
Ethical Hacking News

OpenClaw AI Agent Framework Vulnerable to High-Severity ClawJacked Attack, Leaving Users Open to Data Theft



A critical vulnerability in the OpenClaw AI agent framework has been discovered, leaving users exposed to data theft and potential full workstation compromise initiated from a simple browser visit. The "ClawJacked" attack allows malicious websites to brute-force and take control of local AI agent instances, highlighting the need for robust governance around AI agents and strict policy controls.

  • A high-severity vulnerability, dubbed "ClawJacked," has been discovered in the open-source AI agent framework OpenClaw.
  • The vulnerability allows malicious websites to brute-force and take control of local AI agent instances, potentially enabling silent data theft.
  • The flaw exploits a critical security weakness in OpenClaw's design, which assumes local traffic is trusted and exempt from rate limiting.
  • With authenticated access, attackers gain admin-level control, allowing them to interact directly with the AI agent, extract configuration details, and potentially execute commands on linked devices.
  • OpenClaw has released a patch in version 2026.2.26 to address the ClawJacked vulnerability.



    A high-severity vulnerability has been discovered in the popular open-source AI agent framework, OpenClaw. The issue, dubbed "ClawJacked," allows malicious websites to brute-force and take control of local AI agent instances, potentially enabling silent data theft.



    Researchers from Oasis Security recently uncovered the flaw, which exploits a critical security weakness in OpenClaw's design. According to the report, the framework's local WebSocket gateway acts as the system's brain, handling authentication, chat sessions, configuration, and coordination of the AI agent. Connected "nodes" (such as a macOS app, iOS device, or other machines) register with the gateway and can execute system commands or access device features.



    This design creates a critical security weakness: the gateway binds to localhost and assumes local traffic is trusted, effectively exempting it from rate limiting. This allows attackers to brute-force the password at hundreds of guesses per second without triggering alerts. Once the password is guessed, the malicious script can automatically register as a trusted device, since local pairings require no user confirmation.



    With authenticated access, attackers gain admin-level control, enabling them to interact directly with the AI agent, extract configuration details, read logs, enumerate connected nodes, and potentially execute commands on linked devices. In practice, this means full workstation compromise initiated from a simple browser visit, without any visible warning to the user.



    The attack chain works as follows:
    - The victim visits any attacker-controlled (or compromised) website in their normal browser.
    - JavaScript on the page opens a WebSocket connection to localhost on the OpenClaw gateway port (permitted because WebSocket connections to localhost are not blocked by cross-origin policies).
    - The script brute-forces the gateway password at hundreds of attempts per second. The gateway's rate limiter exempts localhost connections entirely.
    - Once authenticated, the script silently registers as a trusted device. The gateway auto-approves device pairings from localhost with no user prompt.
    - The attacker then has full control. They can interact with the AI agent, dump configuration data, enumerate connected devices, and read logs.
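    As an added illustration that is not OpenClaw's code, the following models the two authentication policies the chain above hinges on: the weak one (localhost exempt from the rate limiter, pairings auto-approved) beside a hardened one that refuses WebSocket handshakes from untrusted browser origins, rate-limits every client regardless of address, and requires user confirmation before pairing. The function names, limits and trusted origin are assumptions.

```javascript
// Added illustration, not OpenClaw's code: a model of the gateway's WebSocket
// auth policy. weakAuth mirrors what the article describes (localhost skips the
// limiter, pairings auto-approve); hardenedAuth is the defensive alternative.
// Names, limits and the trusted origin are assumptions.
const WINDOW_MS = 60_000;                                    // rate-limit window
const MAX_FAILURES = 5;                                      // wrong guesses per window
const ALLOWED_ORIGINS = new Set(["app://openclaw-desktop"]); // hypothetical trusted origin
function newState() { return { failures: [] }; }             // per-client state
function overLimit(state, now) {
  state.failures = state.failures.filter(t => now - t < WINDOW_MS);
  return state.failures.length >= MAX_FAILURES;
}
// Weak policy: 127.0.0.1 bypasses the limiter and pairs with no confirmation.
function weakAuth(state, req, now, password) {
  if (req.remote !== "127.0.0.1" && overLimit(state, now)) {
    return { ok: false, reason: "rate-limited" };
  }
  if (req.password !== password) {
    state.failures.push(now);
    return { ok: false, reason: "bad-password" };
  }
  return { ok: true, reason: "authenticated" };              // pairing auto-approved
}
// Hardened policy: handshakes with an untrusted browser Origin are refused, the
// limiter applies to every address, and pairing needs explicit user confirmation.
function hardenedAuth(state, req, now, password, userConfirms) {
  if (req.origin !== undefined && !ALLOWED_ORIGINS.has(req.origin)) {
    return { ok: false, reason: "origin-rejected" };
  }
  if (overLimit(state, now)) return { ok: false, reason: "rate-limited" };
  if (req.password !== password) {
    state.failures.push(now);
    return { ok: false, reason: "bad-password" };
  }
  if (!userConfirms()) return { ok: false, reason: "pairing-declined" };
  return { ok: true, reason: "authenticated" };
}
// Replay a burst of wrong guesses from a local client (constructed input) and
// count how many reached the password comparison under the given policy.
function guessesChecked(policy, attempts) {
  const state = newState();
  let checked = 0;
  for (let i = 0; i < attempts; i++) {
    const req = { remote: "127.0.0.1", origin: undefined, password: `guess${i}` };
    if (policy(state, req, i * 10, "s3cret", () => true).reason === "bad-password") checked++;
  }
  return checked;
}
```

    Running guessesChecked with 200 attempts shows every guess reaching the password check under weakAuth, while hardenedAuth stops after MAX_FAILURES and a browser-originated handshake never gets that far.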



    Below is a video PoC of the attack:

    The ClawJacked flaw exposed OpenClaw users to data theft

    OpenClaw is an open-source AI agent framework that lets developers run autonomous AI assistants locally. It connects large language models to tools, browsers, and system resources, enabling task automation such as web interaction, data processing, and workflow execution on a user's machine.



    OpenClaw is built around a local WebSocket gateway that acts as the system's brain, handling authentication, chat sessions, configuration, and coordination of the AI agent. Connected "nodes" (such as a macOS app, iOS device, or other machines) register with the gateway and can execute system commands or access device features.



    The gateway binds to localhost and assumes local traffic is trusted, effectively exempting it from rate limiting. This allows attackers to brute-force the password at hundreds of guesses per second without triggering alerts. Once the password is guessed, the malicious script can automatically register as a trusted device, since local pairings require no user confirmation.




    A developer running OpenClaw on their laptop, with the gateway bound to localhost, protected by a password, is at risk of falling victim to such an attack. All it takes for an attacker to hijack the local AI agent instance is visiting an attacker-controlled website in their normal browser.




    To protect users, OpenClaw has released a patch in version 2026.2.26, addressing the ClawJacked vulnerability. Organisations are urged to identify AI tools running on developer machines and audit what permissions and credentials their AI agents hold, limiting access to only what is necessary.



    Experts stress the need for governance around AI agents as non-human identities, since they can authenticate, store credentials, and act autonomously, requiring strict policy controls, monitored access, and full audit trails – just like human users or service accounts.




    Related Information:
  • https://www.ethicalhackingnews.com/articles/OpenClaw-AI-Agent-Framework-Vulnerable-to-High-Severity-ClawJacked-Attack-Leaving-Users-Open-to-Data-Theft-ehn.shtml

  • https://securityaffairs.com/188749/hacking/clawjacked-flaw-exposed-openclaw-users-to-data-theft.html


  • Published: Mon Mar 2 05:21:05 2026 by llama3.2 3B Q4_K_M
