ClawJacked Attack Exploits OpenClaw AI Agent to Enable Local Takeover and Data Theft

By Azhar Khan

A high-severity vulnerability dubbed “ClawJacked” was discovered in the OpenClaw AI agent platform, allowing malicious websites to hijack locally running instances of the tool. The flaw enabled attackers to silently brute-force a local gateway interface and gain unauthorized control over the AI agent, potentially leading to data exfiltration and system manipulation.

Overview of the Vulnerability

OpenClaw operates as a locally deployed AI agent platform that communicates through a gateway service, often exposed on localhost for browser-based interactions. Researchers found that the gateway lacked sufficient protections against cross-origin abuse and brute-force attempts initiated from malicious web pages.

The attack, named ClawJacked, exploited weaknesses in WebSocket authentication and insufficient rate limiting, allowing a remote website to:

  • Silently probe localhost services from a victim’s browser
  • Brute-force authentication tokens
  • Establish unauthorized WebSocket connections
  • Send commands to the local AI agent
  • Extract or manipulate sensitive data processed by the agent

How the Attack Works

The attack leverages a well-known browser behavior: while websites cannot directly read arbitrary local files, they can initiate network requests to services listening on 127.0.0.1 or localhost. WebSocket upgrade requests in particular are not gated by a CORS preflight; the browser simply attaches an Origin header, so the only line of defense is the service validating that header and its own authentication. If those services lack robust origin validation and authentication controls, they can be abused.

In this case:

  1. A victim visits a malicious website.
  2. The website’s JavaScript attempts connections to local ports commonly used by OpenClaw.
  3. Through repeated attempts, the script brute-forces weak or predictable authentication mechanisms.
  4. Once authenticated, the attacker gains command execution capabilities over the AI agent.

This technique effectively turns a browser into a proxy for attacking local services, bypassing traditional perimeter defenses.

Security Impact

If successfully exploited, ClawJacked could allow attackers to:

  • Steal sensitive data processed by the AI agent
  • Access cached credentials or API keys
  • Manipulate prompts or responses
  • Trigger automated workflows under the victim’s privileges
  • Pivot to additional local services

The risk is particularly significant in enterprise environments where AI agents integrate with SaaS platforms, internal documentation systems, development repositories, or privileged APIs.

Root Cause

The vulnerability stemmed from multiple security weaknesses:

  • Insufficient WebSocket origin validation
  • Lack of strict authentication enforcement
  • Missing brute-force protections
  • Inadequate localhost abuse prevention mechanisms

This highlights a broader security challenge for locally deployed AI tools: balancing ease of integration with secure communication boundaries.

Patch and Mitigation

Oasis Security responsibly disclosed the issue to OpenClaw, and the vendor released a patch in version 2026.2.26. The update includes:

  • Stricter WebSocket origin checks
  • Improved authentication validation
  • Protections against localhost brute-force attempts
  • Enhanced rate limiting

Users are strongly advised to upgrade immediately to mitigate exploitation risks.

Broader Implications for AI Security

The ClawJacked vulnerability underscores a growing attack surface introduced by local AI agents. As AI-powered tools increasingly run background services and expose local gateways for automation, they become attractive targets for browser-based exploitation techniques.

Organizations deploying AI agents should implement additional safeguards such as:

  • Restricting localhost service exposure
  • Enforcing strong authentication and token entropy
  • Applying network-level filtering
  • Monitoring unusual local service access attempts
  • Regularly updating AI software components
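The "monitoring unusual local service access attempts" point above is concrete once the gateway logs each upgrade decision. Below is an added example, not tooling from OpenClaw or Oasis Security, of a small detector that reads such log lines and raises two kinds of alert: any upgrade carrying a browser Origin outside the allowlist, and a burst of failed handshakes from one origin inside a sliding window. The log format, the allowlist and the sample lines are constructed for this example.

```javascript
// Added example, not the project's own tooling. Detects browser-based probing
// of a localhost gateway from constructed handshake log lines of the form:
//   <ISO timestamp> ws_upgrade peer=<addr> origin=<origin> result=<ok|bad_origin|bad_token|locked_out>
const ALLOWED = new Set(["http://127.0.0.1:18789"]); // assumed allowlist

const LINE_RE = /^(\S+) ws_upgrade peer=(\S+) origin=(\S*) result=(\S+)$/;

// Parse one line; returns null for lines that do not match the format.
function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  const ts = Date.parse(m[1]);
  if (Number.isNaN(ts)) return null;
  return { ts, peer: m[2], origin: m[3] || "(none)", result: m[4] };
}

// Walk the lines in order and emit alerts. Each origin is flagged at most once
// per alert type so a noisy attacker does not flood the analyst.
function detectProbing(lines, { threshold = 5, windowMs = 10000, allowed = ALLOWED } = {}) {
  const alerts = [];
  const recentFailures = new Map(); // origin -> timestamps of failures in window
  const flaggedUnknown = new Set();
  const flaggedBurst = new Set();

  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev) continue;

    // A foreign Origin on a localhost upgrade is a signal on its own: the
    // legitimate local UI never presents one. Non-browser clients send no Origin.
    if (ev.origin !== "(none)" && !allowed.has(ev.origin) && !flaggedUnknown.has(ev.origin)) {
      flaggedUnknown.add(ev.origin);
      alerts.push({ type: "unknown_origin", origin: ev.origin, peer: ev.peer, at: ev.ts });
    }

    if (ev.result === "ok") continue;

    // Sliding window of failed handshakes per origin.
    const times = recentFailures.get(ev.origin) || [];
    times.push(ev.ts);
    while (times.length && ev.ts - times[0] > windowMs) times.shift();
    recentFailures.set(ev.origin, times);

    if (times.length >= threshold && !flaggedBurst.has(ev.origin)) {
      flaggedBurst.add(ev.origin);
      alerts.push({ type: "auth_burst", origin: ev.origin, count: times.length, windowMs, at: ev.ts });
    }
  }
  return alerts;
}

// Constructed sample log: one good connection from the UI, a rapid series of
// rejected upgrades from a foreign page, a lone mistyped token from the UI
// (not an alert), and a malformed line the parser skips.
const SAMPLE_LOG = [
  "2026-03-01T10:00:00Z ws_upgrade peer=127.0.0.1 origin=http://127.0.0.1:18789 result=ok",
  "2026-03-01T10:00:05Z ws_upgrade peer=127.0.0.1 origin=https://evil.example result=bad_origin",
  "2026-03-01T10:00:06Z ws_upgrade peer=127.0.0.1 origin=https://evil.example result=bad_origin",
  "2026-03-01T10:00:07Z ws_upgrade peer=127.0.0.1 origin=https://evil.example result=bad_origin",
  "2026-03-01T10:00:08Z ws_upgrade peer=127.0.0.1 origin=https://evil.example result=locked_out",
  "2026-03-01T10:00:20Z ws_upgrade peer=127.0.0.1 origin=http://127.0.0.1:18789 result=bad_token",
  "this line is not a handshake record",
];

function demo() {
  return detectProbing(SAMPLE_LOG, { threshold: 3, windowMs: 10000 });
}
```

Run against the sample, `demo()` returns two alerts: an `unknown_origin` alert the moment `https://evil.example` first appears, and an `auth_burst` alert when its third failure lands inside the ten-second window. The single `bad_token` from the allowlisted UI produces nothing, which is the intended separation between a user mistyping a token and a page guessing one.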

Conclusion

The ClawJacked flaw demonstrates how even locally running AI tools can be compromised through indirect web-based attack vectors. By tightening WebSocket validation and blocking brute-force abuse, OpenClaw has addressed the immediate vulnerability. However, the incident serves as a warning that AI infrastructure—especially tools bridging browsers and local services—must adopt rigorous security design principles to prevent silent takeovers and data theft.

Azhar Khan
Azhar is a seasoned Cybersecurity Professional with over 8 years of experience in Cybersecurity Research.