ClawJacked Security Flaw Allows Malicious Sites to Hijack Local OpenClaw AI Agents via WebSocket


OpenClaw Security Vulnerabilities: What You Need to Know

OpenClaw recently addressed a critical security vulnerability that, if exploited, could have permitted a malicious website to gain unauthorized access to a locally running AI agent. This issue, identified by Oasis Security and dubbed “ClawJacked,” highlighted significant concerns regarding the core functionality of the OpenClaw system.

Understanding the Vulnerability

The vulnerability exists within the core framework of OpenClaw itself; no third-party plugins or extensions were involved. According to Oasis Security, the flaw resides in the OpenClaw gateway, a local WebSocket server that is typically bound to localhost and secured with a password. The attack is triggered when a user is lured, through social engineering or other manipulation, into visiting an attacker-controlled site.

How the Attack Works

The attack unfolds in a series of steps that show how little user interaction it needs:

  1. Malicious JavaScript Activation: The attack begins when harmful JavaScript on a visiting web page opens a WebSocket connection to the local OpenClaw gateway port.

  2. Brute-Force Password Access: The script then exploits a lack of rate-limiting to attempt to brute-force the gateway’s password.

  3. Unauthorized Device Registration: Once authenticated, the script auto-registers itself as a trusted device, a process that the OpenClaw gateway accepts without user intervention.

  4. Full Control: This sequence grants the attacker comprehensive control over the AI agent, enabling them to access configuration data, enumerate connected nodes, and read application logs.

As Oasis Security noted, browsers do not block such cross-origin connections, allowing JavaScript from the visited site to connect to localhost without the user being aware.
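The attack chain above relies on three gateway weaknesses: no check on which browser origin opened the WebSocket, no throttling of password attempts, and device registration that is trusted automatically. The following Python module is an added example written for this article, not OpenClaw's own code, showing how a local WebSocket gateway can close all three gaps. The allowlisted origin, the lockout thresholds, the `DeviceRegistry` and the function names are all assumptions made for illustration.

```python
import hmac
import time
from collections import defaultdict

# Browser origins permitted to open a WebSocket to the gateway.
# Constructed for this example; a real deployment configures its own list.
ALLOWED_ORIGINS = {"http://localhost:3000"}

# Lockout policy (assumed values, not OpenClaw's).
MAX_FAILURES = 5
LOCKOUT_SECONDS = 300


def origin_allowed(headers, allowed_origins=ALLOWED_ORIGINS):
    """Decide whether a WebSocket handshake may proceed based on its Origin.

    Browsers always attach an Origin header to a WebSocket handshake but do
    not apply the same-origin policy to it, so the server has to enforce the
    allowlist itself. A handshake with no Origin header comes from a
    non-browser client and is passed on to password authentication.
    """
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)
    if origin is None:
        return True
    return origin in allowed_origins


class AuthThrottle:
    """Per-client failed-attempt counter with a sliding lockout window."""

    def __init__(self, max_failures=MAX_FAILURES, lockout_seconds=LOCKOUT_SECONDS):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(list)  # client_id -> failure timestamps

    def _recent(self, client_id, now):
        cutoff = now - self.lockout_seconds
        self._failures[client_id] = [t for t in self._failures[client_id] if t > cutoff]
        return self._failures[client_id]

    def is_locked(self, client_id, now=None):
        now = time.time() if now is None else now
        return len(self._recent(client_id, now)) >= self.max_failures

    def record_failure(self, client_id, now=None):
        now = time.time() if now is None else now
        self._failures[client_id].append(now)

    def reset(self, client_id):
        self._failures.pop(client_id, None)


def authenticate(throttle, client_id, presented, expected, now=None):
    """Return 'ok', 'locked' or 'bad_password'; locked clients are never compared."""
    now = time.time() if now is None else now
    if throttle.is_locked(client_id, now):
        return "locked"
    # Constant-time comparison so timing does not leak password prefixes.
    if hmac.compare_digest(presented.encode(), expected.encode()):
        throttle.reset(client_id)
        return "ok"
    throttle.record_failure(client_id, now)
    return "bad_password"


def handle_handshake(headers, client_id, presented, expected, throttle, now=None):
    """Apply the checks in the order a gateway should: origin first, then password."""
    if not origin_allowed(headers):
        return "rejected_origin"
    return authenticate(throttle, client_id, presented, expected, now)


class DeviceRegistry:
    """Device registration that never auto-trusts.

    A newly seen device is held as 'pending' until an explicit approval,
    assumed here to be a separate user action, moves it to the trusted set.
    """

    def __init__(self):
        self.pending = {}
        self.trusted = set()

    def request(self, device_id, label):
        if device_id in self.trusted:
            return "trusted"
        self.pending[device_id] = label
        return "pending"

    def approve(self, device_id):
        if device_id not in self.pending:
            return False
        del self.pending[device_id]
        self.trusted.add(device_id)
        return True

    def is_trusted(self, device_id):
        return device_id in self.trusted
```

Rejecting the handshake on Origin alone stops a web page from ever reaching the password check, while the throttle limits the damage if a client bypasses the origin check some other way; holding registrations in a pending state means an authenticated session still cannot quietly promote itself to a trusted device.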

Immediate Response and Action Steps

OpenClaw responded swiftly to the situation, rolling out a fix within 24 hours via version 2026.2.25, released on February 26, 2026. Users are strongly encouraged to update to the latest version immediately. Additionally, they should periodically review permissions granted to AI agents and put in place governance measures to manage non-human identities effectively.

Broader Security Concerns

This vulnerability emerges amid a heightened focus on the security landscape surrounding OpenClaw, mainly due to the vital role AI agents play within enterprise systems. These agents often have extensive access privileges, increasing the risk profile significantly if they are compromised.

Research from Bitsight and NeuralTrust has indicated that OpenClaw instances exposed to the Internet represent an enlarged attack surface. Each integrated service can broaden potential vulnerabilities, with risk escalation occurring through techniques like embedding malicious prompt injections within email or Slack messages processed by AI agents.

Additional Vulnerabilities and Addressed Issues

In the same reporting period, OpenClaw also addressed a log poisoning vulnerability. This issue allowed attackers to inject malicious content into log files via WebSocket requests directed at publicly accessible instances. When AI agents read their logs for troubleshooting, they could inadvertently execute malicious commands embedded within those logs.

Recent research revealed that OpenClaw is becoming a breeding ground for various vulnerabilities, with serious issues (CVE-2026-25593, CVE-2026-24763, among others) ranging from remote code execution to command injection. OpenClaw’s updates have addressed these vulnerabilities through multiple releases.

As AI frameworks become commonplace in business environments, experts emphasize the need for evolving security assessments to account for both conventional weaknesses and those unique to AI technologies.

Malicious Activities on ClawHub

Additionally, reports indicate concerning trends on ClawHub, an open marketplace for OpenClaw skills. Malicious scripts are being used to deliver harmful payloads, including a macOS information stealer known as Atomic Stealer. Analysts have urged users to exercise caution, especially with skills that appear innocuous but can lead to harmful outcomes.

For instance, certain uploads designed to look benign had hidden functionalities that redirected cryptocurrency transactions to wallets controlled by malicious actors. Others aimed to manipulate AI agents into making unsolicited modifications or executing harmful commands, raising alarms about the integrity of the entire ecosystem.

Conclusion: Cautious Engagement Needed

Given the recent incidents and findings, it’s crucial for OpenClaw users to maintain vigilance. Regular audits of installed skills, avoiding unnecessary credential sharing, and closely monitoring skill performance are key steps users should adopt. As emphasized by Microsoft, employing OpenClaw within an unguarded environment poses significant risks, necessitating careful management to avoid exposure and compromise.

For organizations looking to assess OpenClaw, it is advisable to consider isolated environments strictly for testing while following strict security protocols to safeguard sensitive data. Continuous monitoring and preparedness are essential in maintaining security integrity.
