Current Cyber Threats

ClawJacked Attack Let Malicious Websites Hijack OpenClaw to Steal Data

Summary:
Security researchers at Oasis Security recently disclosed a critical vulnerability chain in OpenClaw, an increasingly popular open-source autonomous AI agent framework, codenamed “ClawJacked.” The flaw resides in the core OpenClaw gateway and allows a malicious website to silently hijack a locally running AI agent without any user interaction. The attack leverages the fact that the OpenClaw gateway binds to a local WebSocket server on localhost and, by default, exempts local connections from rate-limiting and certain authentication prompts. When a user visits a compromised or malicious website, background JavaScript can initiate a WebSocket connection to the local gateway, brute-force the password at hundreds of attempts per second, and register the attacker’s script as a "trusted device." Once authenticated, the attacker gains full operator-level access, enabling them to execute arbitrary terminal commands, exfiltrate sensitive API keys, read private logs, and manipulate the AI agent’s decision-making processes.
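The two design decisions the summary describes, exempting loopback connections from rate-limiting and accepting a WebSocket handshake from any web page, are what turn a visit to a web page into a password-guessing session against the local gateway. The following is an added illustration of the defensive side, written for this page and not taken from OpenClaw or from Oasis Security. It models a local gateway's authentication policy as a small Python class with two controls: browser-originated handshakes (those carrying an Origin header) are refused unless the origin is explicitly allowed, and failed attempts are counted per client and trigger a lockout that applies to 127.0.0.1 like any other address. The class and constant names, the lockout thresholds and the client identities are hypothetical.

```python
"""Added example: a localhost-aware auth policy for a local agent gateway.

Hypothetical names and values (not OpenClaw's code): LocalGatewayAuth,
MAX_ATTEMPTS, LOCKOUT_SECONDS, the sample password and the constructed
client identities used in the demo at the bottom.
"""
import hmac
import time
from dataclasses import dataclass, field

MAX_ATTEMPTS = 5        # failed guesses before a client is locked out
LOCKOUT_SECONDS = 300   # how long the lockout lasts


@dataclass
class _ClientState:
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class LocalGatewayAuth:
    """Authentication policy that treats loopback clients like any other.

    Two controls close the path described in the advisory:
      * Origin check: a browser always sends an Origin header on a WebSocket
        handshake. Unless that origin is explicitly allowed, refuse the
        connection before looking at any credential.
      * Lockout keyed by client identity, applied to 127.0.0.1 as well, so a
        script cannot try hundreds of passwords per second.
    """
    password: str
    allowed_origins: frozenset = frozenset()
    _clients: dict = field(default_factory=dict)

    def origin_allowed(self, origin):
        # Native clients (CLI, desktop app) send no Origin; browsers always do.
        if origin is None:
            return True
        return origin in self.allowed_origins

    def authenticate(self, client_id, origin, password, now=None):
        """Return one of: 'ok', 'bad_origin', 'locked', 'bad_password'."""
        now = time.monotonic() if now is None else now
        if not self.origin_allowed(origin):
            return "bad_origin"
        state = self._clients.setdefault(client_id, _ClientState())
        if now < state.locked_until:
            return "locked"  # refused even if this guess happens to be right
        # Constant-time comparison; a plain == would leak timing information.
        if hmac.compare_digest(password.encode(), self.password.encode()):
            state.failures = 0
            return "ok"
        state.failures += 1
        if state.failures >= MAX_ATTEMPTS:
            state.failures = 0
            state.locked_until = now + LOCKOUT_SECONDS
        return "bad_password"


def simulate_guess_burst(policy, client_id, origin, guesses, real_password, start=0.0):
    """Replay a burst of guesses at one time instant and summarise the outcome.

    All guesses share the same timestamp, which models a script firing many
    attempts per second: it is the lockout, not the clock, that stops them.
    The final entry records what happens when the real password is offered
    after the burst.
    """
    results = {"bad_origin": 0, "locked": 0, "bad_password": 0, "ok": 0}
    for guess in guesses:
        results[policy.authenticate(client_id, origin, guess, now=start)] += 1
    results["final_with_real_password"] = policy.authenticate(
        client_id, origin, real_password, now=start)
    return results


if __name__ == "__main__":
    # Constructed demo: a page-hosted script on loopback vs. a native client.
    secret = "correct-horse-battery"
    gw = LocalGatewayAuth(password=secret)
    guesses = [f"guess{i}" for i in range(50)]
    print("browser script:", simulate_guess_burst(
        gw, "127.0.0.1:50000", "https://attacker.example", guesses, secret))
    print("native client: ", simulate_guess_burst(
        gw, "127.0.0.1:50001", None, guesses, secret))
    print("after lockout: ", gw.authenticate(
        "127.0.0.1:50001", None, secret, now=LOCKOUT_SECONDS + 1))
```

The Origin check alone stops the scenario in the summary, because a page's JavaScript cannot suppress or forge the Origin header; the lockout is defence in depth for any client that can reach the socket without a browser in the way.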


Security Officer Comments:
This vulnerability represents a significant "shadow AI" risk that directly impacts organizations across all sectors. Many developers and power users have begun deploying agentic AI tools like OpenClaw on their local workstations to automate complex workflows, often without formal IT approval or security review. Because these agents are designed to be highly empowered—holding persistent credentials for SaaS platforms and having the ability to execute shell commands—they effectively become "super-users" on the host machine. The "ClawJacked" flaw demonstrates that the traditional security boundary of localhost is insufficient when an application trusts local traffic implicitly. For our members, this means that a single employee browsing the web while an unpatched OpenClaw instance is running in the background could inadvertently grant a remote actor full access to their workstation and any connected corporate cloud environments. This is particularly concerning given the rise of "non-human identity" (NHI) risks, where the credentials stored by the AI agent lack the MFA and governance controls typically applied to human users.


Suggested Corrections:
The rapid adoption of tools like OpenClaw means many organizations already have instances running on developer machines, often without IT's knowledge. Here is what Oasis Security recommends:

1. Gain visibility into AI tooling. You can't secure what you can't see. Inventory which AI agents and assistants are running across your developer fleet. OpenClaw instances, local LLM servers, and similar tools represent a growing blind spot.

2. If OpenClaw is installed, update immediately. The fix for this vulnerability is included in version 2026.2.25 and later. Ensure all instances are updated - treat this with the same urgency as any critical security patch.

3. Review the access granted to AI agents. OpenClaw agents can hold API keys for AI providers, connect to messaging platforms, and execute system commands on connected devices. Audit what credentials and capabilities each instance has been granted, and revoke anything that isn't actively needed.

4. Establish governance for non-human identities. AI agents are a new class of identity in your organization - they authenticate, hold credentials, and take autonomous actions. They need to be governed with the same rigor as human users and service accounts. This means intent analysis (understanding what an agent action is trying to do before it happens), policy enforcement (deterministic guardrails that block dangerous actions and require human approval for sensitive operations), just-in-time access (short-lived, per-session, scoped only to the required task), and a full audit trail from human to agent to action to result. This is the problem that Oasis Security's Agentic Access Management platform was purpose-built to solve.
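Step 1 above, inventorying which agents are listening on developer machines, is the part most teams can start on today with data they already have. The following is an added example, not Oasis Security's or OpenClaw's tooling: it parses the text of `ss -ltnp` (the Linux listening-socket listing) and reports loopback listeners that are not on an approved baseline, which is exactly the class of process the summary is about. The sample output, the process names, the ports and the baseline are all constructed for illustration.

```python
"""Added example: flag loopback listeners that are not on an approved list.

Input is the text of `ss -ltnp` on Linux. The SAMPLE_SS_OUTPUT below is a
constructed sample; the processes and ports in it are hypothetical.
"""
import re

# Constructed sample of `ss -ltnp` output. The column layout is the real one;
# the processes and ports are invented for this example.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*         users:(("cupsd",pid=812,fd=7))
LISTEN 0      511    127.0.0.1:47321     0.0.0.0:*         users:(("node",pid=4210,fd=23))
LISTEN 0      4096   0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=640,fd=3))
LISTEN 0      128    [::1]:11434         [::]:*            users:(("llm-server",pid=5120,fd=9))
"""

# Hypothetical baseline of (port, process) pairs the fleet is allowed to run.
APPROVED_LOOPBACK = {(631, "cupsd")}

_LINE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)",pid=(?P<pid>\d+)'
)


def is_loopback(addr):
    """True for IPv4 127.0.0.0/8 and the IPv6 loopback as ss prints them."""
    addr = addr.strip("[]")
    return addr.startswith("127.") or addr == "::1"


def parse_listeners(ss_text):
    """Yield one dict per LISTEN line that names a process."""
    for line in ss_text.splitlines():
        m = _LINE.match(line)
        if m:
            yield {
                "addr": m.group("addr"),
                "port": int(m.group("port")),
                "proc": m.group("proc"),
                "pid": int(m.group("pid")),
            }


def unapproved_loopback_listeners(ss_text, approved=APPROVED_LOOPBACK):
    """Return loopback listeners whose (port, process) pair is not approved.

    Non-loopback listeners are out of scope here: this check targets the
    "local-only, therefore trusted" services the advisory describes.
    """
    return [
        entry for entry in parse_listeners(ss_text)
        if is_loopback(entry["addr"])
        and (entry["port"], entry["proc"]) not in approved
    ]


if __name__ == "__main__":
    for entry in unapproved_loopback_listeners(SAMPLE_SS_OUTPUT):
        print(f"unapproved loopback listener: {entry['proc']} (pid {entry['pid']}) "
              f"on {entry['addr']}:{entry['port']}")
```

Run against real output with `ss -ltnp | python3 inventory.py`-style piping by replacing `SAMPLE_SS_OUTPUT` with `sys.stdin.read()`; anything the script flags is a candidate for the credential audit in step 3.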


Link(s):
https://www.bleepingcomputer.com/ne...cious-websites-hijack-openclaw-to-steal-data/