OPENCLAW has fixed a high-severity flaw, dubbed ClawJacked, which could let a malicious website connect to a locally running OpenClaw AI agent and take control, according to Oasis Security. The attack model requires a developer’s OpenClaw gateway and a local WebSocket server bound to localhost, protected by a password, with malicious JavaScript on a page opening a WebSocket to that localhost and brute-forcing the gateway password due to a missing rate limit.
Once authenticated with admin permissions, the script can register as a trusted device and gain full control over the AI agent, enabling interaction, configuration dumps, node enumeration and log access, with the gateway reportedly auto-approving such devices.
Following disclosure, OpenClaw released version 2026.2.25 on 26 February 2026 and users are advised to apply updates, audit non-human identities and enforce governance controls for agent runtimes; Microsoft likewise warned that OpenClaw should run only in isolated environments.
The broader context includes multiple CVEs (for example CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322 and CVE-2026-26329) addressed in later OpenClaw releases, along with reports of malcode delivered via ClawHub and a threat actor known as Cookie Spider, among other findings.