ClawJacked flaw lets malicious sites hijack OpenClaw, steal data

A vulnerability named ClawJacked lets malicious websites hijack the OpenClaw AI platform.

The flaw enables attackers to brute‑force the local gateway password from a browser, gain admin control, and exfiltrate data, raising severe risk for enterprises using OpenClaw.

Oasis Security discovered the issue and reported it to OpenClaw. OpenClaw released a patch in version 2026.2.26 on February 26.

The OpenClaw gateway binds to localhost and exposes a WebSocket interface. Browser cross‑origin policies do not block WebSocket connections to localhost, allowing a visited site to open a connection silently.

OpenClaw exempts the loopback address from rate limiting. The gateway accepts unlimited authentication attempts from local JavaScript.

The gateway does not log failed authentication attempts from localhost. This omission prevents operators from detecting brute‑force activity. “In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone,” said Oasis.

“At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human‑chosen password doesn’t stand a chance,” said Oasis.

After a successful login, the attacker can register as a trusted device without user confirmation. The gateway automatically approves device pairings from the loopback address.

Once paired, the attacker can dump credentials, list connected nodes, read logs, and execute shell commands on paired devices. Such actions can expose messaging histories, steal files, and compromise workstations from a single browser tab.

Oasis published a proof‑of‑concept video that shows data theft via the OpenClaw vulnerability. The patch tightens WebSocket security checks and re‑enables rate limiting for localhost connections. The fix adds additional protections to prevent attackers from abusing localhost loopback connections to brute‑force logins or hijack sessions.
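The mechanics described above (a browser-reachable loopback WebSocket, loopback exempt from throttling and failure logging, and automatic pairing approval from loopback) and the kind of hardening the patch description points at can be made concrete in a small policy model. The following is an added example written for this article, not OpenClaw's code or Oasis's proof of concept; the class, options, thresholds, addresses and the allowed origin are all assumptions. It builds the same gateway policy twice, once configured the weak way and once hardened, and counts how many wrong-password attempts from loopback each one actually evaluates and logs.

```javascript
// Added illustration, not OpenClaw's code: a minimal authorization policy for a
// localhost-bound WebSocket gateway, configured once the weak way the article
// describes and once hardened. Class, method and option names, thresholds and
// the sample addresses/origins are assumptions made for this example.

const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

class GatewayPolicy {
  constructor({ exemptLoopback, checkOrigin, allowedOrigins, maxFailures, windowMs, log }) {
    this.exemptLoopback = exemptLoopback; // weak: loopback skips throttling, logging, pairing prompts
    this.checkOrigin = checkOrigin;       // hardened: validate the Origin header on upgrade
    this.allowedOrigins = new Set(allowedOrigins);
    this.maxFailures = maxFailures;       // failures tolerated per source within windowMs
    this.windowMs = windowMs;
    this.log = log;
    this.failures = new Map();            // remoteAddr -> timestamps of recent failures
  }

  // WebSocket upgrade. Browsers always send Origin, so a page served by another
  // site arrives with an Origin that is not on the allowlist and is refused.
  handshake({ origin, remoteAddr }) {
    if (!this.checkOrigin || origin === undefined || this.allowedOrigins.has(origin)) {
      return { ok: true };
    }
    this.log(`handshake refused from ${remoteAddr}: origin ${origin} not allowed`);
    return { ok: false, reason: "origin not allowed" };
  }

  // Returns (and stores) the failures for this source that are still inside the window.
  recentFailures(remoteAddr, now) {
    const recent = (this.failures.get(remoteAddr) || []).filter((t) => now - t < this.windowMs);
    this.failures.set(remoteAddr, recent);
    return recent;
  }

  // Password check; `credentialOk` stands in for the real constant-time comparison.
  authenticate({ remoteAddr, credentialOk, now }) {
    const exempt = this.exemptLoopback && LOOPBACK.has(remoteAddr);
    if (!exempt && this.recentFailures(remoteAddr, now).length >= this.maxFailures) {
      this.log(`auth throttled for ${remoteAddr}`);
      return { ok: false, reason: "rate limited" };
    }
    if (credentialOk) {
      this.failures.delete(remoteAddr);
      return { ok: true };
    }
    if (!exempt) {
      // Record and log the failure so an operator can see guessing activity.
      this.recentFailures(remoteAddr, now).push(now);
      this.log(`auth failed for ${remoteAddr}`);
    }
    return { ok: false, reason: "bad credentials" };
  }

  // Device pairing: the weak policy auto-approves from loopback; the hardened
  // policy needs an explicit user confirmation regardless of the source address.
  approvePairing({ remoteAddr, userConfirmed }) {
    if (this.exemptLoopback && LOOPBACK.has(remoteAddr)) return true;
    return userConfirmed === true;
  }
}

// Build both configurations with log collectors so the results can be inspected.
function makePolicies() {
  const weakLog = [];
  const hardLog = [];
  const weak = new GatewayPolicy({
    exemptLoopback: true, checkOrigin: false, allowedOrigins: [],
    maxFailures: 5, windowMs: 60_000, log: (m) => weakLog.push(m),
  });
  const hardened = new GatewayPolicy({
    exemptLoopback: false, checkOrigin: true,
    allowedOrigins: ["http://127.0.0.1:18789"], // constructed: the gateway's own UI origin
    maxFailures: 5, windowMs: 60_000, log: (m) => hardLog.push(m),
  });
  return { weak, hardened, weakLog, hardLog };
}

// Feed `attempts` wrong passwords from loopback and count how many were actually checked.
function simulateGuessing(policy, attempts) {
  let evaluated = 0;
  let throttled = 0;
  for (let i = 0; i < attempts; i++) {
    const r = policy.authenticate({ remoteAddr: "127.0.0.1", credentialOk: false, now: 1_000 + i });
    if (r.reason === "rate limited") throttled++;
    else evaluated++;
  }
  return { evaluated, throttled };
}

const demo = makePolicies();
console.log("weak:", simulateGuessing(demo.weak, 50), "logged:", demo.weakLog.length);
console.log("hardened:", simulateGuessing(demo.hardened, 50), "logged:", demo.hardLog.length);
```

With the weak configuration all 50 guesses are evaluated and nothing is logged, which is the blind spot the article describes; with the hardened one only the first five are evaluated, the rest are throttled, every attempt leaves a log line, a foreign Origin is refused at the upgrade, and pairing from loopback still waits for the user. The Origin check matters because it is the one signal that distinguishes a browser tab from a local client even when both connect from 127.0.0.1.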

OpenClaw recommends that users update to version 2026.2.26 or later immediately.

OpenClaw addressed the flaw within 24 hours of disclosure. The rapid response limited exposure for affected installations. Organizations running OpenClaw should apply the update without delay to prevent hijacking. Oasis Security classified the vulnerability as high severity.

The rating reflects the potential for full system compromise. OpenClaw’s popularity stems from its self‑hosted design and support for multi‑platform task automation.

The platform’s flexibility has driven rapid adoption among developers and enterprises. OpenClaw is a self‑hosted AI platform that allows agents to send messages, execute commands, and manage tasks across multiple services.
