What is the ClawJacked vulnerability?

ClawJacked allows any website to silently hijack a locally running OpenClaw agent via WebSocket brute-force. Browser cross-origin policies don't block WebSocket connections to localhost.

How does the ClawJacked attack work?

A malicious website opens a WebSocket to localhost, brute-forces the gateway password (rate limiter exempts localhost), auto-approves device pairing, then gains full agent control including file access, shell, and APIs.

Is ClawJacked patched?

Yes, patched in OpenClaw v2026.2.26 within 24 hours of disclosure. Users on older versions remain vulnerable.

Who discovered ClawJacked?

Oasis Security researchers discovered and disclosed the vulnerability, which was covered by The Hacker News, BleepingComputer, SecurityAffairs, and logged by OECD.AI.

How serious is ClawJacked?

Very serious — it was the 4th major vulnerability in February 2026 alone, and requires no user interaction to exploit. Any visited website could take full control of a local OpenClaw instance.

← Back to dashboard

clawsmith.com/signal/clawjacked-openclaw-vulnerability-localhost-hijack

⚠ IssueUnknownSecurity AdvisoryLive

ClawJacked: any website can silently hijack local OpenClaw agents via WebSocket brute-force

Browser cross-origin policies don't block WebSocket connections to localhost. Any malicious website can brute-force the gateway password at hundreds of attempts/second (rate limiter exempts localhost) and take full agent control. Patched in v2026.2.26 within 24 hours.

Product Idea from this Signal

A network firewall that blocks WebSocket hijack attacks on local OpenClaw agents before malicious sites connect

900 ▲

Any website can silently connect to your local OpenClaw agent via WebSocket brute-force and steal data, execute commands, or exfiltrate credentials. The ClawJacked vulnerability (85K+ virality, CVSS 8.8-9.9) affects every default OpenClaw install running on localhost. Existing patches only cover specific CVEs while new WebSocket attack vectors keep appearing weekly. This tool runs as a local proxy between the browser and the OpenClaw gateway, validating every WebSocket connection against an allowlist of trusted origins, blocking unauthorized handshakes, and logging all connection attempts for forensic review.

SECURITYCLIDEVTOOLOPEN-SOURCE

CompetitiveView Opportunity →