# OpenClaw AI Framework Exposed to Data Theft Through "ClawJacked" Flaw

In a recent discovery, researchers at Oasis Security have disclosed a critical vulnerability in the open-source AI framework OpenClaw that allows malicious websites to hijack local AI agent instances and steal sensitive data. The flaw, dubbed "ClawJacked," enabled attackers to brute-force the gateway password and take control of local AI agent instances, exposing them to silent data theft.

The OpenClaw AI agent framework is designed to connect large language models to tools, browsers, and system resources, enabling task automation such as web interaction, data processing, and workflow execution on a user's machine. The framework uses a local WebSocket gateway that acts as the system's brain, handling authentication, chat sessions, configuration, and coordination of the AI agent. Connected "nodes" (such as a macOS app, iOS device, or other machines) register with the gateway and can execute system commands or access device features.

However, this design creates a critical security weakness: the gateway binds to localhost and assumes that local traffic is trusted. Researchers uncovered an attack chain showing that a malicious website could fully hijack a locally running OpenClaw instance. Once the user visits an attacker-controlled site, its JavaScript runs in the user's browser and silently opens a WebSocket connection to the local gateway; because browsers allow WebSocket connections to localhost, nothing blocked the connection.

The gateway also exempted localhost from rate limiting, so attackers could brute-force the password at hundreds of guesses per second without triggering alerts. Once the password was guessed, the malicious script could register itself as a trusted device, gaining admin-level control and access to sensitive data. Full workstation compromise could thus begin with a simple browser visit, with no visible warning to the user.
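The two gateway weaknesses described above (loopback exempt from rate limiting, and browser-originated connections accepted as "local") can be closed in the handshake policy itself. The following is an added, hypothetical example and not OpenClaw's code: it applies the same failed-login budget to 127.0.0.1 as to any other address, and it refuses handshakes whose `Origin` header is not on an allow-list, a standard defence for browser-initiated WebSocket connections that the article does not itself mention. The origin string `app://openclaw-desktop` is a constructed placeholder.

```python
"""Hardened WebSocket handshake policy (hypothetical, not OpenClaw's code).

Modelled on the two ClawJacked weaknesses: no loopback exemption from
rate limiting, and Origin allow-listing for browser-originated handshakes.
"""
import hmac
from collections import defaultdict, deque

MAX_FAILURES = 5        # failed logins tolerated per source address ...
WINDOW_SECONDS = 60.0   # ... within this sliding window

# Constructed allow-list: the desktop app's own origin. A web page's
# https://... origin never matches, so it is refused before any password check.
ALLOWED_ORIGINS = frozenset({"app://openclaw-desktop"})  # placeholder value


class GatewayAuthPolicy:
    def __init__(self, password, allowed_origins=ALLOWED_ORIGINS):
        self._password = password.encode()
        self._allowed_origins = allowed_origins
        self._failures = defaultdict(deque)  # peer_ip -> failure timestamps

    def _recent_failures(self, peer_ip, now):
        """Drop failures older than the window and return the live queue."""
        queue = self._failures[peer_ip]
        while queue and now - queue[0] > WINDOW_SECONDS:
            queue.popleft()
        return queue

    def decide(self, peer_ip, origin, password, now):
        """Return 'rejected-origin', 'throttled', 'rejected-password' or 'accepted'.

        peer_ip is never used to grant an exemption: 127.0.0.1 gets exactly
        the same failure budget as a remote address.
        """
        # Browsers always attach an Origin header to a WebSocket handshake, so a
        # non-allow-listed Origin identifies a cross-site page. Native clients
        # that send no Origin at all (origin is None) fall through to the
        # password check, where the rate limit still applies.
        if origin is not None and origin not in self._allowed_origins:
            return "rejected-origin"
        failures = self._recent_failures(peer_ip, now)
        if len(failures) >= MAX_FAILURES:
            return "throttled"  # refused even if this guess is correct
        if not hmac.compare_digest(password.encode(), self._password):
            failures.append(now)
            return "rejected-password"
        failures.clear()
        return "accepted"
```

With this policy a loopback brute force stalls at `MAX_FAILURES` guesses per minute instead of running at hundreds per second, and a page served from a web origin is turned away regardless of what password it supplies.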

The vulnerability was rated high severity by Oasis Security, and an emergency patch was released in version 2026.2.26 just 24 hours after disclosure. The incident highlights the need for organizations to identify AI tools running on developer machines, as many may be deployed without IT oversight. Users are urged to update any OpenClaw instances immediately to version 2026.2.25 or later.

Experts stress that companies should also audit what permissions and credentials their AI agents hold, limiting access to only what is necessary. Furthermore, governance around AI agents is crucial, as they can authenticate, store credentials, and act autonomously. This requires strict policy controls, monitored access, and full audit trails – just like human users or service accounts.

In conclusion, the "ClawJacked" flaw in OpenClaw highlights the importance of cybersecurity awareness and regular vulnerability testing for AI frameworks. Developers must prioritize secure coding practices, and organizations should establish robust governance around their AI assets to prevent similar incidents from occurring.
