A single browser tab — no malware download, no phishing link, no suspicious attachment — was all it took to hand an attacker full control of a victim’s AI agent.
That is the core finding from security firm Oasis Security, which disclosed a high-severity vulnerability in OpenClaw, a self-hosted AI platform increasingly used to let AI agents autonomously send messages, execute commands, and manage tasks across multiple systems. The flaw, named “ClawJacked,” allowed any malicious website to silently brute-force its way into a locally running OpenClaw instance and seize administrative control without the user ever knowing something was wrong.
The vulnerability traces back to how OpenClaw’s gateway service operates by default. The service binds to localhost and exposes a WebSocket interface — a common architectural choice, but a dangerous one here. Browser cross-origin policies, the standard mechanism that prevents websites from making unauthorized requests to other domains, do not apply to WebSocket connections targeting localhost. That gap meant any website a user visited could instruct their browser’s JavaScript engine to quietly open a connection to the local OpenClaw gateway and begin attempting authentication.
Normally, rate limiting would blunt this kind of attack. OpenClaw does implement it — but with a critical exception. The loopback address, 127.0.0.1, is exempt by default to avoid locking out legitimate local CLI sessions. That same exemption gave attackers an unrestricted runway. Oasis researchers found they could attempt hundreds of password guesses per second from browser JavaScript alone, with no throttling and no logging of failed attempts.
The math is brutal. At that speed, a list of common passwords is exhausted in under a second. A large dictionary falls in minutes. As Oasis put it directly: “A human-chosen password doesn’t stand a chance.”
Once the correct password is found, the attack enters its second, more dangerous phase. OpenClaw’s gateway automatically approves device pairings originating from localhost without requiring any user confirmation. That means an attacker who cracks the password can silently register as a trusted device and gain full administrative access. From there, the platform itself becomes the weapon. With admin permissions and a direct line into the AI agent, an attacker can dump credentials, read application logs, search messaging histories for sensitive information, exfiltrate files from connected devices, or execute arbitrary shell commands on paired nodes. The result is effectively complete workstation compromise — initiated from nothing more than a browser tab.
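The two gateway gaps described above (browser WebSocket upgrades to localhost accepted regardless of origin, and a loopback exemption from failed-login rate limiting) can be illustrated from the defender's side. The following is an added example, not OpenClaw's code: a hypothetical handshake policy that refuses upgrades whose `Origin` header is not explicitly allowlisted and counts failed authentication attempts per peer with no loopback exemption, logging each failure. `ALLOWED_ORIGINS`, `MAX_FAILURES` and `WINDOW_SECONDS` are assumed values.

```python
"""Hypothetical gateway-side checks (not OpenClaw's own code)."""
import time
from collections import deque

# Assumed policy values, constructed for this example.
ALLOWED_ORIGINS = {"http://localhost:8080"}  # the gateway's own UI only
MAX_FAILURES = 5            # failed logins allowed per peer per window
WINDOW_SECONDS = 60.0       # sliding-window length


def origin_allowed(headers: dict) -> bool:
    """Browsers always send Origin on a WebSocket upgrade (RFC 6455), so a
    page on another site identifies itself here and is refused unless
    allowlisted. A missing Origin (non-browser CLI client) is let through;
    this check addresses the browser-as-proxy scenario, not local malware."""
    origin = headers.get("Origin")
    return origin is None or origin in ALLOWED_ORIGINS


class FailureLimiter:
    """Sliding-window count of failed logins keyed by peer address.
    Deliberately no 127.0.0.1 exemption: browser JavaScript running on the
    victim's own machine reaches the gateway from loopback as well."""

    def __init__(self, now=time.monotonic):
        self._now = now
        self._failures: dict[str, deque] = {}
        self.log: list[str] = []  # every failure is recorded, not dropped

    def _recent(self, peer: str) -> deque:
        q = self._failures.setdefault(peer, deque())
        cutoff = self._now() - WINDOW_SECONDS
        while q and q[0] < cutoff:  # drop entries outside the window
            q.popleft()
        return q

    def allowed(self, peer: str) -> bool:
        return len(self._recent(peer)) < MAX_FAILURES

    def record_failure(self, peer: str) -> None:
        self._recent(peer).append(self._now())
        self.log.append(f"auth failure from {peer}")


def handle_auth(limiter: FailureLimiter, peer: str, headers: dict,
                password_ok: bool) -> str:
    """Outcome of one authentication attempt arriving over the WebSocket."""
    if not origin_allowed(headers):
        return "rejected: bad origin"
    if not limiter.allowed(peer):
        return "rejected: rate limited"
    if not password_ok:
        limiter.record_failure(peer)
        return "rejected: bad password"
    return "authenticated"
```

With a loopback peer that keeps guessing wrong, the sixth attempt is refused before the password is even compared, and each earlier failure appears in `limiter.log`.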
Oasis reported the vulnerability to OpenClaw along with technical details and proof-of-concept code. A fix landed within 24 hours of disclosure. Version 2026.2.26, released February 26, tightens WebSocket security checks and closes the loophole that allowed localhost connections to bypass rate limiting and session protections. Anyone running OpenClaw should treat this update as non-negotiable.
The ClawJacked disclosure arrives against a broader backdrop of scrutiny targeting the platform. Threat actors have separately been exploiting OpenClaw’s “ClawHub” skills repository — the platform’s equivalent of an app store — to distribute malicious skills that deploy infostealing malware or manipulate users into executing dangerous commands. OpenClaw’s rapid rise in popularity has made it a high-value target. The attack surface is expanding as fast as the user base.
Source: Original reporting