ClawJacked: When Your AI Assistant Becomes Someone Else's Weapon
Published: March 1, 2026
CVE: CVE-2026-25253 (CVSS 8.8)
Fixed: OpenClaw v2026.2.25 (February 26, 2026)
You're browsing documentation on a developer forum. Maybe reviewing a GitHub issue. Nothing unusual. Behind the scenes, JavaScript on that page opens a silent WebSocket connection to localhost. Within seconds, it brute-forces your OpenClaw gateway password, registers as a trusted device without prompting you, and gains full control over your AI agent.
That's ClawJacked. A high-severity vulnerability in OpenClaw that turned a routine web visit into complete AI agent compromise.
The Technical Reality
OpenClaw runs a local WebSocket server on your machine - the "gateway" that handles authentication and routing. The vulnerability exploited three design assumptions that sounded reasonable in isolation but became dangerous together:
1. Localhost connections are trusted
The gateway treated connections from 127.0.0.1 as inherently safer than remote connections. New device registrations from localhost were auto-approved without user confirmation. Under normal circumstances, only your local applications talk to localhost. But browsers don't apply the same-origin policy to WebSocket connections the way they do to cross-origin HTTP requests, so any website you visit can open a WebSocket to localhost.
2. Password brute-forcing had no rate limits
Authentication attempts weren't throttled. An attacker could hammer the gateway with password guesses as fast as the WebSocket connection allowed. For weak or default passwords, this took seconds.
3. Admin permissions were the default
Once authenticated, the connection immediately gained admin-level access to the agent. No privilege escalation required. Full control: read configuration, enumerate connected devices, dump logs, issue commands to integrated services.
Oasis Security researchers demonstrated the complete attack chain end to end: visit a malicious website, JavaScript executes silently, and your AI agent is under attacker control while you're still reading the page.
Why This Matters Beyond OpenClaw
The ClawJacked vulnerability isn't just an OpenClaw problem. It exposes a fundamental tension in AI agent architecture: these systems need powerful permissions to be useful, but those permissions become catastrophic when compromised.
OpenClaw agents integrate with Slack, Gmail, GitHub, calendar systems, file storage, and internal APIs. Each integration extends the blast radius. A compromised agent doesn't just leak data - it can send emails as you, modify documents, approve pull requests, schedule meetings, and execute arbitrary commands across your digital infrastructure.
Microsoft's Defender Security Research Team issued an advisory treating OpenClaw deployments as "untrusted code execution with persistent credentials." Their recommendation: isolated VMs, dedicated non-privileged accounts, continuous monitoring, and a rebuild plan. That's enterprise security posture for what many developers run casually on their laptops.
The trust model breaks down in multiple places:
Agent-to-service trust: Services like Slack and Gmail see authenticated API calls from your agent and assume they're legitimate. They have no way to distinguish between you instructing your agent and an attacker puppeting it.
Agent-to-agent trust: Platforms like Moltbook enable AI agents to interact with each other. BobVonNeumann, a malicious agent documented by Straiker AI, promoted cryptocurrency scam skills directly to other agents, exploiting the expectation that agents operate in good faith.
User-to-agent trust: When your agent suggests an action based on "research" or log analysis, you assume it's acting on your behalf. Prompt injection attacks and log poisoning can manipulate that reasoning invisibly.
The Broader Attack Surface
ClawJacked was discovered amid a concentrated security analysis of the OpenClaw ecosystem. In the past month alone, researchers disclosed:
- Log poisoning (fixed Feb 14): Attackers could inject malicious content into OpenClaw's logs via public WebSocket connections. When the agent read its own logs for troubleshooting, it interpreted the injected text as legitimate operational data, enabling indirect prompt injection.
- Six additional CVEs from Endor Labs: Server-side request forgery (SSRF), authentication bypass, command injection, path traversal, and remote code execution vulnerabilities across versions 2026.1.x through 2026.2.x.
- 341 malicious ClawHub skills: Trend Micro and Koi Security identified skills distributing Atomic Stealer, a macOS infostealer. The infection chain hides inside normal-looking SKILL.md files with "prerequisite installation" instructions that fetch payloads from attacker infrastructure.
- Agent-to-agent supply chain attacks: Threat actors create legitimate-looking skills (like "runware" for image generation) to build credibility, then distribute secondary malicious skills that steal cryptocurrency wallet keys and redirect funds.
Bitsight's research found over 21,000 publicly exposed OpenClaw instances within two weeks. Each one is a potential entry point. Each connected service multiplies the impact.
What Changed
OpenClaw fixed ClawJacked in less than 24 hours after responsible disclosure. Version 2026.2.25 implements:
- Rate limiting on authentication attempts
- User confirmation prompts for new device registrations, even from localhost
- Graduated privilege model instead of default admin access
- Stricter origin validation for WebSocket connections
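The three broken assumptions above and the four fixes in this list map onto a handful of gateway checks. The following is an added example, not OpenClaw's code: origin validation on the WebSocket upgrade, a sliding-window rate limit on password attempts, read-only default scopes, and device registrations held for user confirmation. The allowed origin, limits and scope names are assumptions.

```javascript
// Added example, not OpenClaw's code: the checks behind the v2026.2.25 fix list as
// pure functions for a gateway's WebSocket upgrade and auth handlers (names assumed).
const ALLOWED_ORIGINS = new Set(["http://localhost:18789"]); // assumed local UI origin
const MAX_ATTEMPTS = 5;                  // failed auths tolerated per client per window
const WINDOW_MS = 60_000;                // sliding lockout window
const DEFAULT_SCOPES = ["status:read"];  // least privilege until a human grants more
const failures = new Map();              // clientKey -> timestamps of recent failures
const pendingDevices = [];               // registrations awaiting an explicit user decision

// 1. Origin validation: browsers always send Origin on a WebSocket upgrade, so a page
//    on another site is refused even though it reaches 127.0.0.1. Non-browser
//    clients send no Origin and proceed to password auth.
function checkOrigin(headers) {
  const origin = headers.origin;
  if (origin === undefined) return { ok: true, reason: "non-browser client" };
  return ALLOWED_ORIGINS.has(origin)
    ? { ok: true, reason: "allow-listed origin" }
    : { ok: false, reason: `origin ${origin} not allow-listed` };
}

// 2. Rate limiting: failures are counted per client key (remote address plus origin)
//    in a sliding window; at the cap even a correct password is refused until it drains.
function authenticate(clientKey, password, expected, now = Date.now()) {
  const recent = (failures.get(clientKey) || []).filter(t => now - t < WINDOW_MS);
  failures.set(clientKey, recent);
  if (recent.length >= MAX_ATTEMPTS) {
    return { ok: false, reason: "locked out", retryAfterMs: WINDOW_MS - (now - recent[0]) };
  }
  if (!constantTimeEqual(password, expected)) {
    recent.push(now);
    return { ok: false, reason: "bad password", attemptsLeft: MAX_ATTEMPTS - recent.length };
  }
  // 3. Graduated privileges: a fresh session gets read-only scopes, never admin.
  return { ok: true, scopes: [...DEFAULT_SCOPES] };
}

// New devices queue for user confirmation whatever the remote address; no localhost auto-approval.
function registerDevice(deviceId, remoteAddress) {
  pendingDevices.push({ deviceId, remoteAddress, approved: false });
  return { status: "pending_user_confirmation", deviceId };
}

// Constant-time compare so guess timing leaks nothing beyond length (a real gateway
// would compare fixed-length password hashes instead).
function constantTimeEqual(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}
```

Note that the lockout applies per client key even when the password is finally right: a burst of wrong guesses followed by the correct one is exactly the ClawJacked pattern, so the window must drain first.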
The speed of the fix matters. But the vulnerability existing at all reflects how quickly AI agent frameworks outpaced security review. OpenClaw wasn't negligent - it followed standard localhost trust assumptions. Those assumptions just don't hold when JavaScript from any website can open local connections without browser-level protection.
The Security Debt of AI Agents
Agentic AI introduces non-human identities with privileged access across enterprise systems. Traditional security controls assume humans authenticate, make decisions, and can be held accountable. Agents operate continuously, make autonomous decisions, and lack accountability mechanisms.
Governance models haven't caught up. Most organizations don't have policies for:
- What permissions agents can request
- How agent actions are audited
- Who's responsible when an agent acts maliciously
- How to revoke agent credentials across integrated services
ClawJacked demonstrates what happens when that security debt compounds. A browser-based attack chain compromises localhost authentication, which grants admin permissions, which enables lateral movement across every integrated service.
The fix for this specific vulnerability is straightforward. The systemic problem is much harder. AI agents are designed for convenience and broad access. Security requires friction and least privilege. Balancing those forces while the technology evolves faster than security frameworks can adapt is the real challenge.
OpenClaw users should update immediately. But the lesson extends beyond one platform. Any system that combines persistent credentials, integrated service access, and autonomous decision-making under AI control needs to be treated as high-risk infrastructure, not development tooling.
Indicators:
- CVE-2026-25253 (ClawJacked - WebSocket brute-force & device registration bypass)
- CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, CVE-2026-26329 (RCE, SSRF, auth bypass, path traversal)
- Atomic Stealer distribution via malicious ClawHub skills
- Attacker infrastructure: 91.92.242[.]30, openclawcli.vercel[.]app
Remediation:
- Update to OpenClaw v2026.2.25 or later
- Audit currently installed skills (especially from ClawHub)
- Review agent permissions across integrated services
- Enable logging and monitor for anomalous agent behavior
- Run agents in isolated environments (VMs or dedicated systems) if handling sensitive data
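The "monitor for anomalous agent behavior" step can be made concrete against gateway logs. The following is an added example, not OpenClaw's code or log format: it scans constructed log lines for the ClawJacked chain (a non-local browser origin, a burst of failed authentications, then an auto-approved device registration from the same client). The event names, field layout and trusted UI origin are assumptions.

```javascript
// Added example, not OpenClaw's code: detection over constructed gateway log lines for
// the ClawJacked pattern, a burst of failed auths from a browser origin followed by an
// auto-approved device registration. Log format, event names and origin are assumed.
const LOG = `
2026-02-20T10:15:01.100Z ws_open remote=127.0.0.1 origin=http://localhost:18789
2026-02-20T10:15:01.200Z auth_ok remote=127.0.0.1 origin=http://localhost:18789
2026-02-20T10:16:40.000Z ws_open remote=127.0.0.1 origin=https://forum.example
2026-02-20T10:16:40.050Z auth_failed remote=127.0.0.1 origin=https://forum.example
2026-02-20T10:16:40.080Z auth_failed remote=127.0.0.1 origin=https://forum.example
2026-02-20T10:16:40.110Z auth_failed remote=127.0.0.1 origin=https://forum.example
2026-02-20T10:16:40.170Z auth_ok remote=127.0.0.1 origin=https://forum.example
2026-02-20T10:16:40.300Z device_registered remote=127.0.0.1 origin=https://forum.example approved=auto
`.trim();
const FAIL_THRESHOLD = 3;   // failed auths from one client...
const WINDOW_MS = 10_000;   // ...within this window count as a burst
const LOCAL_ORIGINS = new Set(["http://localhost:18789"]); // assumed trusted local UI origin

// Parse "<iso-ts> <event> k=v k=v ..." into an object; null for lines that don't fit.
function parseLine(line) {
  const [ts, event, ...kv] = line.trim().split(/\s+/);
  if (!ts || !event) return null;
  return { t: Date.parse(ts), event, ...Object.fromEntries(kv.map(p => p.split("="))) };
}

function analyze(text) {
  const findings = [];
  const fails = new Map();   // clientKey -> timestamps of recent auth_failed
  const bursts = new Set();  // client keys already flagged for a burst
  for (const e of text.split("\n").map(parseLine).filter(Boolean)) {
    const key = `${e.remote}|${e.origin}`;
    // A browser origin other than the local UI reaching the gateway is notable on its own.
    if (e.event === "ws_open" && e.origin && !LOCAL_ORIGINS.has(e.origin)) {
      findings.push({ type: "foreign_origin", origin: e.origin });
    }
    if (e.event === "auth_failed") {
      const recent = (fails.get(key) || []).filter(t => e.t - t < WINDOW_MS);
      recent.push(e.t);
      fails.set(key, recent);
      if (recent.length >= FAIL_THRESHOLD && !bursts.has(key)) {
        bursts.add(key);
        findings.push({ type: "auth_burst", origin: e.origin, count: recent.length });
      }
    }
    // An auto-approved registration from a client that just burst is the full chain.
    if (e.event === "device_registered" && e.approved === "auto" && bursts.has(key)) {
      findings.push({ type: "post_burst_registration", origin: e.origin, at: e.t });
    }
  }
  return findings;
}
```

On a patched gateway the third finding should never appear, since registrations are no longer auto-approved; the first two remain useful as evidence that a page in the browser is probing the gateway.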
Sources:
- Oasis Security: ClawJacked disclosure
- Microsoft Defender Security Research: AI agent security advisory
- Endor Labs: Six OpenClaw CVE analysis
- Trend Micro: Atomic Stealer via ClawHub skills
- Straiker AI: Agent-to-agent supply chain attacks
- Eye Security: Log poisoning vulnerability