Tekmono
Critical “ClawJacked” Flaw Exposes OpenClaw AI Platforms

by Tekmono Editorial Team
02/03/2026
in News

A critical vulnerability dubbed “ClawJacked” lets a malicious website hijack OpenClaw agents running on a visitor's machine and steal data, a significant threat to the enterprises and developers who rely on OpenClaw for autonomous messaging and task automation.

The flaw exposed self-hosted OpenClaw installations to full workstation compromise. According to Oasis Security, the OpenClaw gateway service binds to localhost by default and exposes a WebSocket interface. Binding to the loopback address keeps the service off the network, but it does not keep it away from the browser on the same machine: any web page that browser loads can reach the same port.

Browser cross-origin rules do not block WebSocket handshakes the way they block cross-origin fetches: a page served from any origin can open a WebSocket to localhost, and the browser merely attaches an Origin header that the server has to validate for itself. A malicious site can therefore open a silent connection to the local gateway. Oasis also noted that the gateway exempted the loopback address from rate limiting, so the page could brute-force the gateway password at hundreds of guesses per second with no throttling and no log entries.

“In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone,” the researchers said, highlighting the severity of the vulnerability.

Once the correct password is guessed, the attacker's page registers itself as a trusted device and receives admin permissions. From there it can dump credentials, enumerate nodes, read logs, and run arbitrary shell commands, giving the attacker comprehensive control over the workstation.

Oasis reported the issue to OpenClaw, and the vendor released a fix in version 2026.2.26 on February 26. The update tightens the gateway's WebSocket connection checks and re-applies rate limiting to loopback connections, closing the brute-force path.

Organizations running OpenClaw are advised to update to version 2026.2.26 or later immediately. Because the brute-force attempts left no log entries, an installation that was exposed before the update cannot rule out that its gateway password was guessed, so rotating it after patching is a sensible precaution. More generally, a service listening on localhost is not beyond the reach of the browser on the same machine and should authenticate and rate-limit loopback clients like any other. OpenClaw is a self-hosted AI platform that lets agents autonomously send messages, execute commands, and manage tasks across multiple services; its popularity has surged among developers seeking on-premise AI capabilities.
