A high-severity vulnerability called ClawJacked in OpenClaw allowed malicious websites to brute-force and take control of local AI agent instances. Oasis Security discovered the flaw, which enabled silent data theft. OpenClaw addressed the issue with version 2026.2.26, released on February 26.
OpenClaw is an open-source AI agent framework that lets developers run autonomous AI assistants locally. It connects large language models to tools, browsers, and system resources, enabling task automation such as web interaction, data processing, and workflow execution on a user’s machine.
OpenClaw is built around a local WebSocket gateway that acts as the system’s brain, handling authentication, chat sessions, configuration, and coordination of the AI agent. Connected “nodes” (such as a macOS app, iOS device, or other machines) register with the gateway and can execute system commands or access device features. Because the gateway binds to localhost and assumes local traffic is trusted, this design creates a critical security weakness.
Oasis Security researchers uncovered a critical attack chain showing that a malicious website could fully hijack a locally running OpenClaw instance. If a developer had the OpenClaw gateway running on localhost and visited an attacker-controlled site, embedded JavaScript could silently open a WebSocket connection to the local gateway. Because browsers allow WebSocket connections to localhost and OpenClaw trusted local traffic, the connection was not blocked.
The gateway also exempted localhost from rate limiting, allowing attackers to brute-force the password at hundreds of guesses per second without triggering alerts. Once the password was guessed, the malicious script could automatically register as a trusted device, since local pairings required no user confirmation.
With authenticated access, attackers gained admin-level control. They could interact directly with the AI agent, extract configuration details, read logs, enumerate connected nodes, and potentially execute commands on linked devices. In practice, this meant full workstation compromise initiated from a simple browser visit, without any visible warning to the user.
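The three gateway behaviours the attack chain relies on (trusting any localhost WebSocket, exempting loopback from rate limiting, and pairing without confirmation) can each be closed at the handshake. The following is an added example written for this article, not OpenClaw's own code; every function name, the hypothetical `clientId`/`nodeId` fields and the limits are assumptions.

```javascript
// Added example, not OpenClaw's code: handshake policy for a local WebSocket
// gateway that closes the three gaps described above. All names are hypothetical.

// Gap 1: a browser always sends an Origin header on a WebSocket upgrade; a
// native local client (CLI, desktop app) sends none. Only explicitly
// allow-listed browser origins may talk to the gateway at all.
function isOriginAllowed(origin, allowedOrigins) {
  if (origin === undefined || origin === null) return true; // non-browser client
  return allowedOrigins.includes(origin);
}

// Gap 2: password-guess limiter that deliberately does NOT exempt loopback,
// because a hijacking script in the user's browser connects from 127.0.0.1.
class AuthAttemptLimiter {
  constructor(maxAttempts = 5, windowMs = 60000) {
    this.max = maxAttempts;
    this.windowMs = windowMs;
    this.failures = new Map(); // clientId -> timestamps of recent failures
  }
  recentFailures(clientId, now) {
    return (this.failures.get(clientId) || []).filter(t => now - t < this.windowMs);
  }
  recordFailure(clientId, now) {
    this.failures.set(clientId, [...this.recentFailures(clientId, now), now]);
  }
  isBlocked(clientId, now) {
    return this.recentFailures(clientId, now).length >= this.max;
  }
}

// Gap 3: a new node is never trusted automatically; it stays pending until
// the user confirms the pairing through the gateway's own UI.
function decidePairing(nodeId, userConfirmed) {
  return { nodeId, status: userConfirmed ? 'paired' : 'pending' };
}

// Combined check run on every authentication attempt. In production compare
// the password with crypto.timingSafeEqual rather than ===.
function evaluateHandshake({ origin, clientId, password },
                           { expectedPassword, allowedOrigins, limiter, now = Date.now() }) {
  if (!isOriginAllowed(origin, allowedOrigins)) return 'rejected: origin';
  if (limiter.isBlocked(clientId, now)) return 'rejected: rate-limited';
  if (password !== expectedPassword) {
    limiter.recordFailure(clientId, now);
    return 'rejected: bad password';
  }
  return 'authenticated';
}
```

With these checks a page script is refused on Origin before it can guess at all, and even a native client on loopback is locked out after a handful of failures instead of hundreds of guesses per second.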
“A developer has OpenClaw running on their laptop, with the gateway bound to localhost, protected by a password,” reads the report published by Oasis Security. “They’re browsing the web and accidentally land on a malicious website. That’s all it takes.
The full attack chain works like this:
Below is a video PoC of the attack:
Researchers responsibly disclosed the flaw to the OpenClaw team; the issue was rated high severity and patched in under 24 hours.
Organizations are urged to identify AI tools running on developer machines, as many may be deployed without IT oversight. Any OpenClaw instances should be updated immediately to version 2026.2.25 or later. Companies should also audit what permissions and credentials their AI agents hold, limiting access to only what is necessary.
Finally, experts stress the need for governance around AI agents as non-human identities. Since they can authenticate, store credentials, and act autonomously, they require strict policy controls, monitored access, and full audit trails—just like human users or service accounts.