National Cyber Warfare Foundation (NCWF)



ClawJacked flaw exposed OpenClaw users to data theft


2026-03-02 10:37:50
milo
Blue Team (CND)


“ClawJacked” flaw let malicious sites hijack OpenClaw AI agents to steal data; patch released in version 2026.2.26.





A high-severity vulnerability called ClawJacked in OpenClaw allowed malicious websites to brute-force and take control of local AI agent instances. Oasis Security discovered the flaw, which enabled silent data theft. OpenClaw addressed the issue with version 2026.2.26, released on February 26.





OpenClaw is an open-source AI agent framework that lets developers run autonomous AI assistants locally. It connects large language models to tools, browsers, and system resources, enabling task automation such as web interaction, data processing, and workflow execution on a user’s machine.





OpenClaw is built around a local WebSocket gateway that acts as the system’s brain, handling authentication, chat sessions, configuration, and coordination of the AI agent. Connected “nodes” (such as a macOS app, iOS device, or other machines) register with the gateway and can execute system commands or access device features. Because the gateway binds to localhost and assumes local traffic is trusted, this design creates a critical security weakness.





Oasis Security researchers uncovered a critical attack chain showing that a malicious website could fully hijack a locally running OpenClaw instance. If a developer had the OpenClaw gateway running on localhost and visited an attacker-controlled site, embedded JavaScript could silently open a WebSocket connection to the local gateway. Because browsers allow WebSocket connections to localhost and OpenClaw trusted local traffic, the connection was not blocked.





The gateway also exempted localhost from rate limiting, allowing attackers to brute-force the password at hundreds of guesses per second without triggering alerts. Once the password was guessed, the malicious script could automatically register as a trusted device, since local pairings required no user confirmation.





With authenticated access, attackers gained admin-level control. They could interact directly with the AI agent, extract configuration details, read logs, enumerate connected nodes, and potentially execute commands on linked devices. In practice, this meant full workstation compromise initiated from a simple browser visit, without any visible warning to the user.





“A developer has OpenClaw running on their laptop, with the gateway bound to localhost, protected by a password,” reads the report published by Oasis Security. “They’re browsing the web and accidentally land on a malicious website. That’s all it takes.”





The full attack chain works like this:

  • The victim visits any attacker-controlled (or compromised) website in their normal browser.

  • JavaScript on the page opens a WebSocket connection to localhost on the OpenClaw gateway port (permitted because WebSocket connections to localhost are not blocked by cross-origin policies).

  • The script brute-forces the gateway password at hundreds of attempts per second. The gateway’s rate limiter exempts localhost connections entirely.

  • Once authenticated, the script silently registers as a trusted device. The gateway auto-approves device pairings from localhost with no user prompt.

  • The attacker then has full control. They can interact with the AI agent, dump configuration data, enumerate connected devices, and read logs.





Below is a video PoC of the attack:











Researchers responsibly disclosed the flaw to the OpenClaw team; the issue was rated high severity and patched in under 24 hours.





Organizations are urged to identify AI tools running on developer machines, as many may be deployed without IT oversight. Any OpenClaw instances should be updated immediately to version 2026.2.25 or later. Companies should also audit what permissions and credentials their AI agents hold, limiting access to only what is necessary.





Finally, experts stress the need for governance around AI agents as non-human identities. Since they can authenticate, store credentials, and act autonomously, they require strict policy controls, monitored access, and full audit trails—just like human users or service accounts.










Pierluigi Paganini





(SecurityAffairs – hacking, ClawJacked)



Source: SecurityAffairs
Source Link: https://securityaffairs.com/188749/hacking/clawjacked-flaw-exposed-openclaw-users-to-data-theft.html





Copyright 2012 through 2026 - National Cyber Warfare Foundation - All rights reserved worldwide.