Security Research Finds OpenClaw AI Agent “Trivially Vulnerable” to Hijacking

New research from security firm Oasis warns that popular AI agent OpenClaw is highly vulnerable to a website-based hijacking attack, allowing an attacker to take full control of a developer’s agent with no user interaction whatsoever.

The vulnerability (referred to as “ClawJacked”) was ethically disclosed to the developers prior to publication, but OpenClaw users will need to update to version 2026.2.25 or later to ensure it is safely patched out. The flaw in prior versions exploits the fact that trusted WebSocket connections to localhost do not rate-limit password attempts, allowing a malicious actor to potentially “brute force” their way into the OpenClaw gateway port.

AI agent potentially vulnerable to any malicious website it visits

OpenClaw has been a runaway success over roughly the past month, at least in terms of initial adoption numbers. It is now the default AI agent for hundreds of thousands of users worldwide, and was swiftly snapped up by OpenAI. Many of these users give it permission to autonomously access sensitive functions on their devices as it acts as a personal assistant for all manner of both workplace and daily life tasks.

But one of its key features, the ability to browse websites and run internet searches on its own as it carries out its tasks, has also been exposing it to threat actors. The Oasis researchers document a vulnerability chain that can be initiated from any website the AI agent (or its user) visits, with no user interaction and no indication to the user that a compromise is taking place.

The attack targets the OpenClaw “gateway,” which essentially acts as the AI agent’s nerve center. The gateway is a local WebSocket server that treats the devices and apps it is authorized to exchange commands with as nodes. It is bound to localhost by default, with the implicit assumption that anything connecting locally can be trusted.

This trust is what the attack exploits. Hidden JavaScript on a malicious website the AI agent visits can quietly open a WebSocket connection to localhost on the OpenClaw gateway port; WebSocket connections are not blocked by the browser’s same-origin policy, so nothing challenges the cross-origin request. The script is then free to make as many password guesses as it likes, with no rate or failure limits. Once the gateway is cracked, the script can silently register itself as one of the “trusted device” nodes in the network. From there the attacker can interact directly with the AI agent and issue it commands, as well as dump the gateway configuration and enumerate all connected nodes. In their testing the researchers found that, from browser JavaScript alone, they could execute hundreds of password guesses per second and exhaust dictionary files in a matter of minutes, so a typical human-chosen password would very likely be cracked in a short time.

In addition to ensuring OpenClaw is updated to the latest version ASAP, the security researchers recommend that organizations improve visibility into AI tooling by indexing all agents and assistants running. The full spectrum of OpenClaw access should also be reviewed, and governance policies specific to non-human entities should be considered.

Diana Kelley, Chief Information Security Officer at Noma Security, adds some further recommendations: “This research from Oasis Security’s research team is an important reminder that AI agents running on developer machines must be treated as highly privileged systems. The core issue was misplaced trust in local connections. “Local” does not automatically mean “safe.” As AI tools gain access to code, credentials, and automation workflows, security controls must be just as strong as those used for internet-facing systems. Organizations should review how their AI tools authenticate access, enforce rate limits, and require explicit user approval before granting control.”

“Shadow IT” graduating to even more concerning “shadow AI”

“Shadow IT,” or the ad hoc use of unapproved software and devices by employees, has plagued cybersecurity teams for years now. This problem is now mutating into “shadow AI,” something that creates an even bigger and more worrying range of threats.

OpenClaw is just one of the more popular and widely used examples, and this particular vulnerability is just one of many. It is one of eight CVEs documented since the start of the year, each ranked at least moderate severity and each allowing remote code execution, path traversal or authentication bypass. These collectively date back to OpenClaw 2026.1.20, released on January 20, and the several updates since have essentially been a string of security patches to address these issues.

The AI agent has also attracted more proactive malicious actors who are not waiting around for vulnerabilities to surface. A study conducted in February found over 1,000 malicious skills already uploaded to the centralized repository ClawHub, most disguised as some sort of legitimate tool. Many people are also simply opening their own doors to attackers: a recent study from Bitsight found over 30,000 instances exposed to the public internet with just a quick Shodan search, likely driven by a combination of naivety about the security risks and insufficient technical knowledge for something given this much access to personal accounts.

Mark McClain, Chief Executive Officer at SailPoint, notes that this is merely the beginning of what is sure to be a security trend with AI agents for years to come: “This incident should be a wake-up call for organizations to rethink their approach to identity security. As AI agents become more integrated into our systems, we need to treat them as first-class citizens in our security frameworks. This means applying the same rigor to agent identities as we do to human ones, with discovery, governance, access control, and continuous monitoring. The OpenClaw incident is not an isolated case, it’s a preview of what’s to come. Organizations must act now to close the gaps in their security posture before these vulnerabilities lead to widespread damage.”