Security researchers at Oasis Security have disclosed a high‑severity vulnerability in the popular AI agent OpenClaw, dubbed ClawJacked, that allowed malicious websites to brute‑force access to locally running instances and silently take control.
What Happened
- Root cause: OpenClaw’s gateway service bound to localhost by default, exposing a WebSocket interface.
- Browser loophole: Cross‑origin policies don’t block WebSocket connections to localhost, enabling malicious sites to connect silently.
- Rate‑limit bypass: The loopback address (127.0.0.1) was exempt from throttling, allowing hundreds of password guesses per second.
- Automatic trust: Once authenticated, localhost device pairings were auto‑approved without user confirmation.
Impact
- Attackers could:
  - Dump credentials and list connected nodes.
  - Read application logs.
  - Search messaging histories for sensitive data.
  - Exfiltrate files or execute arbitrary shell commands.
- Full workstation compromise was possible — triggered simply by visiting a malicious website.
Why It Matters
- AI agent risk: OpenClaw’s popularity makes it a prime target for exploitation.
- Supply chain exposure: Threat actors have already abused the “ClawHub” skills repository to distribute malicious skills.
- Browser‑based attack vector: Users didn’t need to download malware — a single browser tab could trigger compromise.
The Fix
- Released in OpenClaw version 2026.2.26 (February 26).
- Tightened WebSocket security checks.
- Added protections against localhost brute‑force and auto‑approval abuse.
- Organizations are urged to update immediately.
Final Thought
ClawJacked highlights a critical lesson: localhost is not inherently safe. As AI agents like OpenClaw become central to workflows, attackers will exploit overlooked trust assumptions. For leaders, the takeaway is clear: treat AI platforms as high‑value assets, enforce strict authentication, and audit integrations continuously.