ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket

https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html

Publish Date: 2026-02-28 12:21:00

Source Domain: thehackernews.com

OpenClaw has fixed a high-severity security issue that, if successfully exploited, could have allowed a malicious website to connect to a locally running artificial intelligence (AI) agent and take over control.

“Our vulnerability lives in the core system itself – no plugins, no marketplace, no user-installed extensions – just the bare OpenClaw gateway, running exactly as documented,” Oasis Security said in a report published this week.

The flaw has been codenamed ClawJacked by the cybersecurity company.

The attack assumes the following threat model: A developer has OpenClaw set up and running on their laptop, with its gateway, a local WebSocket server, bound to localhost and protected by a password. The attack kicks in when the developer lands on an attacker-controlled website through social engineering or some other means.

The infection sequence then follows the steps below –

  • Malicious JavaScript on the web page opens a WebSocket connection to localhost on the OpenClaw gateway port.
  • The script brute-forces the gateway password by taking advantage of a missing rate-limiting mechanism.
  • After authenticating successfully with admin-level permissions, the script stealthily registers as a trusted device, which the gateway auto-approves without any user prompt.
  • The attacker gains complete control over the AI agent, allowing them to interact with it, dump configuration data, enumerate connected nodes, and read application logs.

“Any website you visit can open one to your localhost. Unlike regular HTTP requests, the browser doesn’t block these cross-origin connections,” Oasis Security said. “So while you’re browsing any website, JavaScript running on that page can silently open a connection to your local OpenClaw gateway. The user sees nothing.”
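The two gaps described above, cross-origin WebSocket handshakes reaching localhost and unlimited password guesses, can both be closed on the server side. The sketch below is an added example, not OpenClaw's code or its actual fix; every name in it (`originAllowed`, `AuthThrottle`, `handleAuth`, the allowed origin, the thresholds) is a hypothetical chosen for illustration.

```javascript
// Added example: hypothetical guard for a local WebSocket gateway (not OpenClaw code).
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:3000"]); // assumed UI origin (constructed)
const MAX_FAILURES = 5;           // failed logins tolerated per window
const WINDOW_MS = 60 * 1000;      // sliding window for counting failures
const LOCKOUT_MS = 5 * 60 * 1000; // lockout applied once the limit is hit

// Browsers do not block cross-origin WebSocket connections, but they always send
// an Origin header on the handshake, so the server has to do the rejecting.
function originAllowed(originHeader) {
  // Non-browser clients (CLI tools) send no Origin; they still must authenticate.
  if (originHeader === undefined) return true;
  return ALLOWED_ORIGINS.has(originHeader);
}

class AuthThrottle {
  constructor() {
    this.state = new Map(); // remote address -> { failures: [timestamps], lockedUntil }
  }
  // Loopback addresses get no exemption: the lockout is shared by all local clients.
  isAllowed(key, now) {
    const s = this.state.get(key);
    return !(s && s.lockedUntil > now);
  }
  recordFailure(key, now) {
    const s = this.state.get(key) ?? { failures: [], lockedUntil: 0 };
    s.failures = s.failures.filter((t) => now - t < WINDOW_MS);
    s.failures.push(now);
    if (s.failures.length >= MAX_FAILURES) {
      s.lockedUntil = now + LOCKOUT_MS;
      s.failures = [];
    }
    this.state.set(key, s);
  }
  recordSuccess(key) {
    this.state.delete(key);
  }
}

// req is a plain object the caller fills from the handshake and the auth message.
function handleAuth(throttle, req, checkPassword, now = Date.now()) {
  if (!originAllowed(req.origin)) return "rejected:origin";
  if (!throttle.isAllowed(req.remoteAddress, now)) return "rejected:locked";
  if (!checkPassword(req.password)) {
    throttle.recordFailure(req.remoteAddress, now);
    return "rejected:password";
  }
  throttle.recordSuccess(req.remoteAddress);
  return "accepted";
}
```

In a real gateway `checkPassword` should use a constant-time comparison, and a rejected origin should fail the handshake before any authentication message is read.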

“That misplaced trust has real consequences. The gateway relaxes several security mechanisms for local connections – including silently approving new device registrations without prompting the user. Normally, when…
