A serious security vulnerability named “ClawJacked” has been discovered in OpenClaw, a popular self-hosted AI agent platform. Security researchers revealed that malicious websites could secretly take control of a user’s locally running OpenClaw instance. This flaw allowed attackers to hijack the AI agent and potentially steal sensitive data. The discovery has raised significant concern within the cybersecurity community.

Corporate-style cybersecurity graphic showing AI platform hack and data theft risk related to ClawJacked vulnerability in OpenClaw.

The issue was identified by researchers at Oasis Security, who responsibly disclosed it to the OpenClaw team. According to their findings, simply visiting a malicious website could trigger the attack. No browser extensions, plugins, or additional software were required for exploitation. The attack could run silently in the background without alerting the user.

OpenClaw operates through a local gateway service that runs on the user’s machine. This gateway uses a WebSocket connection to communicate with the AI agent. Modern web browsers allow websites to initiate connections to local services. Attackers exploited this behavior to interact directly with the OpenClaw gateway.

Close-up of HTTPS browser address bar representing malicious website triggering localhost WebSocket exploit in ClawJacked vulnerability.

The primary weakness involved the gateway’s password protection system. Researchers found that attackers could repeatedly attempt password guesses using a brute-force method. Normally, systems block or slow down repeated login attempts to prevent this. However, localhost connections were not properly rate-limited in this case.

Because of this lack of restriction, attackers could test hundreds of passwords per second. Weak or commonly used passwords could be cracked in a short time. Once the correct password was discovered, full administrative access was granted. This meant the attacker gained complete control over the AI agent.

Cyber attacker attempting to access login credentials on a laptop screen symbolizing brute-force password attack in OpenClaw ClawJacked vulnerability.

Another critical issue was OpenClaw’s automatic approval of new devices from localhost. The system trusted local connections without requiring user confirmation. After successfully accessing the gateway, the malicious script could register itself as a trusted device. This allowed continued access without raising suspicion.

With administrative control, attackers could read logs and view connected integrations. They could potentially extract stored credentials or access private conversations from linked platforms. In certain configurations, they could even execute commands on connected systems. All of this activity could occur without visible warnings to the user.

Computer screen displaying software update progress bar representing OpenClaw security patch release fixing ClawJacked vulnerability.

Following responsible disclosure, OpenClaw released a security patch in version 2026.2.26 on February 26, 2026. The update strengthens WebSocket protections and enforces proper rate limiting on local connections. It also closes the loopholes that enabled brute-force and unauthorized device registration. Users are strongly advised to update immediately to remain protected against ClawJacked.

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news