ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
#Vulnerabilities

Security Reporter

OpenClaw fixes high-severity ClawJacked vulnerability that allowed malicious websites to brute-force local AI agent passwords and gain complete control without user prompts.

OpenClaw has patched a critical security flaw that could have allowed malicious websites to hijack locally running AI agents through WebSocket connections, highlighting the growing attack surface of AI agent frameworks in enterprise environments.

The ClawJacked Vulnerability

The vulnerability, dubbed ClawJacked by cybersecurity firm Oasis Security, exists in the core OpenClaw gateway itself, not in plugins or extensions. The flaw lies in how the gateway handles local WebSocket connections and device authentication.

How the Attack Works

The attack chain begins when a developer visits an attacker-controlled website through social engineering. From there:

  1. Malicious JavaScript opens a WebSocket connection to localhost on the OpenClaw gateway port
  2. The script brute-forces the gateway password, exploiting a missing rate-limiting mechanism
  3. Upon successful authentication with admin-level permissions, the script registers as a trusted device
  4. The gateway auto-approves the registration without user prompts due to local connection trust
  5. The attacker gains complete control over the AI agent

The critical issue stems from browsers allowing WebSocket connections to localhost without the same cross-origin restrictions applied to HTTP requests. This means JavaScript running on any website can silently connect to local services without user awareness.

Security Implications

Once compromised, attackers can:

  • Interact with the AI agent and issue commands
  • Dump configuration data and application logs
  • Enumerate connected nodes and integrated services
  • Potentially use the agent as a pivot point for further attacks

Oasis Security noted that the gateway "relaxes several security mechanisms for local connections," including automatic approval of new device registrations that would normally require user confirmation.

The Fix and Recommendations

OpenClaw released version 2026.2.25 on February 26, 2026, addressing the ClawJacked vulnerability within 24 hours of responsible disclosure. Users are strongly advised to update immediately.

Beyond patching, security experts recommend:

  • Periodically auditing access granted to AI agents
  • Enforcing governance controls for non-human identities
  • Treating AI agent frameworks as untrusted code execution environments
  • Deploying in isolated environments when evaluation is necessary

Broader OpenClaw Security Concerns

The ClawJacked disclosure comes amid heightened scrutiny of OpenClaw's security posture. Recent reports have identified multiple vulnerabilities ranging from moderate to high severity, including:

  • Remote code execution flaws
  • Command injection vulnerabilities
  • Server-side request forgery (SSRF) issues
  • Authentication bypass problems
  • Path traversal vulnerabilities

These issues have been addressed in versions 2026.1.20, 2026.1.29, 2026.2.1, 2026.2.2, and 2026.2.14.

Supply Chain Attacks Through ClawHub

Security researchers have discovered malicious skills uploaded to ClawHub, OpenClaw's open marketplace for AI agent extensions. These skills serve as delivery mechanisms for malware, including a new variant of Atomic Stealer, a macOS information stealer.

The infection chain typically involves:

  1. A seemingly benign skill that installs prerequisites
  2. Instructions directing users to external websites
  3. Malicious commands that download and execute stealer payloads
  4. Cryptocurrency scams that redirect funds to attacker-controlled wallets

Researchers have identified at least 71 malicious skills among 3,505 analyzed, with some employing sophisticated social engineering tactics to trick users into running terminal commands.

Enterprise Risk Assessment

Microsoft's Defender Security Research Team has issued specific guidance regarding OpenClaw deployment:

"Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials. It is not appropriate to run on a standard personal or enterprise workstation."

The company recommends deploying OpenClaw only in fully isolated environments such as dedicated virtual machines, using non-privileged credentials, and implementing continuous monitoring with rebuild plans.

The Growing AI Agent Attack Surface

This incident underscores a critical security reality: as AI agents gain entrenched access to disparate systems and execute tasks across enterprise tools, they create significantly larger blast radii when compromised. Each integrated service broadens the potential attack surface, and agents can be manipulated through prompt injections embedded in processed content like emails or messages.

Security firms Bitsight and NeuralTrust have documented how internet-connected OpenClaw instances pose expanded attack surfaces, while Eye Security has detailed log poisoning vulnerabilities that allow attackers to influence agent reasoning through manipulated troubleshooting data.

The ClawJacked vulnerability serves as a stark reminder that AI agent frameworks require security analysis that addresses both traditional vulnerabilities and AI-specific attack surfaces as they become more prevalent in enterprise environments.
