OPENCLAW users have been urged to upgrade to the latest version after researchers revealed that an indirect prompt injection attack could give adversaries full remote control. The ClawJacked bug is a high-severity issue in the popular AI assistant platform, and, according to Oasis Security, its gateway runs a local WebSocket server that authenticates, manages sessions and orchestrates the AI agent, with nodes registering and exposing capabilities across devices.
The flaw stems from the gateway binding to localhost by default, which assumes local access is trusted; if a user visits a malicious site, an attacker can exploit this through a WebSocket connection to localhost, brute-force the gateway password at hundreds of attempts per second, and have the gateway auto-approve the attacker's device without a user prompt.
Once authenticated, the attacker can gain full control of the OpenClaw instance, interact with the agent, dump configuration data, enumerate devices and read logs. The advisory urges upgrades to version 2026.2.25 or later and recommends governance measures for non-human identities.