Security researchers have disclosed a high-severity vulnerability dubbed "ClawJacked" in the popular AI agent OpenClaw that allowed a malicious website to silently bruteforce access to a locally running instance and take control over it.

Oasis Security discovered the issue and reported it to OpenClaw, with a fix being released in version 2026.2.26 on February 26.

OpenClaw is a self-hosted AI platform that has recently surged in popularity for enabling AI agents to autonomously send messages, execute commands, and manage tasks across multiple platforms.

According to Oasis Security, the vulnerability is caused by the OpenClaw gateway service binding to localhost by default and exposing a WebSocket interface.

Because browser cross-origin policies do not block WebSocket connections to localhost, a malicious website visited by an OpenClaw user can use JavaScript to silently open a connection to the local gateway and attempt authentication without triggering any warnings.

While OpenClaw includes rate limiting to prevent brute-force attacks, the loopback address (127.0.0.1) is exempt by default, so local CLI sessions are not mistakenly locked out.

The researchers found that they could brute-force the OpenClaw management password at hundreds of attempts per second without failed attempts being throttled or logged. Once the correct password is guessed, the attacker can silently register as a trusted device, as the gateway automatically approves device pairings from localhost without requiring user confirmation.

"In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone," explains Oasis.

"At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human-chosen password doesn't stand a chance."

With an authenticated session and admin permissions, the attacker can now interact directly with the AI platform, dumping credentials, listing connected nodes, stealing credentials, and reading application logs.

Oasis says this could allow an attacker to instruct the agent to search messaging histories for sensitive information, exfiltrate files from connected devices, or execute arbitrary shell commands on paired nodes, effectively resulting in full workstation compromise triggered from a browser tab.

Oasis shared a demonstration of this attack, showing how it could be used to steal sensitive data through the OpenClaw vulnerability.

Oasis reported the issue to OpenClaw, including technical details and proof-of-concept code, and it was fixed within 24 hours of disclosure.

The fix tightens WebSocket security checks and adds additional protections to prevent attackers from abusing localhost loopback connections to brute-force logins or hijack sessions, even if those connections are configured to be exempt from rate limiting.

Organizations and developers running OpenClaw should update to version 2026.2.26 or later immediately to prevent their installations from being hijacked.

With OpenClaw's massive popularity, security researchers have been focusing on identifying vulnerabilities and attacks targeting the platform.

Threat actors have been seen abusing the "ClawHub" OpenClaw skills repository to promote malicious skills that deploy infostealing malware or trick users into running malicious commands on their devices.