Full Report
OpenClaw has fixed a high-severity security issue that, if successfully exploited, could have allowed a malicious website to connect to a locally running artificial intelligence (AI) agent and take over control. "Our vulnerability lives in the core system itself – no plugins, no marketplace, no user-installed extensions – just the bare OpenClaw gateway, running exactly as documented," Oasis
Analysis Summary
# Vulnerability: ClawJacked – Cross-Origin WebSocket Hijacking in OpenClaw
## CVE Details
- **CVE ID**: Not explicitly listed in text (Referenced via Oasis Security and GHSA-g27f-9qjv-22pm for related log poisoning)
- **CVSS Score**: High (Estimated 8.1 - 8.8 based on description)
- **CWE**: CWE-1385 (Missing Origin Validation in WebSockets), CWE-307 (Improper Restriction of Excessive Authentication Attempts)
## Affected Systems
- **Products**: OpenClaw AI Gateway
- **Versions**: Core system versions prior to v2026.2.25
- **Configurations**: Default installations where the local WebSocket server is bound to localhost (even if password-protected).
## Vulnerability Description
The "ClawJacked" flaw arises from a failure in the OpenClaw gateway to validate the `Origin` header of incoming WebSocket connections. Because browsers allow JavaScript on any website to initiate WebSocket connections to `localhost` without traditional Cross-Origin Resource Sharing (CORS) restrictions, a malicious site can "call home" to the user's local AI agent.
The vulnerability is compounded by two core system flaws:
1. **Lack of Rate Limiting**: Allows a malicious script to brute-force the gateway password.
2. **Implicit Local Trust**: The gateway automatically approves new device registrations (attaching them as "trusted") if the request originates from `localhost`, bypassing the manual pairing prompts required for remote connections.
## Exploitation
- **Status**: PoC available (Reported by Oasis Security)
- **Complexity**: Low (Requires social engineering to bait a user to a website)
- **Attack Vector**: Network (Remote web-based attack targeting local services)
## Impact
- **Confidentiality**: High (Attacker can read application logs, dump config data, and interact with the agent)
- **Integrity**: High (Attacker can register as a trusted device and issue commands/modify nodes)
- **Availability**: Medium (Potential to disrupt agent operations or reconfigure services)
## Remediation
### Patches
- **v2026.2.25**: Released February 26, 2026. This version addresses the ClawJacked hijacking flaw.
- **v2026.2.13**: Released February 14, 2026 (Addresses the related log poisoning/indirect prompt injection flaw).
### Workarounds
- Ensure the OpenClaw gateway is not left running when browsing untrusted websites.
- Use browser extensions that block cross-origin private network requests.
## Detection
- **Indicators of Compromise**:
- Unexpected "trusted devices" appearing in the OpenClaw gateway configuration.
- Large volumes of failed authentication attempts in local logs (indicating brute-force).
- **Detection methods**: Audit OpenClaw access logs and periodically review the list of connected nodes/authorized identities.
## References
- **Vendor Advisory**: hxxps://github[.]com/openclaw/openclaw/releases/tag/v2026.2.25
- **Security Research**: hxxps://www[.]oasis[.]security/blog/openclaw-vulnerability
- **OpenClaw Security Advisory**: hxxps://github[.]com/openclaw/openclaw/security/advisories/GHSA-g27f-9qjv-22pm