On February 26, 2026, Oasis Security disclosed ClawJacked — a high-severity vulnerability in OpenClaw’s core gateway that allowed any malicious website to silently hijack a locally running AI agent. OpenClaw patched it within 24 hours in version 2026.2.25.

If you’re running OpenClaw, update now. Here’s what happened and why it matters.

The Attack Chain

ClawJacked exploits a fundamental browser behavior: browsers don’t block cross-origin WebSocket connections to localhost. Unlike regular HTTP requests, there’s no same-origin policy protecting WebSocket handshakes. The browser does attach an Origin header to the handshake, but rejecting unexpected origins is left to the server. Any JavaScript running on any website can open a connection to your local OpenClaw gateway, and you’ll see nothing.

The full attack sequence:

  1. You visit a malicious website (via phishing, a compromised link, or even a malicious ad)
  2. JavaScript opens a WebSocket to localhost on the OpenClaw gateway port
  3. The script brute-forces the gateway password — no rate limiting existed to prevent this
  4. After authentication, it registers as a trusted device — the gateway auto-approved localhost connections without user confirmation
  5. Full agent control. The attacker can interact with your agent, dump configuration, enumerate connected nodes, and read logs

“That misplaced trust has real consequences,” Oasis Security wrote. “The gateway relaxes several security mechanisms for local connections — including silently approving new device registrations without prompting the user.”

Why This Is Serious

OpenClaw agents typically have broad access: file systems, shell commands, messaging platforms, API keys, browser sessions. An attacker who hijacks the agent effectively inherits all of those permissions. The blast radius scales with how much you’ve integrated.

This isn’t theoretical. Combined with the log poisoning vulnerability patched in v2026.2.13 (which allowed prompt injection via WebSocket-written log entries), an attacker could both control the agent and manipulate its reasoning.

What Was Fixed

Version 2026.2.25 addresses ClawJacked by:

  • Adding rate limiting to gateway authentication attempts
  • Requiring explicit user approval for all new device registrations, including localhost
  • Tightening WebSocket security for local connections

What You Should Do

1. Update Immediately

npm update -g openclaw
# or
pnpm update -g openclaw

Verify you’re on v2026.2.25 or later:

openclaw --version

2. Audit Your Connected Devices

Check what devices are registered with your gateway. Remove anything you don’t recognize.

3. Use a Strong Gateway Password

If you’re using a short or common password, change it. The brute-force attack worked because there was no rate limiting — but a strong password still matters as defense in depth.

4. Consider Network Restrictions

If you’re running OpenClaw on a shared network or a machine that browses the web:

  • Bind the gateway to a specific interface rather than all interfaces
  • Use firewall rules to restrict access to the gateway port
  • Consider running OpenClaw on a dedicated machine (like a Mac mini) that doesn’t browse the web

5. Review Your Agent’s Permissions

This is a good reminder to audit what your agent can access. Apply the principle of least privilege:

  • Restrict file system access to specific directories
  • Use command allowlists instead of blocklists
  • Enable confirmation gates for destructive operations

The Bigger Pattern

ClawJacked is the fourth major vulnerability disclosed in OpenClaw in February 2026 alone, following:

  • CVE-2026-25253 — One-click RCE via Control UI (patched v2026.1.29)
  • CVE-2026-26322 — SSRF via unchecked URLs (patched v2026.2.14)
  • CVE-2026-27008 — Arbitrary file write (patched v2026.2.14)
  • Log poisoning — Prompt injection via WebSocket logs (patched v2026.2.13)

This level of scrutiny is actually healthy for the project. With 190K+ GitHub stars and growing enterprise adoption, OpenClaw is getting the security attention it needs. Every patch makes the ecosystem more resilient.

But it also reinforces a critical point: AI agents with broad system access are high-value targets. Treat your OpenClaw deployment with the same security rigor you’d apply to a production server.


For a comprehensive hardening guide, see our post on setting up guardrails for your OpenClaw agent. For the full February security timeline, see our February 2026 security roundup. Also read our complete security guide for the full picture of OpenClaw’s security model.