
Mark0


ClawJacked attack let malicious websites hijack OpenClaw to steal data

This article details a high-severity vulnerability, dubbed "ClawJacked," discovered by Oasis Security in the popular AI agent OpenClaw. The flaw, fixed in version 2026.2.26, allowed malicious websites to silently brute-force access to a locally running OpenClaw instance and gain full control.

The attack exploited OpenClaw's default binding of its gateway service to localhost, which exposes a WebSocket interface. Browsers do not block WebSocket connections to localhost, so JavaScript on a malicious site the user visits could silently open a connection and attempt authentication. Critically, OpenClaw's rate limiting exempted the loopback address, so hundreds of password guesses per second went unthrottled, leaving human-chosen passwords highly susceptible. Once the password was guessed, the attacker could register as a trusted device because pairing requests from localhost were approved automatically.
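The three weaknesses described above (no Origin check on the WebSocket upgrade, a rate limiter that exempts loopback, and automatic pairing for loopback clients) can be modelled as one policy object, and the corrections as a second one. The following is an added example, not OpenClaw's code and not from the Oasis Security write-up; the policy fields, the limits, the UI origin `http://localhost:3000`, the `decide` and `tallyFailedAttempts` helpers and the simulated client requests are all assumptions constructed for illustration.

```javascript
// Added example, not OpenClaw's code: a toy model of a local gateway's
// WebSocket authentication policy. WEAK_POLICY has the shape of the defect
// the article describes; HARDENED_POLICY shows the corrections a defender
// would apply. All names, limits and origins are assumptions.

const LOOPBACK = new Set(["127.0.0.1", "::1"]);

// Weak policy: trusts loopback clients, so a browser tab on the same
// machine gets unlimited guesses and automatic pairing.
const WEAK_POLICY = {
  checkOrigin: false,            // any web page may complete the upgrade
  allowedOrigins: new Set(),
  exemptLoopbackFromLimit: true, // loopback is never throttled
  autoPairLoopback: true,        // loopback clients are approved as devices
  maxFailures: 10,               // failures allowed per window before throttling
  windowMs: 60_000,
};

// Hardened policy: the Origin header must match the gateway's own UI,
// failures from loopback count like any other IP, and pairing always
// needs explicit approval.
const HARDENED_POLICY = {
  checkOrigin: true,
  allowedOrigins: new Set(["http://localhost:3000"]), // hypothetical UI origin
  exemptLoopbackFromLimit: false,
  autoPairLoopback: false,
  maxFailures: 10,
  windowMs: 60_000,
};

// Per-gateway state: timestamps of recent failed attempts, keyed by client IP.
function makeState() {
  return { failures: new Map() };
}

// Decide one authentication attempt.
// attempt = { ip, origin, passwordOk, now }, where `now` is a millisecond clock.
function decide(policy, state, attempt) {
  // 1. Origin check on the WebSocket upgrade request. A page served from
  //    another origin cannot forge this header, so the check shuts out
  //    cross-site connections before any password is examined.
  if (policy.checkOrigin && !policy.allowedOrigins.has(attempt.origin)) {
    return { allowed: false, reason: "origin-rejected" };
  }

  // 2. Rate limiting keyed by client IP, with the loopback exemption as a
  //    policy switch. Failed attempts older than the window are dropped.
  const recent = (state.failures.get(attempt.ip) || [])
    .filter((t) => attempt.now - t < policy.windowMs);
  state.failures.set(attempt.ip, recent);
  const exempt = policy.exemptLoopbackFromLimit && LOOPBACK.has(attempt.ip);
  if (!exempt && recent.length >= policy.maxFailures) {
    return { allowed: false, reason: "rate-limited" };
  }

  if (!attempt.passwordOk) {
    recent.push(attempt.now);
    return { allowed: false, reason: "bad-password" };
  }

  // 3. Device pairing: the weak policy approves loopback clients automatically;
  //    the hardened one leaves every new device pending until a user approves it.
  const autoPaired = policy.autoPairLoopback && LOOPBACK.has(attempt.ip);
  return { allowed: true, reason: autoPaired ? "auto-paired" : "pending-approval" };
}

// Feed `n` failed attempts from a loopback client with the given Origin
// through a policy, one millisecond apart, and tally the decisions.
function tallyFailedAttempts(policy, origin, n) {
  const state = makeState();
  const counts = {};
  for (let i = 0; i < n; i++) {
    const r = decide(policy, state, { ip: "127.0.0.1", origin, passwordOk: false, now: i });
    counts[r.reason] = (counts[r.reason] || 0) + 1;
  }
  return counts;
}

// Constructed sample: a cross-site page running in a browser on the same machine.
const UNTRUSTED_ORIGIN = "https://untrusted.example";

console.log("weak, untrusted origin    :", tallyFailedAttempts(WEAK_POLICY, UNTRUSTED_ORIGIN, 500));
console.log("hardened, untrusted origin:", tallyFailedAttempts(HARDENED_POLICY, UNTRUSTED_ORIGIN, 500));
console.log("hardened, trusted origin  :", tallyFailedAttempts(HARDENED_POLICY, "http://localhost:3000", 50));
```

Under the weak policy all 500 guesses from the cross-site page are simply answered "bad-password", which is the unthrottled behaviour the article describes; under the hardened policy every one of them is rejected on the Origin header before the password is looked at, and even a client from the trusted origin is throttled after ten failures. The Origin check is the decisive control here: the rate limit only slows a brute force, whereas refusing upgrades from unknown origins removes the browser as a vector entirely, and the pending-approval pairing step means a guessed password on its own no longer yields a trusted device.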

With admin permissions, attackers could dump credentials, exfiltrate files, and execute arbitrary shell commands on connected devices, leading to full workstation compromise. The fix implemented stronger WebSocket security and additional protections against localhost abuse. Organizations using OpenClaw are strongly advised to update immediately. The article also briefly notes other threats like malicious "ClawHub" skills promoting infostealing malware.


