ClawJacked Flaw in OpenClaw Enables Local AI Agent Hijacking via WebSocket
Summary
A high-severity vulnerability in OpenClaw, codenamed ClawJacked, allows malicious websites to hijack locally running AI agents through WebSocket connections. The attack exploits missing rate limiting and auto-approval of trusted devices, enabling attackers to take control of the AI agent. OpenClaw has released a fix in version 2026.2.25, urging users to update immediately and enforce strict governance controls. The vulnerability stems from the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface, which allows attackers to brute-force the management password and gain admin-level permissions. Once authenticated, attackers can interact directly with the AI platform, dumping credentials, listing connected nodes, stealing credentials, and reading application logs. The fix tightens WebSocket security checks and adds protections to prevent attackers from abusing localhost loopback connections.
Timeline
- 28.02.2026 19:21 · 3 articles
ClawJacked Flaw in OpenClaw Enables Local AI Agent Hijacking via WebSocket
The OpenClaw gateway acts as a local WebSocket server handling authentication, managing chat sessions, storing configuration, and orchestrating the AI agent. Nodes connected to the gateway can run system commands, access the camera, read contacts, and more. The gateway auto-approves device pairings from localhost with no user prompt.
Sources:
- ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket — thehackernews.com — 28.02.2026 19:21
- ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
- ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
Information Snippets
- The vulnerability resides in the core OpenClaw gateway, not in plugins or extensions.
  First reported: 28.02.2026 19:21 · 3 sources, 3 articles
  - ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket — thehackernews.com — 28.02.2026 19:21
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- Attackers can brute-force the gateway password due to missing rate-limiting.
  First reported: 28.02.2026 19:21 · 3 sources, 3 articles
  - ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket — thehackernews.com — 28.02.2026 19:21
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- Successful authentication grants admin-level permissions, allowing stealthy registration as a trusted device.
  First reported: 28.02.2026 19:21 · 3 sources, 3 articles
  - ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket — thehackernews.com — 28.02.2026 19:21
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- The flaw enables attackers to interact with the AI agent, dump configuration data, and read application logs.
  First reported: 28.02.2026 19:21 · 3 sources, 3 articles
  - ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket — thehackernews.com — 28.02.2026 19:21
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- OpenClaw released a fix in version 2026.2.25 on February 26, 2026.
  First reported: 28.02.2026 19:21 · 3 sources, 3 articles
  - ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket — thehackernews.com — 28.02.2026 19:21
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- Additional vulnerabilities in OpenClaw include log poisoning and multiple CVEs ranging from moderate to high severity.
  First reported: 28.02.2026 19:21 · 2 sources, 2 articles
  - ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket — thehackernews.com — 28.02.2026 19:21
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- Malicious skills on ClawHub are being used to deliver Atomic Stealer and other malware.
  First reported: 28.02.2026 19:21 · 1 source, 1 article
  - ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket — thehackernews.com — 28.02.2026 19:21
- Microsoft advises treating OpenClaw as untrusted code execution and deploying it in isolated environments.
  First reported: 28.02.2026 19:21 · 1 source, 1 article
  - ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket — thehackernews.com — 28.02.2026 19:21
- The OpenClaw gateway service binds to localhost by default and exposes a WebSocket interface.
  First reported: 01.03.2026 23:44 · 2 sources, 2 articles
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- Browser cross-origin policies do not block WebSocket connections to localhost, allowing malicious websites to open connections without triggering warnings.
  First reported: 01.03.2026 23:44 · 2 sources, 2 articles
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- The loopback address (127.0.0.1) is exempt from rate limiting by default, allowing brute-force attacks at hundreds of attempts per second.
  First reported: 01.03.2026 23:44 · 2 sources, 2 articles
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- Authenticated attackers can dump credentials, list connected nodes, steal credentials, and read application logs.
  First reported: 01.03.2026 23:44 · 2 sources, 2 articles
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- The fix in version 2026.2.26 tightens WebSocket security checks and adds protections to prevent brute-force logins and session hijacking.
  First reported: 01.03.2026 23:44 · 1 source, 1 article
  - ClawJacked attack let malicious websites hijack OpenClaw to steal data — www.bleepingcomputer.com — 01.03.2026 23:44
- The OpenClaw gateway acts as a local WebSocket server handling authentication, managing chat sessions, storing configuration, and orchestrating the AI agent.
  First reported: 02.03.2026 13:30 · 1 source, 1 article
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- Nodes connected to the gateway can run system commands, access the camera, read contacts, and more.
  First reported: 02.03.2026 13:30 · 1 source, 1 article
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
- The gateway auto-approves device pairings from localhost with no user prompt.
  First reported: 02.03.2026 13:30 · 1 source, 1 article
  - ClawJacked Bug Enables Covert AI Agent Hijacking — www.infosecurity-magazine.com — 02.03.2026 13:30
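
The snippets above name two server-side gaps: browsers do not block cross-origin WebSocket connections to localhost, and loopback was exempt from rate limiting. The sketch below shows the matching checks on a local gateway as an added example. It is not OpenClaw's code, and the function names, thresholds and origin values are assumptions made for illustration.

```javascript
// Added illustration; not OpenClaw code. Names, limits and origins are assumed.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Browsers attach an Origin header to every WebSocket handshake, and the
// same-origin policy does not stop the connection, so the server must check it.
function originAllowed(headers, allowedOrigins) {
  const origin = headers["origin"];
  if (origin === undefined) return true; // non-browser client; still must authenticate
  return allowedOrigins.includes(origin);
}

class AuthThrottle {
  constructor({ maxFailures = 5, lockoutMs = 60_000, exemptLoopback = false } = {}) {
    Object.assign(this, { maxFailures, lockoutMs, exemptLoopback });
    this.state = new Map(); // remote address -> { failures, lockedUntil }
  }
  // Returns "ok", "denied" (wrong password) or "locked" (password not checked).
  attempt(addr, passwordOk, now = Date.now()) {
    // exemptLoopback = true reproduces the weak default described on this page.
    const exempt = this.exemptLoopback && LOOPBACK.has(addr);
    const s = this.state.get(addr) ?? { failures: 0, lockedUntil: 0 };
    if (!exempt && now < s.lockedUntil) return "locked";
    if (passwordOk) { this.state.delete(addr); return "ok"; }
    s.failures += 1;
    if (s.failures >= this.maxFailures) {
      s.lockedUntil = now + this.lockoutMs;
      s.failures = 0;
    }
    this.state.set(addr, s);
    return "denied";
  }
}

// Constructed scenario: repeated wrong passwords arrive over loopback, one per
// millisecond. Returns how many of them reached the password comparison.
function guessesEvaluated(throttle, guesses, start = 0) {
  let evaluated = 0;
  for (let i = 0; i < guesses; i++) {
    if (throttle.attempt("127.0.0.1", false, start + i) !== "locked") evaluated++;
  }
  return evaluated;
}
```

With the loopback exemption enabled every guess is evaluated; with it disabled the throttle stops evaluating after `maxFailures` attempts until the lockout expires.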
Similar Happenings
Six New OpenClaw Vulnerabilities Patched
OpenClaw has patched six new vulnerabilities in its agentic AI assistant, including server-side request forgery (SSRF), missing authentication, and path traversal bugs. The vulnerabilities range from moderate to high severity, with some lacking CVE IDs. The flaws affect various components, including the Gateway tool, Telnyx webhook authentication, and browser upload functionality. Endor Labs highlighted the importance of data flow analysis and defense-in-depth validation for AI agent infrastructure. The research also revealed ongoing security concerns, such as misconfigured instances exposed to the public internet and the risk of indirect prompt injection. One additional vulnerability remains unpatched, and major security concerns persist over OpenClaw's undocumented enterprise use.
Infostealer Malware Targets OpenClaw Configuration Files
Infostealer malware has been observed stealing OpenClaw configuration files containing API keys, authentication tokens, and other sensitive secrets. This marks the first known instance of such attacks targeting the popular AI assistant framework. The stolen data includes configuration details, authentication tokens, and persistent memory files, which could enable full compromise of the victim's digital identity. The malware, identified as a variant of the Vidar infostealer, executed a broad file-stealing routine that scanned for sensitive keywords. Researchers predict increased targeting of OpenClaw as it becomes more integrated into professional workflows. Additionally, security issues with OpenClaw have prompted the maintainers to partner with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.
OpenClaw Security Concerns and AI Agent Exploits
OpenClaw, an AI agent platform, faces significant security concerns as attackers exploit its ecosystem. Malicious skills on ClawHub, a public skills registry, have been discovered, and threat actors are discussing the deployment of OpenClaw skills for botnet operations. The number of malicious packages on npm and PyPI with the name 'claw' has surged, providing new avenues for threat actors. Additionally, attackers are actively scanning exposed OpenClaw gateways, attempting prompt injection and command execution. These developments highlight the risks associated with AI agents' broad permissions and unsupervised deployment.
341 Malicious ClawHub Skills Target OpenClaw Users with Atomic Stealer
A security audit by Koi Security identified 341 malicious skills on ClawHub, a marketplace for OpenClaw users, which distribute Atomic Stealer malware to steal sensitive data from macOS and Windows systems. The campaign, codenamed ClawHavoc, uses social engineering tactics to trick users into installing malicious prerequisites. The skills masquerade as legitimate tools, including cryptocurrency utilities, YouTube tools, and finance applications. OpenClaw has added a reporting feature and partnered with VirusTotal to scan skills uploaded to ClawHub, providing an additional layer of security for the OpenClaw community. The malware targets API keys, credentials, and other sensitive data, exploiting the open-source ecosystem's vulnerabilities. The campaign coincides with a report from OpenSourceMalware, highlighting the same threat. The intersection of AI agent capabilities and persistent memory amplifies the risks, enabling stateful, delayed-execution attacks. New findings reveal that almost 400 fake crypto trading add-ons in the project behind the viral Moltbot/OpenClaw AI assistant tool can lead users to install information-stealing malware. These add-ons, called skills, masquerade as cryptocurrency trading automation tools and target ByBit, Polymarket, Axiom, Reddit, and LinkedIn. The malicious skills share the same command-and-control (C2) infrastructure, 91.92.242.30, and use sophisticated social engineering to convince users to execute malicious commands, which then steal crypto assets like exchange API keys, wallet private keys, SSH credentials, and browser passwords.
OpenClaw Token Exfiltration Vulnerability Enables One-Click RCE
A high-severity vulnerability (CVE-2026-25253, CVSS 8.8) in OpenClaw, an open-source AI assistant, allows remote code execution via a malicious link. The flaw enables token exfiltration and full gateway compromise. The issue was patched in version 2026.1.29 released on January 30, 2026. The vulnerability arises because the Control UI trusts the gatewayUrl parameter without validation, auto-connecting and sending the stored gateway token in the WebSocket connect payload. This allows an attacker to connect to the victim's local gateway, modify configurations, and execute privileged actions. OpenClaw integrates with various messaging platforms and has gained rapid popularity, with its GitHub repository crossing 149,000 stars. The vulnerability can be exploited to achieve one-click RCE by visiting a malicious web page, leveraging cross-site WebSocket hijacking due to the lack of origin header validation.