Date: 2026-03-02

Security researchers have disclosed a high-severity vulnerability dubbed “ClawJacked” in the widely used AI agent platform OpenClaw, which allowed malicious websites to silently brute-force their way into a locally running instance and seize full control, stealing credentials, executing commands, and exfiltrating files, all triggered from a single browser tab.

The vulnerability was discovered by Oasis Security, who reported it to OpenClaw developers. A patch was released in version 2026.2.26, within 24 hours of disclosure.

What Is OpenClaw?

OpenClaw is a self-hosted AI platform that has surged in popularity for enabling AI agents to autonomously send messages, execute commands, and manage tasks across multiple platforms. Its widespread adoption has made it an increasingly attractive target for security researchers and threat actors alike.

How the Attack Worked

The vulnerability stemmed from the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface. Critically, browser cross-origin policies, which normally prevent websites from making unauthorised connections, do not block WebSocket connections to localhost. This meant any malicious website visited by an OpenClaw user could use JavaScript to silently open a connection to the local gateway and attempt authentication without triggering any warnings whatsoever.

OpenClaw does include rate limiting to prevent brute-force attacks, but the loopback address (127.0.0.1) was exempt by default to avoid local command-line sessions being mistakenly locked out. Attackers exploited this exemption to devastating effect.

In lab testing, Oasis researchers achieved a sustained rate of hundreds of password guesses per second using browser JavaScript alone. At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would fall in minutes. As Oasis put it plainly: a human-chosen password had no chance of surviving the assault.

Silent Takeover

Once the correct password was guessed, the attacker could silently register as a trusted device. The gateway automatically approved device pairings from localhost without requiring any user confirmation, meaning the compromise completed itself with zero visible footprint.

With an authenticated session and administrator permissions, an attacker could then interact directly with the AI platform: dumping credentials, listing connected nodes, reading application logs, instructing the agent to search messaging histories for sensitive data, exfiltrating files from connected devices, and executing arbitrary shell commands on paired nodes. The end result was effectively a full workstation compromise, initiated entirely from a browser tab.

Oasis shared a working demonstration of the attack, showing the complete chain from initial brute force to data exfiltration.

Fix and Response

Oasis reported the issue to OpenClaw along with technical details and proof-of-concept code. The fix arrived within 24 hours of disclosure. Version 2026.2.26 tightens WebSocket security checks and adds protections to prevent attackers from abusing localhost loopback connections to brute-force logins or hijack sessions, even when those connections are configured to be exempt from rate limiting.

All organisations and developers running OpenClaw are urged to update to version 2026.2.26 or later immediately.
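For teams that expose their own localhost WebSocket services, the two weaknesses described above (no check on which web page opened the connection, and no failed-login limit for 127.0.0.1) map to two generic gateway-side controls. The sketch below is an added example, not OpenClaw's code or its actual patch; `createGate`, `admit`, `recordAuth`, the allowlisted origin and the limits are all assumptions chosen for illustration.

```javascript
// Added illustration, not OpenClaw code. Names, origins and limits are assumptions.
function createGate({ allowedOrigins, maxFailures = 5, lockMs = 60000, now = Date.now }) {
  const failures = new Map(); // key -> { count, lockedUntil }
  // Browsers always send Origin on a WebSocket handshake; a local CLI normally
  // does not. An Origin that is present must be explicitly allowlisted.
  function originAllowed(headers) {
    const origin = headers.origin;
    return origin === undefined || allowedOrigins.has(origin);
  }

  // Key on address + origin. Loopback gets no exemption, because a browser
  // tab on the same machine also connects from 127.0.0.1.
  const keyOf = (req) => `${req.remoteAddress}|${req.headers.origin ?? "-"}`;

  // Run at the HTTP upgrade, before any password is examined.
  function admit(req) {
    if (!originAllowed(req.headers)) return { ok: false, status: 403, reason: "origin" };
    const entry = failures.get(keyOf(req));
    if (entry && entry.lockedUntil > now()) return { ok: false, status: 429, reason: "locked" };
    return { ok: true };
  }

  // Run after every authentication attempt on an admitted connection.
  function recordAuth(req, success) {
    const key = keyOf(req);
    if (success) { failures.delete(key); return; }
    const entry = failures.get(key) ?? { count: 0, lockedUntil: 0 };
    entry.count += 1;
    if (entry.count >= maxFailures) { entry.lockedUntil = now() + lockMs; entry.count = 0; }
    failures.set(key, entry);
  }

  return { admit, recordAuth };
}

// Constructed sample requests (not captured traffic).
function demo() {
  let clock = 0; // injected clock so the lockout can be shown without waiting
  const gate = createGate({ allowedOrigins: new Set(["http://localhost:3000"]), now: () => clock });
  const tab = { remoteAddress: "127.0.0.1", headers: { origin: "https://untrusted.example" } };
  const cli = { remoteAddress: "127.0.0.1", headers: {} };
  const results = { tab: gate.admit(tab).reason };       // foreign page: refused at handshake
  for (let i = 0; i < 5; i++) gate.recordAuth(cli, false);
  results.cliAfterFive = gate.admit(cli).reason;         // loopback client is still locked out
  clock = 60001;
  results.cliAfterLock = gate.admit(cli).ok;             // lock expires after lockMs
  return results;
}
console.log(demo());
```

The Origin check stops browser-originated connections from other sites, and the lockout bounds guessing by any local client that omits the header.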

A Growing Target

ClawJacked is not the only threat facing OpenClaw users. Threat actors have also been exploiting the platform’s “ClawHub” skills repository, a marketplace for community-built OpenClaw extensions, to promote malicious skills that deploy information-stealing malware or trick users into running harmful commands on their devices.

As OpenClaw’s popularity continues to grow, so does the scrutiny it attracts. Security researchers warn that self-hosted AI platforms represent an expanding attack surface that demands the same rigorous security standards applied to any internet-facing infrastructure.