Executive Summary
In February 2026, a critical security vulnerability, dubbed 'ClawJacked,' was discovered in OpenClaw, an open-source AI agent platform. This flaw allowed malicious websites to exploit the WebSocket protocol to hijack locally running OpenClaw agents by brute-forcing the gateway password, leading to unauthorized control over the AI agent. The attack sequence involved a malicious site initiating a WebSocket connection to the local OpenClaw gateway, bypassing security mechanisms due to the gateway's trust in local connections. This vulnerability was promptly addressed in version 2026.2.25, released on February 26, 2026. (thehackernews.com)
The ClawJacked incident underscores the escalating security challenges associated with AI agent platforms. As these agents gain deeper integration into enterprise environments, they become attractive targets for cyber threats. This event highlights the necessity for robust security measures, including stringent authentication protocols and vigilant monitoring, to safeguard against emerging vulnerabilities in AI systems.
Why This Matters Now
The ClawJacked vulnerability highlights the urgent need for enhanced security protocols in AI agent platforms. As these systems become integral to enterprise operations, they present new attack vectors for cybercriminals. Organizations must prioritize the implementation of robust authentication mechanisms and continuous monitoring to mitigate such risks.
Attack Path Analysis
An attacker exploited a vulnerability in OpenClaw's WebSocket implementation by tricking a user into clicking a malicious link, leading to unauthorized access and control over the AI agent. The attacker then escalated privileges by brute-forcing the gateway password, registered as a trusted device without user approval, and gained complete control over the AI agent. Utilizing this control, the attacker moved laterally within the system, accessing connected nodes and reading application logs. The compromised AI agent established a command and control channel, allowing the attacker to issue commands remotely. Sensitive data was exfiltrated through this channel, leading to potential data breaches. The attack resulted in significant impact, including unauthorized access to enterprise tools and potential manipulation of AI agent operations.
Kill Chain Progression
Initial Compromise
Description
The attacker exploited a vulnerability in OpenClaw's WebSocket implementation by tricking a user into clicking a malicious link, leading to unauthorized access and control over the AI agent.
Related CVEs
CVE-2026-XXXXX
CVSS 8.8A vulnerability in OpenClaw versions prior to 2026.2.25 allows a malicious website to connect to a locally running OpenClaw AI agent via WebSocket, potentially leading to full control over the agent.
Affected Products:
OpenClaw OpenClaw – < 2026.2.25
Exploit Status:
proof of concept
MITRE ATT&CK® Techniques
Techniques identified for SEO/filtering; may be expanded with full STIX/TAXII enrichment later.
Brute Force
Web Protocols
Exploit Public-Facing Application
Valid Accounts
Drive-by Compromise
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Multi-Factor Authentication
Control ID: 8.3.6
NYDFS 23 NYCRR 500 – Multi-Factor Authentication
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 6
CISA ZTMM 2.0 – Multi-Factor Authentication
Control ID: Identity Pillar
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Computer Software/Engineering
OpenClaw AI agent vulnerabilities enable supply chain attacks through malicious skills, WebSocket hijacking, and prompt injections targeting software development environments.
Information Technology/IT
ClawJacked flaw allows remote takeover of AI agents via unencrypted WebSocket connections, creating lateral movement risks in enterprise IT infrastructure.
Financial Services
Malicious ClawHub skills facilitate cryptocurrency theft through agent-to-agent attacks, wallet key exposure, and automated fund redirection to attacker wallets.
Computer/Network Security
Multiple CVEs in OpenClaw framework expose security teams to command injection, authentication bypass, and credential exfiltration through compromised AI agents.
Sources
- ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSockethttps://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.htmlVerified
- ClawJacked: OpenClaw Vulnerability Enables Full Agent Takeoverhttps://www.oasis.security/blog/openclaw-vulnerabilityVerified
- Release openclaw 2026.2.25 · openclaw/openclaw · GitHubhttps://github.com/openclaw/openclaw/releases/tag/v2026.2.25Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have constrained the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been limited by enforcing strict identity-based access controls, reducing the likelihood of unauthorized entry.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been constrained by enforcing strict segmentation policies, reducing unauthorized access to critical systems.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been limited by enforcing east-west traffic security, reducing unauthorized access to connected nodes.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to establish command and control channels could have been constrained by enhanced visibility and control, reducing unauthorized remote commands.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been limited by enforcing strict egress policies, reducing unauthorized data transfers.
The overall impact of the attack could have been constrained by limiting unauthorized access and manipulation, reducing potential damage to enterprise tools and operations.
Impact at a Glance
Affected Business Functions
- AI Agent Operations
- System Automation
- Data Processing
Estimated downtime: 3 days
Estimated loss: $50,000
Potential exposure of sensitive configuration data and access credentials.
Recommended Actions
Key Takeaways & Next Steps
- • Implement Zero Trust Segmentation to enforce least privilege access and prevent unauthorized lateral movement within the network.
- • Deploy East-West Traffic Security controls to monitor and restrict internal traffic, mitigating the risk of lateral movement by attackers.
- • Utilize Egress Security & Policy Enforcement to control outbound traffic, preventing unauthorized data exfiltration and command and control communications.
- • Enhance Threat Detection & Anomaly Response capabilities to identify and respond to suspicious activities promptly.
- • Regularly update and patch systems to address known vulnerabilities, reducing the risk of exploitation by attackers.
