The **OpenClaw attack**, dubbed “ClawJacked”, allowed malicious websites to hijack OpenClaw and steal user data, highlighting a critical security vulnerability in the popular AI agent. Security researchers at Oasis Security discovered the issue and reported it to OpenClaw, prompting a swift response with a fix released in version 2026.2.26 on February 26.
OpenClaw has experienced a surge in popularity as a self-hosted AI platform. It enables AI agents to autonomously send messages, execute commands, and manage tasks across various platforms. The vulnerability allowed attackers to potentially access sensitive information and execute commands on connected devices.
Understanding the ClawJacked Vulnerability
According to Oasis Security, the vulnerability stems from the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface. This means that a malicious website visited by an OpenClaw user can exploit browser cross-origin policies. It can silently open a connection to the local gateway and attempt authentication without raising any alarms.
While OpenClaw includes rate limiting to prevent brute-force attacks, the loopback address (127.0.0.1) is exempt by default. This exemption, intended to prevent local CLI sessions from being mistakenly locked out, inadvertently created a significant security loophole.
“A human-chosen password doesn’t stand a chance.”
The researchers demonstrated that they could brute-force the OpenClaw management password at hundreds of attempts per second without triggering throttling or logging. Once the correct password is guessed, the attacker can register as a trusted device. The gateway automatically approves device pairings from localhost without requiring user confirmation.
Potential Impact of the OpenClaw Attack
With an authenticated session and admin permissions, an attacker gains direct access to the AI platform. This access allows them to dump credentials, list connected nodes, steal credentials, and read application logs. The **OpenClaw attack** could enable malicious actors to instruct the agent to search messaging histories for sensitive information, exfiltrate files from connected devices, or execute arbitrary shell commands on paired nodes. This effectively results in full workstation compromise triggered from a browser tab.
Oasis Security provided a compelling demonstration of this attack. It showcased how the vulnerability could be exploited to steal sensitive data. The rapid response from OpenClaw in addressing the issue underscores the severity of the threat.
Mitigation and Prevention
The fix released by OpenClaw tightens WebSocket security checks. It also adds additional protections to prevent attackers from abusing localhost loopback connections to brute-force logins or hijack sessions. These protections are in place even if those connections are configured to be exempt from rate limiting.
Organizations and developers running OpenClaw should immediately update to version 2026.2.26 or later to prevent their installations from being hijacked. It’s also crucial to practice strong password hygiene and be wary of suspicious websites.
Given OpenClaw’s increasing adoption, security researchers are actively identifying vulnerabilities and attacks targeting the platform. This includes instances of threat actors abusing the “ClawHub” OpenClaw skills repository to promote malicious skills. These skills can deploy infostealing malware or trick users into running malicious commands on their devices. See more related Fraudulents news.
The discovery of the **OpenClaw attack** and the rapid response to patch it highlights the ongoing need for vigilance in the face of evolving cyber threats. Prioritizing security updates and adopting robust security practices are crucial steps in mitigating the risks associated with AI-powered platforms like OpenClaw. The incident serves as a stark reminder of the potential consequences of vulnerabilities in widely used software and the importance of proactive security measures.




