ClawJacked: How Malicious Websites Hijack Local AI Agents via WebSocket

Published: (February 28, 2026 at 08:09 PM EST)
4 min read
Source: Dev.to

What Happened

Oasis Security has disclosed ClawJacked, a high‑severity vulnerability in OpenClaw — a popular open‑source AI agent framework. The flaw allows any website a user visits to silently hijack locally running AI agents through WebSocket connections, granting attackers full control over the agent and all its connected integrations.

The vulnerability was patched in OpenClaw version 2026.2.25, released February 26 2026 — within 24 hours of responsible disclosure.

Technical Breakdown

ClawJacked exploits a fundamental trust assumption: OpenClaw relaxes security mechanisms for localhost connections, including silent device registration approval. The attack chain works in four steps:

Step 1: WebSocket Connection

When a user visits a malicious webpage, JavaScript on the page opens a WebSocket connection to localhost on the OpenClaw gateway port. Browsers do not block WebSocket connections to localhost, and the WebSocket handshake is not subject to CORS: the browser attaches an Origin header, but it is entirely up to the server to check it, and a server that does not will accept the page's connection.

// Attacker's page — connects to local AI agent
const ws = new WebSocket('ws://localhost:OPENCLAW_PORT');

Step 2: Password Brute‑Force

OpenClaw’s gateway has no rate‑limiting on authentication attempts. The attacker’s script rapidly brute‑forces the gateway password through the WebSocket connection.

Step 3: Silent Device Registration

After authentication, the attacker registers as a trusted device. Because the connection comes from localhost, the gateway auto‑approves the registration without prompting the user.

Step 4: Full Compromise

With admin‑level access, the attacker can:

  • Execute tasks through the AI agent across all connected platforms
  • Extract configuration data including API keys and secrets
  • Enumerate connected nodes and discover internal infrastructure
  • Access application logs containing sensitive operational data
  • Pivot laterally to any system the agent has access to

While ClawJacked itself has no assigned CVE, OpenClaw has recently patched multiple critical vulnerabilities:

CVE             | Type                  | Severity
----------------|-----------------------|---------
CVE-2026-25593  | RCE                   | Critical
CVE-2026-24763  | Authentication Bypass | Critical
CVE-2026-25157  | RCE                   | High
CVE-2026-25475  | Authentication Bypass | High
CVE-2026-26319  | Command Injection     | High
CVE-2026-26322  | Command Injection     | High
CVE-2026-26329  | SSRF                  | Medium

MITRE ATT&CK Mapping

Technique                                 | ID        | Phase
------------------------------------------|-----------|------------------
Exploitation of Remote Services           | T1210     | Lateral Movement
Brute Force                               | T1110     | Credential Access
Valid Accounts: Local                     | T1078.003 | Persistence
Application Layer Protocol: WebSocket     | T1071.001 | Command & Control
Data from Local System                    | T1005     | Collection

Indicators of Compromise

Watch for these IOCs associated with ClawJacked exploitation campaigns:

  • IP: 91.92.242[.]30 — Atomic Stealer payload distribution
  • Domain: openclawcli.vercel[.]app — malicious skill installation lure
  • Actor: @liuhui1010 — ClawHub comment campaign distributing malicious skills

Detection & Hunting

Network‑Based Detection

Monitor for unexpected WebSocket connections to localhost from browser processes:

# Sigma‑style rule: Browser process connecting to localhost WebSocket
title: Suspicious Localhost WebSocket from Browser
logsource:
  category: network_connection
detection:
  selection:
    DestinationIp:          # match both loopback addresses; 'localhost' may resolve to ::1
      - '127.0.0.1'
      - '::1'
    SourceImage|endswith:
      - 'chrome.exe'
      - 'firefox.exe'
      - 'msedge.exe'
  condition: selection
level: medium

Host‑Based Detection

Look for OpenClaw gateway device registration events without user interaction:

# Check OpenClaw logs for auto‑approved device registrations
grep -i "device.*registered.*auto" /var/log/openclaw/*.log

# Count established connections to the loopback gateway port
# (OPENCLAW_PORT is a placeholder for the configured gateway port; with -n the
# loopback address prints as 127.0.0.1 or [::1], never as "localhost")
ss -tnp state established '( dport = :OPENCLAW_PORT )' | grep -cE '127\.0\.0\.1|\[::1\]'
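The grep above finds auto-approved registrations one line at a time; the attack chain is more distinctive as a sequence. The following added example (not from the original post or from OpenClaw) correlates, per connection, a burst of failed authentications from a loopback peer with a subsequent auto-approved device registration, and separately flags registrations on connections that carried a browser Origin header. The log format and field names are constructed for the example; OpenClaw's real log layout is not given on the page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a hypothetical gateway log format (not OpenClaw's).
SAMPLE_LOG = """\
2026-02-27T10:00:00Z auth.failed conn=c1 peer=127.0.0.1 origin=https://blog.example
2026-02-27T10:00:00Z auth.failed conn=c1 peer=127.0.0.1 origin=https://blog.example
2026-02-27T10:00:01Z auth.failed conn=c1 peer=127.0.0.1 origin=https://blog.example
2026-02-27T10:00:01Z auth.ok conn=c1 peer=127.0.0.1 origin=https://blog.example
2026-02-27T10:00:02Z device.registered conn=c1 peer=127.0.0.1 approval=auto
2026-02-27T10:05:00Z auth.ok conn=c2 peer=127.0.0.1 origin=-
2026-02-27T10:05:01Z device.registered conn=c2 peer=127.0.0.1 approval=prompt
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+) (?P<kv>.*)$")

def parse(line):
    # 'timestamp event k=v k=v ...' -> dict; None for lines that do not match
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = dict(pair.split("=", 1) for pair in m["kv"].split())
    ev["event"] = m["event"]
    ev["ts"] = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
    return ev

def find_hijack_sequences(log_text, fail_threshold=3, window=timedelta(seconds=60)):
    """Return {conn_id: [reasons]} for loopback connections showing the chain:
    failed-auth burst, then auto-approved registration. A browser Origin on the
    same connection is a second signal, since a local CLI client sends none."""
    failures = defaultdict(list)
    origins = {}
    flagged = defaultdict(list)
    for raw in log_text.splitlines():
        ev = parse(raw)
        if ev is None or ev.get("peer") not in ("127.0.0.1", "::1"):
            continue
        conn = ev["conn"]
        if ev.get("origin", "-") != "-":
            origins[conn] = ev["origin"]
        if ev["event"] == "auth.failed":
            failures[conn].append(ev["ts"])
        elif ev["event"] == "device.registered" and ev.get("approval") == "auto":
            recent = [t for t in failures[conn] if ev["ts"] - t <= window]
            if len(recent) >= fail_threshold:
                flagged[conn].append("auth brute-force burst before auto-approved registration")
            if origins.get(conn, "").startswith("http"):
                flagged[conn].append("auto-approved registration on a browser-originated connection")
    return dict(flagged)
```

Connection c2 in the sample is a normal CLI session (no Origin, user prompted) and is not flagged; c1 is flagged on both signals.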

Mitigation

  • Update immediately to OpenClaw version 2026.2.25 or later
  • Audit agent permissions — review what systems your AI agents can access
  • Enforce rate‑limiting on all authentication endpoints
  • Disable auto‑approve for device registration, even from localhost
  • Deploy on isolated systems — never run AI agent gateways on developer workstations
  • Use dedicated, non‑privileged credentials for agent integrations
  • Monitor continuously for unauthorized device registrations
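The three server-side fixes in this list (rate-limiting, no auto-approval from localhost, not treating the peer address as trust) can be expressed as one small policy. The following is an added example of such a gateway-side policy, not OpenClaw's code or its patch; the UI origin, the lockout thresholds and the function names are assumptions.

```python
import hmac
from collections import deque

# Assumptions for the example: the gateway serves its own UI from one known
# origin (hypothetical value) and authenticates with a single shared password.
ALLOWED_ORIGINS = {"https://gateway-ui.example"}
MAX_FAILURES = 5        # failed password attempts tolerated ...
WINDOW_SECONDS = 300    # ... within this window before the gateway locks

class AuthThrottle:
    """Global lockout for password attempts. Deliberately not keyed on the peer
    address: every browser tab on the machine arrives as 127.0.0.1, so a per-IP
    limiter could never separate a malicious page from legitimate clients."""
    def __init__(self):
        self.failures = deque()

    def record_failure(self, now):
        self.failures.append(now)

    def is_locked(self, now):
        while self.failures and now - self.failures[0] > WINDOW_SECONDS:
            self.failures.popleft()
        return len(self.failures) >= MAX_FAILURES

def accept_handshake(origin, throttle, now):
    """Gate the WebSocket upgrade. Browsers always send Origin and a page cannot
    forge it, so an Origin outside the allowlist means a web page, not a local
    CLI, opened the socket. A missing Origin (non-browser client) proceeds to
    password authentication like everyone else; loopback earns no shortcut."""
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowlisted"
    if throttle.is_locked(now):
        return False, "authentication locked after repeated failures"
    return True, "proceed to authentication"

def check_password(supplied, expected, throttle, now):
    """Constant-time compare; every failure counts toward the global lockout."""
    if hmac.compare_digest(supplied.encode(), expected.encode()):
        return True
    throttle.record_failure(now)
    return False

def approve_device(peer_ip, user_confirmed):
    """Device registration needs an explicit user decision. The peer address is
    a parameter only to make the point visible: it is never consulted."""
    return bool(user_confirmed)
```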

The Bigger Picture

ClawJacked highlights a growing attack surface: AI agent frameworks that trust localhost connections. As organizations deploy AI agents with access to internal tools, databases, and APIs, the blast radius of a single compromised agent grows exponentially.

The lesson is clear — treat AI agents as privileged identities. Apply the same zero‑trust principles you use for service accounts: least privilege, continuous monitoring, and never assume that localhost equals trust.

Need help assessing your exposure? Request a free penetration test — currently in open beta.
