Hackers Exploit OpenClaw Bug to Control AI Agent Cybersecurity experts have discovered a high-severity flaw named “ClawJacked” in the famous AI agent OpenClaw that allowed a malicious site bruteforce access silently to a locally running instance and take control.  Oasis Security found the issue and informed OpenClaw, a fix was then released in version 2026.2.26 on 26th February.  About OpenClaw OpenClaw is a self-hosted AI tool that became famous recently for allowing AI agents to autonomously execute commands, send texts, and handle tasks across multiple platforms. Oasis security said that the flaw is caused by the OpenClaw gateway service linking with the localhost and revealing a WebSocket interface.  Attack tactic  As cross-origin browser policies do not stop WebSocket connections to a localhost, a compromised website opened by an OpenClaw user can use Javascript to secretly open a connection to the local gateway and try verification without raising any alarms.  To stop attacks, OpenClaw includes rate limiting. But the loopback address (127.0.0.1) is excused by default. Therefore, local CLI sessions are not accidentally locked out.  OpenClaw brute-force to escape security  Experts discovered that they could brute-force the OpenClaw management password at hundreds of attempts per second without any failed attempts being logged. When the correct password is guessed, the hacker can silently register as a verified device, because the gateway autonomously allows device pairings from localhost without needing user info.  “In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human-chosen password doesn't stand a chance,” Oasis said.  The attacker can now directly interact with the AI platform by identifying connected nodes, stealing credentials, dumping credentials, and reading application logs with an authenticated session and admin access.  Attacker privileges According to Oasis, this might enable an attacker to give the agent instructions to perform arbitrary shell commands on paired nodes, exfiltrate files from linked devices, or scan chat history for important information. This would essentially result in a complete workstation compromise that is initiated from a browser tab.  Oasis provided an example of this attack, demonstrating how the OpenClaw vulnerability could be exploited to steal confidential information. The problem was resolved within a day of Oasis reporting it to OpenClaw, along with technical information and proof-of-concept code.

Hackers Exploit OpenClaw Bug to Control AI Agent #AI #ClawJacked #Data

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

👉 🎙️ buff.ly/x6gVIIw

@NetworkingNerd.net @DemitasseNZ.bsky.social @TechFieldDay.com @Microsoft.com #TFDRundown #AI #ITNews #Cybersecurity #Openclaw #Clawjacked

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

👉 🎙️ buff.ly/x6gVIIw

@NetworkingNerd.net @DemitasseNZ.bsky.social @TechFieldDay.com @Microsoft.com #TFDRundown #AI #ITNews #Cybersecurity #Openclaw #Clawjacked

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

👉 🎙️ buff.ly/x6gVIIw

@NetworkingNerd.net @DemitasseNZ.bsky.social @TechFieldDay.com @Microsoft.com #TFDRundown #AI #ITNews #Cybersecurity #Openclaw #Clawjacked

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

👉 🎙️ buff.ly/x6gVIIw

@NetworkingNerd.net @DemitasseNZ.bsky.social @TechFieldDay.com @Microsoft.com #TFDRundown #AI #ITNews #Cybersecurity #Openclaw #Clawjacked

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

👉 🎙️ buff.ly/x6gVIIw

@NetworkingNerd.net @DemitasseNZ.bsky.social @TechFieldDay.com @Microsoft.com #TFDRundown #AI #ITNews #Cybersecurity #Openclaw #Clawjacked

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

👉 🎙️ buff.ly/x6gVIIw

@NetworkingNerd.net @DemitasseNZ.bsky.social @TechFieldDay.com @Microsoft.com #TFDRundown #AI #ITNews #Cybersecurity #Openclaw #Clawjacked

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

👉 🎙️ buff.ly/x6gVIIw

@NetworkingNerd.net @DemitasseNZ.bsky.social @TechFieldDay.com @Microsoft.com #TFDRundown #AI #ITNews #Cybersecurity #Openclaw #Clawjacked

Tech Field Day News Rundown • A podcast on Spotify for Creators The Tech Field Day News Rundown is a weekly look at the IT news of the week. Hosted by Tom Hollingsworth, Alastair Cooke, and Stephen Foskett.

AI in Overdrive with Chips, Networks, and Robots | Tech Field Day News Rundown: March 4, 2026

👉 🎙️ buff.ly/x6gVIIw

@NetworkingNerd.net @DemitasseNZ.bsky.social @TechFieldDay.com @Microsoft.com #TFDRundown #AI #ITNews #Cybersecurity #Openclaw #Clawjacked

ClawJacked Flaw Exposes OpenClaw Users
Read More: buff.ly/bTWMCMG

#ClawJacked #OpenClaw #AIAgentSecurity #LocalAgentRisk #DataExfiltration #VulnerabilityAlert #PatchNow #DevSecurity

ClawJacked attack let malicious websites hijack OpenClaw to steal data Security researchers have disclosed a high-severity vulnerability dubbed "ClawJacked" in the popular AI agent OpenClaw that allowed a malicious website to silently bruteforce access to a locally running instance and take control over it. [...]

#ClawJacked attack let malicious websites hijack #OpenClaw to steal data

www.bleepingcomputer.com/news/security/clawjacked...

#cybersecurity #AI

ClawJack Allows Malicous Sites to Control Local OpenClaw AI Agents Peter Steinberger created OpenClaw, an AI tool that can be a personal assistant for developers. It immediately became famous and got 100,000 GitHub stars in a week. Even OpenAI founder Sam Altman was impressed, bringing Steinberger on board and calling him a “genius.” However, experts from Oasis Security said that the viral success had hidden threats. OpenClaw addressed a high-severity security threat that could have been exploited to allow a malicious site to link with a locally running AI agent and take control. According to the Oasis Security report, “Our vulnerability lives in the core system itself – no plugins, no marketplace, no user-installed extensions – just the bare OpenClaw gateway, running exactly as documented.”  ClawJack scare The threat was codenamed ClawJacked by the experts. CVE-2026-25253 could have become a severe vulnerability chain that would have allowed any site to hack a person’s AI agent. The vulnerability existed in the main gateway of the software. As OpenClaw is built to trust connections from the user’s system, it could have allowed hackers easy access.  Assuming the threat model On a developer's laptop, OpenClaw is installed and operational. Its gateway, a local WebSocket server, is password-protected and connected to localhost. When the developer visits a website that is controlled by the attacker via social engineering or another method, the attack begins. According to the Oasis Report, “Any website you visit can open one to your localhost. Unlike regular HTTP requests, the browser doesn't block these cross-origin connections. So while you're browsing any website, JavaScript running on that page can silently open a connection to your local OpenClaw gateway. The user sees nothing.” Stealthy Attack Tactic  The research revealed a smart trick using WebSockets. Generally, your browser is active at preventing different websites from meddling with your local files. But WebSockets are an exception as they are built to stay “always-on” to send data simultaneously.  The OpenClaw gateway assumed that the connection must be safe because it comes from the user's own computer (localhost). But it is dangerous because if a developer running OpenClaw mistakenly visits a malicious website, a hidden script installed in the webpage can connect via WebSocket and interact directly with the AI tool in the background. The user will be clueless.

ClawJack Allows Malicous Sites to Control Local OpenClaw AI Agents #AI #ClawJacked #OpenAI

ClawJacked Vulnerability in OpenClaw Could Let Websites Hijack AI Agents Follow us on all social media @Hackread

A critical vulnerability in OpenClaw, dubbed #ClawJacked, could let malicious websites hijack AI agents running on a developer’s machine via a simple browser tab.

#CyberSecurity #AI #OpenClaw #Vulnerability #infosec

Read: hackread.com/openclaw-vul...