https://www.oasis.security/blog/openclaw-vulnerability
OpenClaw has patched a high-severity security flaw, nicknamed ClawJacked, that could allow a malicious website to connect to and commandeer a locally running AI agent over WebSocket. The vulnerability, discovered by Oasis Security and disclosed in late February 2026, exploited weaknesses in the core OpenClaw gateway itself; no plugins, marketplace extensions, or user-installed components were required. The attack assumes a developer has OpenClaw running on their laptop with its gateway bound to localhost and protected by a password. It is triggered when the developer visits an attacker-controlled website, reached through social engineering or other means: malicious JavaScript on the page opens a WebSocket connection to the local OpenClaw gateway port and brute-forces the password, which is possible because the gateway applies no rate limiting to localhost connections.
Once the attacker authenticates with admin-level permissions, the script silently registers as a trusted device; the gateway auto-approves the registration without any user prompt because it relaxes its security checks for local connections. This grants complete control over the AI agent: the attacker can interact with it, dump configuration data, enumerate connected nodes, and read application logs. Oasis Security noted that browsers do not block cross-origin WebSocket connections to localhost, so any website can silently open connections to local services while the user remains unaware. This misplaced trust in localhost connections has serious consequences: the gateway normally requires user confirmation when a new device connects, but from localhost the pairing is automatic.
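As an added illustration (not OpenClaw's code and not its actual patch), the following is the kind of gateway-side gate that closes the two gaps described above: an Origin allowlist applied to the WebSocket handshake, and a failed-login throttle that treats 127.0.0.1 like any other client. The UI origin, the limits, and the injectable clock are assumptions made for the example.

```python
import hmac
import time
from collections import defaultdict

# Constructed defensive illustration, not OpenClaw's code; the UI origin is an
# assumed placeholder.
ALLOWED_ORIGINS = {"http://localhost:3000"}
MAX_FAILURES = 5        # failed password attempts tolerated per window
WINDOW_SECONDS = 60.0   # sliding window for counting failures

def should_accept_upgrade(headers):
    """Gate a WebSocket upgrade before authentication. `headers` uses
    lower-cased names. Browsers always send Origin on WebSocket handshakes,
    so a cross-site page cannot omit it; a handshake with no Origin is
    treated as a non-browser client and passed on to password auth."""
    origin = headers.get("origin")
    if origin is None:
        return True
    return origin in ALLOWED_ORIGINS

class AuthThrottle:
    """Sliding-window lockout keyed by client address; loopback is not exempt."""

    def __init__(self, now=time.monotonic):
        self._now = now              # injectable clock for testing
        self._failures = defaultdict(list)

    def is_blocked(self, remote_addr):
        now = self._now()
        recent = [t for t in self._failures[remote_addr] if now - t < WINDOW_SECONDS]
        self._failures[remote_addr] = recent
        return len(recent) >= MAX_FAILURES

    def record_failure(self, remote_addr):
        self._failures[remote_addr].append(self._now())

def check_password(throttle, remote_addr, supplied, expected):
    """True only if the client is not locked out and the password matches.
    127.0.0.1 goes through the same throttle as any other address, so a page
    reaching the gateway through the browser cannot guess without limit."""
    if throttle.is_blocked(remote_addr):
        return False
    if not hmac.compare_digest(supplied.encode(), expected.encode()):
        throttle.record_failure(remote_addr)
        return False
    return True
```

Device pairing would need the same treatment: a loopback source address should never substitute for the user confirmation prompt.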
OpenClaw released a fix within 24 hours, in version 2026.2.25 on 26 February 2026, following responsible disclosure.