Skip to main content
CybersecurityAI & Machine Learning

ClawJacked Flaw: Exclusive Critical OpenClaw Hijack Alert

ClawJacked Flaw: Exclusive Critical OpenClaw Hijack Alert

What do you do when the gatekeeper itself can be turned into the key? “Our vulnerability lives in the core system itself – no plugins, no marketplace, no user‑installed extensions – just the bare OpenClaw gateway, running exactly as documented,” said researchers at Oasis, who discovered a high‑severity flaw that could let a malicious website reach across the browser and seize a locally running AI agent. The discovery, disclosed and fixed by OpenClaw, raises a stark dilemma: how do we trust connected AI services when the gateway meant to protect them can be the attack path?

OpenClaw, an increasingly common gateway used to route requests between web pages and locally hosted AI agents, patched a critical vulnerability that—if exploited—would have allowed a remote website to connect to and effectively take control of a local AI process. According to the public disclosure, the flaw resided in OpenClaw’s core handling of incoming connections and authentication logic, meaning an attacker need not rely on third‑party extensions or misconfigured plugins to abuse it. Oasis’s characterization that the bug sits in the “bare” gateway underscores the breadth of the exposure.

Technically, the risk stems from the trust boundary between untrusted web content and trusted local services. Browsers and local agents commonly rely on gateway software to mediate requests, enforce origin checks, and prevent cross‑origin abuse. When that mediator is flawed, a malicious site opened in a user’s tab can escalate from benign script to active controller of a local AI—issuing commands, retrieving state, or modifying configuration—without the user’s explicit intent. The result is not just data exfiltration but functional takeover of an agent that may have access to files, credentials, or other services on the host.

  • Scope and exploitability: The vulnerability reported affects the core OpenClaw gateway as shipped; no additional components or user actions were required beyond visiting a crafted webpage that triggers the flaw.
  • Potential impact: A successful exploit could let attackers issue commands to a local AI agent, manipulate its outputs, or use the agent as a pivot to other local resources.
  • Response: OpenClaw released a patch addressing the gateway’s authentication and connection handling; maintainers and downstream integrators have been urged to apply updates immediately.

Why this matters beyond a single product: modern software architectures increasingly place small, local agents at the center of user workflows—think personal assistants, code helpers, and automation tools that listen on localhost. Those agents are powerful precisely because they bridge sensitive local data and remote interfaces. When an internet‑facing webpage can reach through a buggy gateway into that zone, the security model breaks down. The incident echoes broader patterns observed in high‑impact disclosures: attackers prize vulnerabilities that require little privilege or exotic access, and defenders must race to patch widely deployed components before exploitation scales.

Security practitioners who study exploitation trends note the predictable arc: discovery, responsible disclosure and patch, then a window of risk as unpatched instances remain exposed. Huntress’s analysis of prior vulnerabilities highlights how adversaries swiftly weaponize such flaws once details are public, making timely remediation essential to avoid active exploitation and lateral movement in enterprise networks .

From the technologist’s viewpoint, the OpenClaw incident is a call to harden trust boundaries and embrace defense‑in‑depth. Gateways should implement strict origin validation, ephemeral credentials, and explicit user consent flows when elevating web interactions to local command capabilities. Developers of AI agents must design with the assumption that anything exposed to the browser is potentially hostile and minimize the surface area of local APIs.

For policymakers and regulators, the episode adds urgency to conversations about secure defaults and supply‑chain hygiene. Core infrastructure components—even those distributed as small packages or developer tools—can present systemic risk if shipped with unsafe defaults. Regulators setting standards for critical‑software lifecycle practices may point to this kind of flaw as justification for minimum security baselines, mandatory vulnerability disclosure timelines, and certification of widely used middleware.

Users and administrators face practical steps now: update OpenClaw to the patched release, audit systems that host local AI agents for unexpected network listeners, and treat localhost endpoints as high‑risk interfaces. Where possible, restrict browser access to local APIs via fine‑grained allowlists, network policy, or by using sandboxing that prevents untrusted pages from issuing cross‑origin requests to local services.

Adversaries, unsurprisingly, view such vulnerabilities opportunistically. A reliable, low‑complexity exploit that converts a webpage visit into local agent control is attractive to cybercriminal groups and espionage actors alike, because it provides an initial foothold that can be used to harvest data, spread laterally, or deploy additional malware. The community’s prior experience with rapid exploitation after public disclosure underscores the need to close the window between fix and deployment as quickly as possible .

OpenClaw’s fix reduces immediate risk, but the incident points to a recurring lesson: security failures in middleware are particularly pernicious because they violate assumptions higher‑level software makes about the environment. Even well‑documented, default deployments can be dangerous when the default is wrong.

As the ecosystem matures—bringing more powerful local AI agents into daily workflows—this episode should prompt reflection as much as remediation. Are we prepared to treat local AI endpoints with the same rigor we reserve for remote servers? Can vendors build gateways with provable guarantees that a webpage cannot subvert a user’s machine? The answers will determine whether future discoveries become contained patches or templates for widespread abuse.

For additional details and the original reporting, see the full disclosure at The Hacker News: https://thehackernews.com/2026/02/clawjacked-flaw-lets-malicious-sites.html