2 Sources
[1]
'A human-chosen password doesn't stand a chance': OpenClaw has yet another major security flaw -- here's what we know about "ClawJacked"
* Oasis security researchers find a high-severity flaw in OpenClaw AI agent
* Exploit allowed malicious websites to brute-force local gateway authentication and gain full control
* Vulnerability patched within 24 hours; users urged to upgrade to version 2026.2.25 or later

OpenClaw, the vastly popular open source AI agent platform, was vulnerable to a high-severity flaw which allowed threat actors to steal sensitive data from target computers with relative ease, experts have warned. The bug was discovered by security researchers Oasis, and was patched following responsible disclosure.

For those unfamiliar with OpenClaw, it is an AI agent that users install on their computers and interact with through a web dashboard or terminal. The tool connects to calendars, messaging apps, and can respond to emails, set up calendar events, and more. It is currently one of the most popular AI projects, with more than 100,000 stars on GitHub.

Brute forcing the password

But the very design of the tool left a gaping security hole which, according to Oasis, is relatively easy to exploit. It doesn't require a third-party addon, previous compromise, or anything of sorts. All the victim needs to do is visit a malicious website.

"What we found is different. Our vulnerability lives in the core system itself -- no plugins, no marketplace, no user-installed extensions -- just the bare OpenClaw gateway, running exactly as documented," the researchers explained.

Explaining how the bug works, Oasis says OpenClaw runs a local WebSocket server that handles authentication, and more. Nodes, such as companion apps and other machines, connect to the gateway, expose capabilities, run system commands, and access the camera (among other things). The gateway can dispatch commands to any connected node. Authentication is handled either via a token or a password, and the gateway binds to localhost by default.
If a victim visits a malicious website, its JavaScript can open a WebSocket connection to localhost, brute-force the gateway password with ease, and authenticate as a fully trusted device. Once that happens, "the attacker then has full control," Oasis concluded. "They can interact with the AI agent, dump configuration data, enumerate connected devices, and read logs."

A fix was deployed 24 hours after initial disclosure, and users are urged to upgrade their instances to version 2026.2.25 or later.
[2]
OpenClaw Patch Prevents Malicious Websites From Hijacking AI Agents | PYMNTS.com
Attacks were enabled by developers simply browsing the web and accidentally landing on a malicious website, according to the post. Oasis discovered the vulnerability and reported it to the OpenClaw security team, which classified the vulnerability as high severity and pushed a fix within 24 hours, the post said.

While there are over 1,000 fake plugins on OpenClaw's community marketplace, ClawHub, that are actually malicious, this incident involved a vulnerability in the AI agent's core system itself, per the post. "For many organizations, OpenClaw installations represent a growing category of shadow AI: developer-adopted tools that operate outside IT's visibility, often with broad access to local systems and credentials, and no centralized governance," Oasis said in the post.

To mitigate the risk from attacks like this one, Oasis recommended in the post that organizations inventory the AI agents and assistants being used by their developers, immediately update OpenClaw, audit the credentials and capabilities granted to AI agents and revoke those that are not actively needed, and establish governance for non-human identities. "As AI agents become standard tools in every developer's workflow, the question isn't whether to adopt them, it's whether you can govern them," Oasis said in the post.
Security researchers at Oasis uncovered a high-severity flaw in OpenClaw, the popular open-source AI agent platform with over 100,000 GitHub stars. The vulnerability allowed malicious websites to brute-force authentication and gain full control over users' systems simply by having them visit a compromised page. The flaw was patched within 24 hours, but it highlights growing concerns about shadow AI and governance gaps.
A critical security vulnerability in OpenClaw, one of the most popular open-source AI agent platforms, allowed malicious websites to hijack AI agents and steal sensitive data from users' computers. Security researchers at Oasis discovered the flaw, dubbed "ClawJacked," which exploited a weakness in the platform's core system rather than any third-party plugins or extensions [1]. The vulnerability affected OpenClaw installations running as documented, making it particularly dangerous for the platform's extensive user base—OpenClaw currently holds more than 100,000 stars on GitHub [1].
Source: TechRadar
The attack vector was alarmingly simple. Users only needed to visit a malicious website for threat actors to gain full control of their AI agents. Once a victim landed on a compromised page, JavaScript code could open a WebSocket connection to localhost and brute-force the gateway authentication with ease [1]. According to Oasis, attacks were enabled by developers simply browsing the web and accidentally landing on a malicious website [2].

The high-severity flaw resided in OpenClaw's fundamental architecture. The platform runs a local WebSocket server that handles authentication and coordinates communication between the gateway and connected nodes such as companion apps and other machines [1]. These nodes expose capabilities, run system commands, and access hardware like cameras. Authentication is managed through either a token or a password, with the gateway binding to localhost by default.

"What we found is different. Our vulnerability lives in the core system itself—no plugins, no marketplace, no user-installed extensions—just the bare OpenClaw gateway, running exactly as documented," Oasis researchers explained [1]. Once attackers successfully brute-force the password and authenticate as a trusted device, they gain full control over the system. They can interact with the AI agent, dump configuration data, enumerate connected devices, and read logs [1].
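The gateway-side checks that bear on the attack path described above, as an added example: this is not OpenClaw's code and not the fix it shipped, which the sources do not detail. The names `ALLOWED_ORIGINS`, `originAllowed` and `AuthGate`, the dashboard origin and the sample secret are all hypothetical.

```javascript
// Added example: admission checks for a localhost WebSocket gateway.
// ALLOWED_ORIGINS, originAllowed and AuthGate are hypothetical names.
const { createHash, timingSafeEqual } = require("node:crypto");

// Assumption: the only browser UI allowed to connect is served from here.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]);
const sha256 = (s) => createHash("sha256").update(String(s)).digest();

// Browsers put an Origin header on every WebSocket handshake and page script
// cannot override it. Native clients (CLI, companion apps) usually send none.
function originAllowed(headers) {
  const origin = headers.origin; // Node lowercases incoming header names
  return origin === undefined || ALLOWED_ORIGINS.has(origin);
}

class AuthGate {
  constructor(secret, { maxFailures = 5, lockMs = 60_000 } = {}) {
    this.digest = sha256(secret);
    Object.assign(this, { maxFailures, lockMs, failures: 0, lockedUntil: 0 });
  }

  // The failure counter is global, not per address: every local client,
  // including a browser tab, arrives from the same loopback address.
  attempt(headers, candidate, now = Date.now()) {
    if (!originAllowed(headers)) return "rejected-origin";
    if (now < this.lockedUntil) return "locked";
    if (timingSafeEqual(sha256(candidate), this.digest)) {
      this.failures = 0;
      return "ok";
    }
    if (++this.failures >= this.maxFailures) {
      this.failures = 0;
      this.lockedUntil = now + this.lockMs;
    }
    return "denied";
  }
}

// Constructed handshakes: a foreign web page, then a local client guessing.
function demo() {
  const secret = "constructed-sample-secret";
  const gate = new AuthGate(secret);
  const out = [gate.attempt({ origin: "https://untrusted.example" }, secret, 0)];
  for (let i = 0; i < 6; i++) out.push(gate.attempt({}, "guess" + i, 1000 + i));
  out.push(gate.attempt({}, secret, 70_000));
  return out;
}
console.log(demo());
```

A global lockout caps the guess rate at the cost of availability: any local process that fails repeatedly also locks out legitimate clients until the window expires.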
Source: PYMNTS
Following responsible disclosure by Oasis, the OpenClaw security team classified the vulnerability as high severity and deployed a fix within 24 hours [1][2]. Users are strongly urged to upgrade their instances to version 2026.2.25 or later to protect against potential exploitation [1]. The swift response demonstrates the importance of coordinated vulnerability disclosure, though questions remain about how many users may have been exposed before the patch.
This incident underscores a broader challenge facing organizations: the rise of shadow AI. "For many organizations, OpenClaw installations represent a growing category of shadow AI: developer-adopted tools that operate outside IT's visibility, often with broad access to local systems and credentials, and no centralized governance," Oasis noted [2]. While there are over 1,000 fake plugins on OpenClaw's community marketplace, ClawHub, that are actually malicious, this particular vulnerability affected the platform's core architecture rather than third-party extensions [2].

To mitigate risks from similar attacks, Oasis recommended that organizations inventory the AI agents and assistants being used by their developers, immediately update OpenClaw installations, audit the credentials and capabilities granted to AI agents and revoke those not actively needed, and establish governance for non-human identities [2]. "As AI agents become standard tools in every developer's workflow, the question isn't whether to adopt them, it's whether you can govern them," Oasis stated [2].

The ClawJacked vulnerability serves as a warning about the security implications of developer-adopted AI tools that integrate deeply with local systems. As AI agents gain access to calendars, messaging apps, emails, and system commands, the potential damage from compromised authentication grows exponentially. Organizations must balance the productivity benefits of these tools against the need for robust security controls and visibility into how AI agents access and handle sensitive data.
Summarized by
Navi