High-Severity "ClawJacked" Vulnerability Exposed OpenClaw AI Platform to Silent Takeover
Security researchers at Oasis Security uncovered a critical flaw, dubbed "ClawJacked," in the widely used OpenClaw AI agent, enabling attackers to silently brute-force access to locally running instances via a malicious website.
The vulnerability stemmed from OpenClaw’s gateway service binding to localhost by default, exposing a WebSocket interface that bypassed browser cross-origin protections. Since WebSocket connections to localhost are not blocked, a malicious site could use JavaScript to establish a connection and brute-force the management password at hundreds of attempts per second without triggering rate limits or logging failed attempts, as the loopback address (127.0.0.1) was exempt from throttling.
Once authenticated, attackers could register as a trusted device without user confirmation, gaining admin-level access to the AI platform. From there, they could dump credentials, exfiltrate files, execute shell commands on connected nodes, and search messaging histories for sensitive data, effectively compromising the entire workstation all from a single browser tab.
Oasis Security demonstrated the attack in a proof-of-concept, showing how quickly weak passwords could be cracked common passwords in under a second, and larger dictionaries in minutes. The flaw was reported and patched within 24 hours, with OpenClaw releasing version 2026.2.26 on February 26, which tightens WebSocket security and adds protections against localhost-based brute-forcing.
OpenClaw, a self-hosted AI platform gaining traction for its autonomous task execution across multiple services, has faced increased scrutiny from researchers and threat actors. Recent attacks have exploited the ClawHub skills repository to distribute malicious extensions, including infostealers and command-execution payloads. Organizations using OpenClaw are advised to update immediately to mitigate the risk of exploitation.
OpenClaw cybersecurity rating report: https://www.rankiteo.com/company/openclawai
"id": "OPE1772403877",
"linkid": "openclawai",
"type": "Vulnerability",
"date": "2/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"{'affected_entities': [{'customers_affected': 'Users of self-hosted OpenClaw '
'instances',
'industry': 'Technology/AI',
'name': 'OpenClaw AI Platform',
'type': 'AI Software'}],
'attack_vector': 'Malicious Website (WebSocket Brute-Force)',
'customer_advisories': 'Users of self-hosted OpenClaw instances should update '
'to version 2026.2.26 to patch the ClawJacked '
'vulnerability.',
'data_breach': {'data_exfiltration': 'Yes',
'personally_identifiable_information': 'Likely (messaging '
'histories, '
'credentials)',
'sensitivity_of_data': 'High (PII, operational data)',
'type_of_data_compromised': ['Credentials',
'Files',
'Messaging histories',
'Sensitive data']},
'date_detected': '2026-02-25',
'date_publicly_disclosed': '2026-02-26',
'date_resolved': '2026-02-26',
'description': 'Security researchers at Oasis Security uncovered a critical '
"flaw, dubbed 'ClawJacked,' in the widely used OpenClaw AI "
'agent, enabling attackers to silently brute-force access to '
'locally running instances via a malicious website. The '
'vulnerability allowed admin-level access, credential dumping, '
'file exfiltration, shell command execution, and sensitive '
'data exposure.',
'impact': {'brand_reputation_impact': 'Increased scrutiny, potential loss of '
'trust',
'data_compromised': 'Credentials, files, messaging histories, '
'sensitive data',
'identity_theft_risk': 'High (PII exposure risk)',
'operational_impact': 'Full workstation compromise, unauthorized '
'admin access',
'systems_affected': 'OpenClaw AI platform (locally running '
'instances)'},
'investigation_status': 'Resolved',
'lessons_learned': 'Default localhost bindings can expose critical services '
'to silent brute-force attacks. Rate-limiting exemptions '
'for loopback addresses pose significant risks.',
'post_incident_analysis': {'corrective_actions': ['Tightened WebSocket '
'security',
'Added protections against '
'localhost brute-forcing',
'Released patch (version '
'2026.2.26)'],
'root_causes': ['OpenClaw gateway service binding '
'to localhost by default',
'WebSocket interface exposed '
'without cross-origin protections',
'Loopback address exempt from '
'rate-limiting',
'No logging of failed '
'authentication attempts on '
'localhost']},
'recommendations': ['Update OpenClaw to version 2026.2.26 immediately',
'Audit locally running services for exposed WebSocket '
'interfaces',
'Implement strict rate-limiting for all interfaces, '
'including localhost',
'Monitor for unauthorized device registrations',
'Review ClawHub skills repository for malicious '
'extensions'],
'references': [{'source': 'Oasis Security'}],
'response': {'communication_strategy': 'Public disclosure, advisory to update '
'immediately',
'containment_measures': 'Patch released (version 2026.2.26)',
'remediation_measures': 'Tightened WebSocket security, added '
'protections against localhost '
'brute-forcing',
'third_party_assistance': 'Oasis Security (researchers)'},
'stakeholder_advisories': 'Organizations using OpenClaw advised to update '
'immediately to mitigate exploitation risks.',
'title': 'ClawJacked Vulnerability in OpenClaw AI Platform',
'type': 'Vulnerability Exploitation',
'vulnerability_exploited': 'ClawJacked (CVE not specified)'}