How can OpenClaw users protect themselves from ClawJacked?

Users should immediately update to OpenClaw version 2026.2.25 or later, audit installed skills for malicious content, and avoid exposing agent runtimes to the public internet.

What are the broader implications of the ClawJacked incident?

The incident highlights the need for robust security measures in AI agent ecosystems, including regular updates, thorough vetting of third-party integrations, and heightened awareness of potential attack vectors.

ClawJacked: Critical Vulnerability in OpenClaw AI Agent Exposes Systems to Hijacking

Q: What is the ClawJacked vulnerability?

ClawJacked is a critical flaw in OpenClaw that allowed malicious websites to exploit its WebSocket interface, enabling unauthorized access and control over AI agents.

Discover how the ClawJacked flaw in OpenClaw allowed malicious websites to hijack AI agents via WebSocket, leading to potential data breaches, and learn about the steps taken to mitigate this critical vulnerability.

Published: March 1, 2026

Share this on:

Executive Summary

In February 2026, a critical vulnerability known as 'ClawJacked' was discovered in OpenClaw, a widely-used open-source AI agent. This flaw allowed malicious websites to exploit OpenClaw's WebSocket interface, enabling unauthorized access to locally running instances. Attackers could silently brute-force the gateway password, register as trusted devices, and gain full control over the AI agent, leading to potential data exfiltration and system compromise. OpenClaw promptly addressed the issue by releasing a patch in version 2026.2.25. (thehackernews.com)

The ClawJacked incident underscores the growing security challenges associated with autonomous AI agents. As these agents become more integrated into critical workflows, vulnerabilities like this highlight the urgent need for robust security measures, including regular updates, thorough vetting of third-party integrations, and heightened awareness of potential attack vectors. (prnewswire.com)

Why This Matters Now

The ClawJacked vulnerability highlights the pressing need for enhanced security protocols in AI agent ecosystems. As these agents gain widespread adoption, ensuring their integrity is crucial to prevent unauthorized access and potential data breaches.

Attack Path Analysis

An attacker exploited the ClawJacked vulnerability in OpenClaw by enticing a user to visit a malicious website, which initiated a brute-force attack on the local OpenClaw instance. Upon successful authentication, the attacker escalated privileges by registering as a trusted device without user confirmation. With administrative access, the attacker moved laterally within the system, accessing connected nodes and sensitive data. They established command and control by interacting directly with the AI platform to execute commands and exfiltrate data. The attacker exfiltrated sensitive information, including credentials and messaging histories, leading to potential data breaches and system compromise.

Kill Chain Progression

Initial Compromise

High

Privilege Escalation

High

Lateral Movement

Mediuminferred

Command & Control

Mediuminferred

Exfiltration

High

Impact

Mediuminferred

Initial Compromise

Description

An attacker exploited the ClawJacked vulnerability by enticing a user to visit a malicious website, which initiated a brute-force attack on the local OpenClaw instance.

Confidence:

High

Related CVEs

Included CVEs with severity scores, affected products, exploit status, and reference links.

CVE-2026-25253
CVSS 8.8
A critical vulnerability in OpenClaw versions before 2026.1.29 allows remote code execution (RCE) when the bot processes attacker-controlled web content, enabling authentication token exfiltration via crafted URLs.
Affected Products:
OpenClaw OpenClaw – < 2026.1.29
Exploit Status:
proof of concept
References:
https://openclaw-ai.net/en/security https://hivepro.com/threat-advisory/one-click-to-compromise-inside-openclaws-critical-rce-flaw/
CVE-2026-27485
CVSS 4.4
An information disclosure vulnerability in OpenClaw versions 2026.2.17 and below allows symlink-based file exposure during skill packaging, potentially leading to unintentional disclosure of local files.
Affected Products:
OpenClaw OpenClaw – <= 2026.2.17
Exploit Status:
no public exploit
References:
https://www.sentinelone.com/vulnerability-database/cve-2026-27485/

MITRE ATT&CK® Techniques

Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.

Credential Access

T1110

Brute Force

Command and Control

T1071.001

Web Protocols

Initial Access

T1190

Exploit Public-Facing Application

Persistence

T1078

Valid Accounts

Defense Evasion

T1550

Use Alternate Authentication Material

Potential Compliance Exposure

Mapping incident impact across multiple compliance frameworks.

PCI DSS 4.0 – Multi-Factor Authentication

Control ID: 8.3.6

The absence of multi-factor authentication allowed attackers to gain unauthorized access through brute-force attacks, violating the requirement to implement multi-factor authentication for all access into the cardholder data environment.

NYDFS 23 NYCRR 500 – Access Privileges

Control ID: 500.07

Inadequate access controls permitted unauthorized access to sensitive systems, contravening the requirement to limit user access privileges to information systems that provide access to nonpublic information.

DORA – ICT Risk Management Framework

Control ID: Article 6

The exploitation of the WebSocket interface indicates deficiencies in the ICT risk management framework, failing to ensure the security and resilience of network and information systems.

CISA ZTMM 2.0 – Identity and Access Management

Control ID: 3.1

The attack exploited weak authentication mechanisms, highlighting a failure to implement robust identity and access management controls as prescribed by the Zero Trust Maturity Model.

NIS2 Directive – Cybersecurity Risk Management Measures

Control ID: Article 21

The incident reveals inadequate cybersecurity risk management measures, violating the directive's requirement for entities to take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems.

Sector Implications

Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.

Computer Software/Engineering

OpenClaw AI platform vulnerability enables localhost WebSocket hijacking, credential theft, and arbitrary command execution, threatening software development environments and autonomous AI systems.

Information Technology/IT

ClawJacked attack exploits self-hosted AI agent platforms through browser-based brute force attacks, compromising IT infrastructure management and zero trust network segmentation controls.

Computer/Network Security

Application vulnerability in popular AI platforms demonstrates need for enhanced egress security, anomaly detection, and inline intrusion prevention to protect against localhost exploitation.

Financial Services

AI agent compromise enables exfiltration of sensitive financial data through messaging histories and connected devices, violating PCI compliance and encrypted traffic protection requirements.

Sources

ClawJacked attack let malicious websites hijack OpenClaw to steal datahttps://www.bleepingcomputer.com/news/security/clawjacked-attack-let-malicious-websites-hijack-openclaw-to-steal-data/
Verified

Oasis Security Research Team Discovers Critical Vulnerability in OpenClawhttps://www.prnewswire.com/news-releases/oasis-security-research-team-discovers-critical-vulnerability-in-openclaw-302698939.html

Verified

OpenClaw - Private Local AI Assistant | Free & Open Sourcehttps://openclaw-ai.net/en/security

Verified

Frequently Asked Questions

ClawJacked is a critical flaw in OpenClaw that allowed malicious websites to exploit its WebSocket interface, enabling unauthorized access and control over AI agents.

Cloud Native Security Fabric Mitigations and ControlsCNSF

Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to exploit vulnerabilities, escalate privileges, and move laterally within the system, thereby reducing the potential blast radius.

Initial Compromise

Control: Cloud Native Security Fabric (CNSF)

Mitigation: The attacker's ability to exploit the ClawJacked vulnerability may have been constrained, reducing the likelihood of successful initial compromise.

Privilege Escalation

Control: Zero Trust Segmentation

Mitigation: The attacker's ability to escalate privileges by registering as a trusted device without user confirmation could have been constrained, reducing unauthorized access.

Lateral Movement

Control: East-West Traffic Security

Mitigation: The attacker's lateral movement within the system could have been constrained, reducing access to connected nodes and sensitive data.

Command & Control

Control: Multicloud Visibility & Control

Mitigation: The attacker's ability to establish command and control by interacting with the AI platform could have been constrained, reducing unauthorized command execution and data exfiltration.

Exfiltration

Control: Egress Security & Policy Enforcement

Mitigation: The attacker's ability to exfiltrate sensitive information could have been constrained, reducing the risk of data breaches.

Impact (Mitigations)

The overall impact of the attack could have been constrained, reducing the extent of system compromise and data breaches.

Impact at a Glance

Affected Business Functions

AI Agent Operations
Data Management
System Administration

Operational Disruption

Estimated downtime: 3 days

Financial Impact

Estimated loss: $50,000

Data Exposure

Potential exposure of authentication tokens, API keys, and sensitive user data managed by OpenClaw agents.

Recommended Actions

• Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement.
• Deploy Inline IPS (Suricata) to detect and block brute-force attacks and known exploit patterns.
• Utilize Threat Detection & Anomaly Response systems to identify and respond to unusual authentication attempts and system behaviors.
• Enforce Multi-Factor Authentication (MFA) for all administrative access to prevent unauthorized privilege escalation.
• Regularly update and patch systems to remediate known vulnerabilities and reduce the attack surface.

Secure the Paths Between Cloud Workloads

A cloud-native security fabric that enforces Zero Trust across workload communication—reducing attack paths, compliance risk, and operational complexity.

Stop Advanced Threats Get a Free Workload Attack Path Assessment Under Active Attack?

ClawJacked: Critical Vulnerability in OpenClaw AI Agent Exposes Systems to Hijacking

Executive Summary

Why This Matters Now

Attack Path Analysis

Kill Chain Progression

Initial Compromise

Description

Related CVEs

CVE-2026-25253

Affected Products:

Exploit Status:

References:

CVE-2026-27485

Affected Products:

Exploit Status:

References:

MITRE ATT&CK® Techniques

Brute Force

Web Protocols

Exploit Public-Facing Application

Valid Accounts

Use Alternate Authentication Material

Potential Compliance Exposure

PCI DSS 4.0 – Multi-Factor Authentication

NYDFS 23 NYCRR 500 – Access Privileges

DORA – ICT Risk Management Framework

CISA ZTMM 2.0 – Identity and Access Management

NIS2 Directive – Cybersecurity Risk Management Measures

Sector Implications

Computer Software/Engineering

Information Technology/IT

Computer/Network Security

Financial Services

Sources

Frequently Asked Questions

Cloud Native Security Fabric Mitigations and ControlsCNSF

Impact at a Glance

Affected Business Functions

Recommended Actions

Key Takeaways & Next Steps

Secure the Paths Between Cloud Workloads