Recently, security researchers at Oasis Security unveiled a significant vulnerability in the popular AI agent OpenClaw, named “ClawJacked.” This vulnerability allowed a malicious website to gain unauthorized access to a locally running instance of OpenClaw, potentially taking control over it without the user’s knowledge.

The flaw was promptly reported to OpenClaw, and a fix was swiftly rolled out in version 2026.2.26 on February 26.

OpenClaw, a self-hosted AI platform, has garnered substantial attention for its capability to empower AI agents in sending messages, executing commands, and managing tasks across various platforms.

According to Oasis Security, the vulnerability stemmed from the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface.

Due to browser cross-origin policies not blocking WebSocket connections to localhost, a malicious website visited by an OpenClaw user could exploit JavaScript to establish a connection with the local gateway and attempt authentication discreetly, evading detection.

While OpenClaw implemented rate limiting to thwart brute-force attacks, the loopback address (127.0.0.1) was exempt by default to prevent local CLI sessions from being inadvertently locked out.

The researchers found that they could conduct a brute-force attack on the OpenClaw management password at a rapid rate without throttling or logging failed attempts. Once the correct password was guessed, the attacker could register as a trusted device seamlessly, as the gateway automatically sanctioned device pairings from localhost without user consent.

Oasis elaborated, stating, “In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone. At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human-chosen password doesn’t stand a chance.”

With an authenticated session and admin privileges, the attacker could directly interact with the AI platform, potentially extracting credentials, listing connected nodes, pilfering data, and reviewing application logs.

This exploit could enable an attacker to instruct the agent to scour messaging histories for sensitive data, extract files from connected devices, or execute arbitrary shell commands on paired nodes, culminating in a complete workstation compromise triggered from a simple browser tab.

Oasis also provided a demonstration of this attack, showcasing how sensitive data could be illicitly obtained through the OpenClaw vulnerability.

Upon receiving the report from Oasis, OpenClaw promptly addressed the issue, enhancing WebSocket security checks and implementing additional safeguards to thwart attackers from leveraging localhost loopback connections to brute-force logins or hijack sessions, even if exempt from rate limiting.

Organizations and developers utilizing OpenClaw are urged to update to version 2026.2.26 or later immediately to safeguard their installations from potential hijacking attempts.

Due to OpenClaw’s widespread popularity, security researchers have intensified efforts to identify vulnerabilities and potential attacks targeting the platform.

Threat actors have been observed exploiting the “ClawHub” OpenClaw skills repository to propagate malicious skills that deploy infostealing malware or deceive users into executing malicious commands on their devices.