
ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket

By DAPSSA AI Desk | 2026-03-02

Overview

A critical security flaw, dubbed ClawJacked, was disclosed in the OpenClaw AI platform. The vulnerability allowed a hostile web page to open a WebSocket connection to the OpenClaw gateway running on a user’s machine and take over the locally hosted AI agent. The issue was reported on 28 February 2026 and has since been patched by the OpenClaw development team.


Technical Details

  • Attack Vector: A malicious site could embed JavaScript that initiates a WebSocket handshake with the OpenClaw gateway listening on the default localhost port.
  • Root Cause: The gateway failed to enforce origin checks and did not require authentication for inbound WebSocket connections. Because the gateway runs as a privileged local service, any successful connection granted the attacker full control over the AI agent’s runtime.
  • Scope: The flaw resides in the core OpenClaw system itself—not in optional plugins, marketplace extensions, or user‑installed add‑ons. This means every default installation was potentially vulnerable.
  • Severity: Rated high by the OpenClaw security team, given the ease of exploitation (a single malicious web page) and the level of access granted (complete command over the AI agent).

Potential Impact

  • Data Exfiltration: An attacker could retrieve prompts, user inputs, or generated content from the AI agent.
  • Command Execution: The compromised agent could be instructed to perform actions on the host system, such as file manipulation or network calls.
  • Persistence: By modifying the agent’s configuration, an adversary could maintain a long‑term foothold on the victim’s machine.
  • Reputation Damage: Organizations deploying OpenClaw in customer‑facing environments could face trust issues if the flaw were exploited.

Mitigation and Patch

OpenClaw released an emergency update that introduces the following safeguards:

  • Origin Validation: The gateway now verifies the Origin header of incoming WebSocket requests, rejecting any that do not match the local host.
  • Authentication Requirement: A token‑based authentication step is mandatory before establishing a WebSocket session.
  • Default Configuration Hardened: The out‑of‑box settings now disable remote WebSocket access unless explicitly enabled by the administrator.
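
An added example, not OpenClaw's own code: one way a local gateway can apply the Origin check and the token requirement listed above before it accepts a WebSocket upgrade. The port `8765`, the `Authorization: Bearer` transport for the token, the token value and all function names are assumptions made for illustration.

```javascript
// Added example: handshake gate for a loopback WebSocket gateway.
// GATEWAY_PORT, the Bearer-header token transport and all names are assumptions.
const GATEWAY_PORT = "8765"; // constructed value, not OpenClaw's port
const LOCAL_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Parse the Origin instead of substring-matching it, so look-alikes such as
// http://localhost.evil.example or http://localhost:8765@evil.example fail.
function isLocalOrigin(origin) {
  let url;
  // "null" (sandboxed frame, file://), empty or malformed values do not parse.
  try { url = new URL(origin); } catch { return false; }
  if (url.protocol !== "http:" && url.protocol !== "https:") return false;
  return LOCAL_HOSTS.has(url.hostname) && url.port === GATEWAY_PORT;
}

// Compare without an early exit on the first differing byte. In Node,
// crypto.timingSafeEqual does this job; a loop keeps the example import-free.
function constantTimeEqual(a, b) {
  const x = new TextEncoder().encode(a);
  const y = new TextEncoder().encode(b);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ (y[i % y.length] ?? 0);
  return diff === 0;
}

// headers: lower-cased header map, as Node's http module exposes req.headers.
function authorizeUpgrade(headers, expectedToken) {
  const origin = headers["origin"];
  // Browsers always send Origin on a WebSocket handshake; if present it must be local.
  if (origin !== undefined && !isLocalOrigin(origin)) {
    return { ok: false, status: 403, reason: "origin not allowed" };
  }
  // The token is required on every connection, with or without an Origin.
  const m = /^Bearer (.+)$/.exec(headers["authorization"] || "");
  if (!m || !expectedToken || !constantTimeEqual(m[1], expectedToken)) {
    return { ok: false, status: 401, reason: "missing or invalid token" };
  }
  return { ok: true, status: 101, reason: "upgrade permitted" };
}

// Constructed handshakes (not captured traffic).
const TOKEN = "example-token-not-a-secret";
const samples = [
  { origin: "https://malicious.example" },
  { origin: "http://localhost.evil.example:8765", authorization: `Bearer ${TOKEN}` },
  { origin: "http://localhost:8765" },
  { origin: "http://localhost:8765", authorization: `Bearer ${TOKEN}` },
];
for (const h of samples) console.log(h.origin, "->", authorizeUpgrade(h, TOKEN).reason);
```

Only the last sample is allowed through: the first two fail the Origin check even when a valid token is attached, and the third has a local Origin but no token.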

Steps for users:

  1. Update Immediately – Download and install the latest OpenClaw release from the official website.
  2. Verify Patch Installation – Check the version number in the gateway UI; it should be ≥ 2.4.1 (the patch version).
  3. Review Network Policies – Ensure firewall rules block inbound connections to the OpenClaw port from external interfaces.
  4. Audit Logs – Look for any unexpected WebSocket handshake attempts in the gateway logs from the period before the patch.

Recommendations for Administrators

  • Enable TLS for the gateway to encrypt all traffic, even on localhost, reducing the risk of man‑in‑the‑middle attacks.
  • Restrict Browser Access – Use Content Security Policy (CSP) headers to limit which domains can embed OpenClaw resources.
  • Regularly Patch – Adopt a routine update cadence for OpenClaw and its dependencies.
  • Conduct Pen‑Testing – Simulate WebSocket‑based attacks to validate that the new controls are effective.

Conclusion

The ClawJacked vulnerability highlighted a fundamental oversight in OpenClaw’s default security posture: trusting any local WebSocket connection without verification. By promptly releasing a patch that enforces origin checks and authentication, OpenClaw mitigated the immediate threat. However, the incident underscores the importance of secure defaults, especially for AI platforms that run locally and interact with web browsers. Organizations should apply the update without delay and adopt the recommended hardening measures to safeguard their AI agents against similar attacks.
