ClawJacked flaw exposed OpenClaw users to data theft
Summary: The OpenClaw AI agent framework was affected by a high-severity flaw dubbed "ClawJacked" that let a malicious website hijack a locally running agent and steal data. Script on the attacker's page could open a WebSocket connection to the local gateway, brute-force its password and take control. Oasis Security reported the flaw; OpenClaw fixed it in version 2026.2.26.

2026-03-02 09:42:34  Source: securityaffairs.com


“ClawJacked” flaw let malicious sites hijack OpenClaw AI agents to steal data; patch released in version 2026.2.26.

A high-severity vulnerability called ClawJacked in OpenClaw allowed malicious websites to brute-force and take control of local AI agent instances. Oasis Security discovered the flaw, which enabled silent data theft. OpenClaw addressed the issue with version 2026.2.26, released on February 26.

OpenClaw is an open-source AI agent framework that lets developers run autonomous AI assistants locally. It connects large language models to tools, browsers, and system resources, enabling task automation such as web interaction, data processing, and workflow execution on a user’s machine.

OpenClaw is built around a local WebSocket gateway that acts as the system's brain, handling authentication, chat sessions, configuration, and coordination of the AI agent. Connected "nodes" (such as a macOS app, iOS device, or other machines) register with the gateway and can execute system commands or access device features. The gateway binds to localhost and treats anything arriving from the loopback interface as trusted. That assumption is the weakness: the user's web browser is itself a local process, so any web page it renders can reach the gateway from 127.0.0.1.

Oasis Security researchers uncovered a critical attack chain showing that a malicious website could fully hijack a locally running OpenClaw instance. If a developer had the OpenClaw gateway running on localhost and visited an attacker-controlled site, embedded JavaScript could silently open a WebSocket connection to the local gateway. Because browsers allow WebSocket connections to localhost and OpenClaw trusted local traffic, the connection was not blocked.

The gateway also exempted localhost from rate limiting, allowing attackers to brute-force the password at hundreds of guesses per second without triggering alerts. Once the password was guessed, the malicious script could automatically register as a trusted device, since local pairings required no user confirmation.

With authenticated access, attackers gained admin-level control. They could interact directly with the AI agent, extract configuration details, read logs, enumerate connected nodes, and potentially execute commands on linked devices. In practice, this meant full workstation compromise initiated from a simple browser visit, without any visible warning to the user.

"A developer has OpenClaw running on their laptop, with the gateway bound to localhost, protected by a password," reads the report published by Oasis Security. "They're browsing the web and accidentally land on a malicious website. That's all it takes."

The full attack chain works like this:

  • The victim visits any attacker-controlled (or compromised) website in their normal browser.
  • JavaScript on the page opens a WebSocket connection to localhost on the OpenClaw gateway port. This is permitted because the WebSocket handshake is not subject to the browser's same-origin policy: the browser sends an Origin header, but it is up to the server to reject unexpected origins, and the gateway did not.
  • The script brute-forces the gateway password at hundreds of attempts per second. The gateway's rate limiter exempts localhost connections entirely.
  • Once authenticated, the script silently registers as a trusted device. The gateway auto-approves device pairings from localhost with no user prompt.
  • The attacker then has full control. They can interact with the AI agent, dump configuration data, enumerate connected devices, and read logs.

Oasis Security published a video PoC of the attack (embedded in the original post).

Researchers responsibly disclosed the flaw to the OpenClaw team. The issue was rated high severity and patched in under 24 hours.

Organizations are urged to identify AI tools running on developer machines, as many may be deployed without IT oversight. Any OpenClaw instances should be updated immediately to version 2026.2.26 or later. Companies should also audit what permissions and credentials their AI agents hold, limiting access to only what is necessary.

Finally, experts stress the need for governance around AI agents as non-human identities. Since they can authenticate, store credentials, and act autonomously, they require strict policy controls, monitored access, and full audit trails—just like human users or service accounts.


Pierluigi Paganini

(SecurityAffairs – hacking, ClawJacked)

Source: https://securityaffairs.com/188749/hacking/clawjacked-flaw-exposed-openclaw-users-to-data-theft.html