

Ethical Hacking News

ClawJacked Flaw Exposes Local AI Agents to Malicious Sites via WebSocket



A recently disclosed vulnerability exposes local AI agents to malicious websites via WebSocket, letting an attacker's page hijack control of the agent. OpenClaw has released a patch in version 2026.2.25, which users are advised to install promptly. With several further vulnerabilities also disclosed, organizations deploying self-hosted AI agent frameworks such as OpenClaw must make sure robust security controls are in place.

  • A security vulnerability, codenamed "ClawJacked," has been discovered in OpenClaw, a locally running artificial intelligence (AI) agent framework; it allows malicious websites to hijack and take control of local AI agents.
  • The vulnerability resides in the core system itself and requires no plugins or user-installed extensions to exploit, so even users who followed recommended security practices are affected.
  • A single JavaScript script on an attacker-controlled website can gain admin-level permissions and register as a trusted device, giving it access to sensitive information and potentially control of the entire system.
  • OpenClaw has released a patch in version 2026.2.25, shipped less than 24 hours after the flaw was discovered.
  • Microsoft advises treating OpenClaw as untrusted code execution with persistent credentials and deploying it only in fully isolated environments.
  • Multiple further vulnerabilities (CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, CVE-2026-26329) have been discovered in OpenClaw, including remote code execution, command injection, and authentication bypass.


    A recent security vulnerability has been discovered in OpenClaw, a locally running artificial intelligence (AI) agent framework. The flaw, codenamed "ClawJacked," allows malicious websites to hijack and take control of local AI agents connected via WebSocket.

    According to Oasis Security, the vulnerability resides in the core system itself, with no plugins, marketplace, or user-installed extensions required for exploitation. This means that even users who have followed proper security protocols can still fall victim to this attack.

    The threat model assumes a developer has OpenClaw set up and running on their laptop, with its gateway bound to localhost and protected by a password. Binding to localhost does not keep browsers out, however: the same-origin policy does not block a page from opening a WebSocket to a local port, so malicious JavaScript on an attacker-controlled website can connect to the local OpenClaw gateway, and only the gateway itself can refuse the connection. By brute-forcing the gateway password, the script gains admin-level permissions and stealthily registers as a trusted device, which the gateway auto-approves without any user prompt.

    Once the attacker has control over the AI agent, they can interact with it, dump configuration data, enumerate connected nodes, and read application logs. This essentially allows an attacker to gain access to sensitive information and potentially take control of the entire system.
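    The three controls that interrupt the chain just described, written up as an added example in Python. This is not OpenClaw's code and nothing in it is the project's real API; the class and method names (GatewayPolicy, Decision, handle_upgrade, and so on), the lockout thresholds and the sample passwords are all assumptions made for the illustration. The point it demonstrates is that a localhost gateway must itself (1) reject WebSocket upgrades that carry a browser Origin it has not allow-listed, since non-browser clients send none, (2) throttle and lock out password guessing per client, and (3) queue a new device for explicit user approval instead of auto-approving it.

```python
"""Added example, not OpenClaw's code: a policy layer for a localhost
agent gateway that accepts WebSocket clients.  It models the controls
that stop the attack chain in the article:
  1. Origin check  - browsers always send Origin on a WebSocket upgrade,
                     so a gateway meant for local tooling can refuse any
                     origin it has not allow-listed.
  2. Throttling    - failed passwords are counted per client and the
                     client is locked out, defeating in-page guessing.
  3. Pairing       - a new device is queued, never auto-approved.
All names here (GatewayPolicy, Decision, ...) are hypothetical."""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


@dataclass
class GatewayPolicy:
    password_hash: bytes                 # PBKDF2 of the gateway password
    salt: bytes
    allowed_origins: frozenset[str] = frozenset()   # normally empty
    max_failures: int = 5
    lockout_seconds: float = 300.0
    _failures: dict[str, int] = field(default_factory=dict)
    _locked_until: dict[str, float] = field(default_factory=dict)
    _pending_devices: set[str] = field(default_factory=set)
    _approved_devices: set[str] = field(default_factory=set)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    @classmethod
    def from_password(cls, password: str, **kwargs) -> GatewayPolicy:
        salt = secrets.token_bytes(16)
        return cls(password_hash=cls._derive(password, salt), salt=salt, **kwargs)

    def check_origin(self, origin: str | None) -> Decision:
        # No Origin header means a non-browser client (CLI, local tooling).
        if origin is None:
            return Decision(True, "no Origin header: non-browser client")
        if origin in self.allowed_origins:
            return Decision(True, "origin allow-listed")
        return Decision(False, f"cross-origin WebSocket rejected: {origin}")

    def authenticate(self, client_id: str, password: str,
                     now: float | None = None) -> Decision:
        now = time.monotonic() if now is None else now
        if self._locked_until.get(client_id, 0.0) > now:
            return Decision(False, "locked out after repeated failures")
        if hmac.compare_digest(self._derive(password, self.salt), self.password_hash):
            self._failures.pop(client_id, None)
            return Decision(True, "authenticated")
        failures = self._failures.get(client_id, 0) + 1
        if failures >= self.max_failures:
            self._failures.pop(client_id, None)
            self._locked_until[client_id] = now + self.lockout_seconds
            return Decision(False, "bad password; client locked out")
        self._failures[client_id] = failures
        return Decision(False, f"bad password ({failures}/{self.max_failures})")

    def request_pairing(self, device_id: str) -> Decision:
        # Never auto-approve: the device waits until the user approves it.
        if device_id in self._approved_devices:
            return Decision(True, "device approved")
        self._pending_devices.add(device_id)
        return Decision(False, "pairing pending user approval")

    def approve_device(self, device_id: str) -> None:
        # Invoked from the user's side (local CLI/UI), never over the socket.
        self._pending_devices.discard(device_id)
        self._approved_devices.add(device_id)

    def handle_upgrade(self, client_id: str, origin: str | None, password: str,
                       device_id: str, now: float | None = None) -> Decision:
        """Full handshake: origin check, then password, then device pairing."""
        origin_check = self.check_origin(origin)
        if not origin_check.accepted:
            return origin_check          # no password attempt is even counted
        auth = self.authenticate(client_id, password, now)
        if not auth.accepted:
            return auth
        return self.request_pairing(device_id)


if __name__ == "__main__":
    # Constructed walkthrough: a page from an arbitrary origin is refused
    # outright; a local CLI is held in the pairing queue until approved.
    policy = GatewayPolicy.from_password("correct horse battery")
    print(policy.handle_upgrade("tab-1", "https://site.example", "x", "dev"))
    print(policy.handle_upgrade("cli-1", None, "correct horse battery", "laptop"))
    policy.approve_device("laptop")
    print(policy.handle_upgrade("cli-1", None, "correct horse battery", "laptop"))
```

    The origin check runs before the password is even examined, so a cross-origin page never gets to spend guesses against the lockout budget; the lockout is keyed per client so one misbehaving browser tab cannot lock out the user's own CLI; and approval is a separate method that only the user's side calls, which is the property the auto-approval in the report lacked.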

    OpenClaw has since released a patch for this vulnerability in version 2026.2.25, shipped less than 24 hours after the flaw was discovered. Users are advised to apply the update as soon as possible and to periodically audit the access granted to AI agents.

    The security risks associated with self-hosted agent runtimes like OpenClaw have prompted Microsoft to issue an advisory, warning that unguarded deployment could pave the way for credential exposure/exfiltration, memory modification, and host compromise if the agent can be tricked into retrieving and running malicious code either through poisoned skills or prompt injections.

    "Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials," said the Microsoft Defender Security Research Team. "It is not appropriate to run on a standard personal or enterprise workstation."

    Instead, Microsoft advises organizations to deploy OpenClaw in fully isolated environments such as dedicated virtual machines or separate physical systems. The runtime should use dedicated, non-privileged credentials and access only non-sensitive data.

    Continuous monitoring and a rebuild plan should be part of the operating model, according to the advisory. This demonstrates the importance of treating self-hosted AI agent frameworks with caution and implementing robust security measures to mitigate potential risks.

    Furthermore, researchers have found multiple vulnerabilities (CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, CVE-2026-26329) in OpenClaw that could result in remote code execution, command injection, server-side request forgery (SSRF), authentication bypass, and path traversal. These vulnerabilities have been addressed in subsequent versions of the software.

    As AI agent frameworks become more prevalent in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI-specific attack surfaces, as noted by Endor Labs.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Claubjacked-Flaw-Exposes-Local-AI-Agents-to-Malicious-Sites-via-WebSocket-ehn.shtml

  • https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html

  • https://www.csoonline.com/article/4138431/your-personal-openclaw-agent-may-also-be-taking-orders-from-malicious-websites.html

  • https://nvd.nist.gov/vuln/detail/CVE-2026-25593

  • https://www.cvedetails.com/cve/CVE-2026-25593/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-24763

  • https://www.cvedetails.com/cve/CVE-2026-24763/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-25157

  • https://www.cvedetails.com/cve/CVE-2026-25157/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-25475

  • https://www.cvedetails.com/cve/CVE-2026-25475/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-26319

  • https://www.cvedetails.com/cve/CVE-2026-26319/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-26322

  • https://www.cvedetails.com/cve/CVE-2026-26322/

  • https://nvd.nist.gov/vuln/detail/CVE-2026-26329

  • https://www.cvedetails.com/cve/CVE-2026-26329/


  • Published: Sat Feb 28 14:10:20 2026 by llama3.2 3B Q4_K_M












