Full Report
Security researchers have disclosed a high-severity vulnerability dubbed "ClawJacked" in the popular AI agent OpenClaw that allowed a malicious website to silently bruteforce access to a locally running instance and take control over it. [...]
Analysis Summary
# Vulnerability: Silent Brute-Force Takeover of Local OpenClaw Instances via Malicious Websites
## CVE Details
- CVE ID: Not explicitly disclosed in the provided text. (Placeholder: CVE-2026-XXXXX)
- CVSS Score: High-severity (Specific score not provided, but context implies high)
- CWE: Likely related to Improper Access Control and/or Authentication Bypass (e.g., CWE-287, CWE-307)
## Affected Systems
- Products: OpenClaw AI agent
- Versions: Prior to 2026.2.26
- Configurations: Instances where the OpenClaw gateway service is running and bound to localhost (default configuration).
## Vulnerability Description
The vulnerability, dubbed "ClawJacked," stems from the OpenClaw gateway service exposing a WebSocket interface bound to `localhost` (127.0.0.1) by default. Browser cross-origin policies do **not** block WebSocket connections to `localhost`. This allows a malicious website visited by an authenticated OpenClaw user to silently open a connection to the local gateway via JavaScript.
Crucially, the default configuration exempts the loopback address (`127.0.0.1`) from rate-limiting protections. Researchers were able to brute-force the management password at hundreds of attempts per second without throttling or logging failures. Successful authentication allows the attacker to silently register as a trusted device (as localhost connections are automatically approved) and gain full administrative control over the local AI agent instance.
## Exploitation
- Status: PoC available (Demonstration shared by researchers)
- Complexity: Low (Exploitable via a single browser visit)
- Attack Vector: Network (User must visit a malicious website while the local application is running)
## Impact
- Confidentiality: High (Ability to leak credentials, read application logs, search messaging histories)
- Integrity: High (Ability to execute arbitrary shell commands on paired nodes, effectively leading to full workstation compromise)
- Availability: Low (No direct denial of service described, but core functionality could be disrupted by unauthorized commands)
## Remediation
### Patches
- Version **2026.2.26** or later. The fix tightens WebSocket security checks and implements protections to prevent abuse of localhost loopback connections for brute-forcing or unauthorized session establishment, even outside of rate-limited controls.
### Workarounds
- No specific vendor workarounds were detailed, but the implicit recommendation is to update immediately. If immediate patching is impossible, restricting network access to the machine hosting the vulnerable OpenClaw instance might offer temporary control.
## Detection
- **Indicators of Compromise:** Unexpected device pairings registered to the local instance; unusual outbound network activity from the AI agent instructing data exfiltration or command execution; evidence of high-frequency connection attempts targeting the local WebSocket port (if logging is active).
- **Detection Methods and Tools:** Monitoring local network traffic/connection logs for repeated, unthrottled connection attempts to the OpenClaw gateway on the loopback interface, particularly those originating from browser processes.
## References
- Vendor Advisory: OpenClaw (Fix released Feb 26, 2026)
- Research/PoC: Oasis Security Blog (Defanged URL: hXXps://www.oasis.security/blog/openclaw-vulnerability)