A security flaw known as ClawJacked allowed malicious websites to hijack local OpenClaw AI agents to facilitate silent data extraction. Developers should update to version 2026.2.26 immediately to resolve this vulnerability and secure their local environments.
OpenClaw operates as an open-source framework designed to run autonomous AI assistants directly on a user's local hardware. By linking large language models to system resources and web browsers, it allows for the local execution of complex workflows and data processing tasks. The architecture relies on a central WebSocket gateway that coordinates various connected nodes, such as mobile devices or desktop applications, to perform system-level commands. Because the gateway was designed to trust all traffic originating from the local machine, it inadvertently created a pathway for external exploitation through simple web browsing.
The vulnerability discovered by Oasis Security stemmed from how the OpenClaw gateway handled local connections and authentication requests. When a user running the software visited a compromised website, embedded JavaScript could initiate a WebSocket connection to the local gateway without being blocked by standard browser security policies. Under normal circumstances, the gateway would be protected by a password, but the system specifically exempted local traffic from rate limiting. This allowed an attacker to brute-force credentials rapidly until access was granted.
Once the malicious script successfully guessed the password, it could register itself as a trusted device without requiring any manual confirmation from the user. This silent pairing process granted the attacker administrative control over the AI framework, bypassing the security measures intended to keep the local environment private. Because the gateway assumed that any request coming from the host machine was legitimate, it provided the attacker with the same level of authority as the primary user, all happening in the background of a standard browser session.
With this authenticated access, an external actor could interact with the AI agent to extract sensitive configuration details, read private logs, and identify other connected devices on the network. The exploit effectively turned a helpful productivity tool into a backdoor for workstation compromise, allowing for the unauthorized execution of commands and the theft of processed data. Since the attack required no visible interaction or warning signs, a developer could have their entire local AI ecosystem compromised just by landing on a malicious URL while the gateway was active.
Following the disclosure of the ClawJacked flaw, the OpenClaw team released a critical patch in version 2026.2.26 on February 26 to close these security gaps. The update addresses the underlying issues by implementing stricter authentication checks and removing the rate-limit exemptions for local traffic. Users are urged to verify their current version and update their local installations to prevent unauthorized access. This incident highlights the evolving security challenges faced by local AI deployments and the necessity of maintaining robust defense-in-depth strategies even for tools running on private machines.
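A gateway-side sketch of the controls described above as missing: failed-login throttling that includes loopback, and pairing that waits for user approval. It also adds an Origin allowlist as a general WebSocket hardening step. This is an added example, not OpenClaw's code; `createGatewayGuard`, its options and the sample values are assumptions.

```javascript
// Added illustration; createGatewayGuard and its options are hypothetical names.
function createGatewayGuard({ allowedOrigins, maxFailures, windowMs, lockoutMs }) {
  const peers = new Map(); // remoteAddress -> { count, windowStart, lockedUntil }
  function state(addr, now) {
    let s = peers.get(addr);
    if (!s || now - s.windowStart > windowMs) {
      s = { count: 0, windowStart: now, lockedUntil: s ? s.lockedUntil : 0 };
      peers.set(addr, s);
    }
    return s;
  }

  // Decide whether a WebSocket handshake may proceed to password verification.
  function admit({ remoteAddress, origin }, now) {
    // Browsers send Origin on WebSocket handshakes; a page on another site shows up here.
    if (origin !== undefined && !allowedOrigins.includes(origin)) {
      return { ok: false, reason: "origin-rejected" };
    }
    // No loopback exemption: 127.0.0.1 and ::1 are throttled like any other peer.
    if (state(remoteAddress, now).lockedUntil > now) {
      return { ok: false, reason: "locked-out" };
    }
    return { ok: true, reason: "admitted" };
  }
  function recordAuthResult(remoteAddress, success, now) {
    if (success) return void peers.delete(remoteAddress);
    const s = state(remoteAddress, now);
    s.count += 1;
    if (s.count >= maxFailures) s.lockedUntil = now + lockoutMs;
  }

  // Authentication alone never completes pairing; the user must approve the device.
  function pairDevice(authenticated, userApproved) {
    if (!authenticated) return "rejected";
    return userApproved ? "paired" : "pending-approval";
  }
  return { admit, recordAuthResult, pairDevice };
}

// Constructed scenario: 1000 wrong guesses, 1 ms apart, from loopback with no Origin header.
function guessesReachingPasswordCheck(guard) {
  let reached = 0;
  for (let t = 0; t < 1000; t++) {
    if (!guard.admit({ remoteAddress: "127.0.0.1" }, t).ok) continue;
    reached += 1;
    guard.recordAuthResult("127.0.0.1", false, t);
  }
  return reached;
}
```

With a five-failure threshold, only five of the thousand loopback guesses reach the password check before the lockout applies.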
Source: ClawJacked Vulnerability Exposed OpenClaw Users to Data Theft Risk



