Computer
Security researchers have disclosed a high‑severity vulnerability dubbed “ClawJacked” in the popular AI agent OpenClaw that allowed a malicious website to silently brute‑force access to a locally running instance and take control over it.
Oasis Security discovered the issue and reported it to OpenClaw, with a fix being released in version 2026.2.26 on February 26.
OpenClaw is a self‑hosted AI platform that has recently surged in popularity for enabling AI agents to autonomously send messages, execute commands, and manage tasks across multiple platforms.
Vulnerability Details
According to Oasis Security, the vulnerability is caused by the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface.
Because browser cross‑origin policies do not block WebSocket connections to localhost, a malicious website visited by an OpenClaw user can use JavaScript to silently open a connection to the local gateway and attempt authentication without triggering any warnings.
While OpenClaw includes rate limiting to prevent brute‑force attacks, the loopback address (127.0.0.1) is exempt by default, so local CLI sessions are not mistakenly locked out.
The researchers found that they could brute‑force the OpenClaw management password at hundreds of attempts per second without failed attempts being throttled or logged. Once the correct password is guessed, the attacker can silently register as a trusted device, as the gateway automatically approves device pairings from localhost without requiring user confirmation.
“In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone,” explains Oasis.
“At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human‑chosen password doesn’t stand a chance.”
— Oasis Security blog post
Impact
With an authenticated session and admin permissions, the attacker can:
- Interact directly with the AI platform, dumping credentials and listing connected nodes.
- Steal credentials and read application logs.
- Instruct the agent to search messaging histories for sensitive information.
- Exfiltrate files from connected devices.
- Execute arbitrary shell commands on paired nodes, potentially resulting in full workstation compromise triggered from a browser tab.
Mitigation and Fix
Oasis reported the issue to OpenClaw, including technical details and proof‑of‑concept code. The fix, released within 24 hours of disclosure, tightens WebSocket security checks and adds additional protections to prevent attackers from abusing localhost loopback connections to brute‑force logins or hijack sessions, even when those connections are exempt from rate limiting.
Organizations and developers running OpenClaw should update to version 2026.2.26 or later immediately to prevent their installations from being hijacked.
Related Threats
With OpenClaw’s massive popularity, security researchers have been focusing on identifying vulnerabilities and attacks targeting the platform. Threat actors have been seen abusing the “ClawHub” OpenClaw skills repository to promote malicious skills that deploy infostealing malware or trick users into running malicious commands on their devices.
Malicious MoltBot skills used to push password‑stealing malware