Flaw in OpenClaw allows complete takeover of AI agent

A serious vulnerability in the open-source AI agent OpenClaw made it possible for arbitrary websites to take complete control of developers’ AI assistants without being noticed.

The vulnerability, dubbed ClawJacked, was discovered by Oasis Security and was located at the core of OpenClaw itself. No malicious plugins, extensions, or user interaction were required. The developers of OpenClaw classified the issue as high risk and released a security update within 24 hours.

OpenClaw is a self-hosted AI platform that has exploded in popularity in a short period of time. Within days, the project garnered over 100,000 stars on GitHub and became an integral part of the workflow for thousands of developers. The software runs locally on laptops and often has far-reaching access to messaging apps, calendars, development tools, and the underlying operating system. The AI agent can perform actions independently on behalf of the user, which makes the platform powerful but also risky.

The rapid rise of OpenClaw has already led to security issues. Recently, it was revealed that attackers exploited ClawHub, the community marketplace for OpenClaw skills, by distributing malicious skills on a large scale. This was a supply chain issue. The vulnerability discovered by Oasis is fundamentally different and also affects standard installations of OpenClaw.

Local gateway as central control point

At the heart of the architecture is a local gateway that communicates via WebSockets and is bound to localhost by default. This gateway handles authentication, manages sessions, stores configurations, and controls connected nodes. These nodes can be other devices and have extensive capabilities, including executing system commands and accessing sensitive data. The security model assumes that local traffic is trustworthy.

That assumption turns out to be incorrect. The browser's same-origin policy does not block WebSocket connections, including connections to localhost. As a result, JavaScript on a malicious website can open a connection to the local OpenClaw gateway without the user noticing anything.

In addition, local connections are excluded from rate limiting. This exception is intended to avoid blocking local tools, but it makes it possible to try passwords without restriction. Researchers were able to perform hundreds of attempts per second from browser JavaScript, without logging or delay. This makes it possible to guess commonly used passwords almost instantly.

After successful authentication, an attacker can register as a trusted device, which is automatically approved for localhost connections. From that moment on, complete control over the AI agent is possible. Attackers can read configurations, inventory connected devices, view log files, and issue commands to the agent.
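The two gateway weaknesses described above, an unchecked Origin header and a rate-limit exemption for loopback peers, as a hardened connection gate in an added example. This is not OpenClaw's code; the origin allowlist, port 8080, the peer addresses and all function names are assumptions.

```javascript
// Constructed allowlist: the only origins a browser page may open the gateway from.
const ALLOWED_ORIGINS = new Set(["http://localhost:8080", "http://127.0.0.1:8080"]);

// Browsers attach an Origin header to every WebSocket handshake, and the
// same-origin policy does not stop the connection, so the server must check
// it. Requests without an Origin header come from non-browser clients (CLI
// tools on the machine) and are left to the token check below.
function checkOrigin(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return { ok: true, reason: "no Origin (non-browser client)" };
  if (ALLOWED_ORIGINS.has(origin)) return { ok: true, reason: "origin allowed" };
  return { ok: false, reason: `origin not allowed: ${origin}` };
}

// Sliding-window limiter on failed authentication attempts, keyed by peer
// address. Loopback gets no exemption: a hostile tab on the same machine
// also arrives from 127.0.0.1.
class AuthRateLimiter {
  constructor(maxFailures = 5, windowMs = 60_000, now = () => Date.now()) {
    Object.assign(this, { maxFailures, windowMs, now, failures: new Map() });
  }
  recent(addr) {
    const t = this.now();
    const kept = (this.failures.get(addr) || []).filter((ts) => t - ts < this.windowMs);
    this.failures.set(addr, kept);
    return kept;
  }
  isThrottled(addr) { return this.recent(addr).length >= this.maxFailures; }
  recordFailure(addr) { this.recent(addr).push(this.now()); }
}

// Constant-time string comparison so a guessed token leaks no timing signal.
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Full gate for one connection attempt. Every rejection is written to `log`
// so a guessing run is visible, and throttling applies before the token check.
function gateConnection({ addr, headers, token }, expectedToken, limiter, log = []) {
  const o = checkOrigin(headers);
  if (!o.ok) { log.push(`${addr} rejected: ${o.reason}`); return { accepted: false, reason: o.reason }; }
  if (limiter.isThrottled(addr)) { log.push(`${addr} rejected: rate limited`); return { accepted: false, reason: "rate limited" }; }
  if (!constantTimeEqual(String(token), expectedToken)) {
    limiter.recordFailure(addr);
    log.push(`${addr} rejected: bad token`);
    return { accepted: false, reason: "bad token" };
  }
  return { accepted: true, reason: "authenticated" };
}
```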

Complete takeover of the workstation

In practice, the agent can be used to search chat histories, exfiltrate files, or execute shell commands on connected devices. According to BleepingComputer, this amounts to a complete takeover of the workstation, caused by visiting a malicious website.

Oasis Security demonstrated the attack with a proof of concept and reported the issue with technical details to the OpenClaw team. Within 24 hours, a patch was released that tightens WebSocket security and limits trust in localhost connections. The fix is available from OpenClaw version 2026.2.26, and users are strongly advised to upgrade.

According to Oasis, the incident shows that AI agents are increasingly being deployed outside the view of IT departments, while having their own identities, credentials, and execution rights. As these types of tools become standard in development environments, the challenge shifts from adoption to governance and security. Organizations that fail to get a grip on this are at increasing risk.