OpenClaw has fixed a high-severity security flaw that, if successfully exploited, could have allowed a malicious website to connect to a locally running artificial intelligence (AI) agent and take over control of it.
“Our vulnerability lives in the core system itself – no plugins, no marketplace, no user-installed extensions – just the bare OpenClaw gateway, running exactly as documented,” Oasis Security said in a report published this week.
The flaw has been codenamed ClawJacked by the cybersecurity company.
The attack assumes the following threat model: a developer has OpenClaw set up and running on their laptop, with its gateway, a local WebSocket server, bound to localhost and protected by a password. The attack kicks in when the developer lands on an attacker-controlled website through social engineering or some other means.
The infection sequence then follows the steps below:
- Malicious JavaScript on the web page opens a WebSocket connection to localhost on the OpenClaw gateway port.
- The script brute-forces the gateway password by taking advantage of a missing rate-limiting mechanism.
- After successful authentication with admin-level permissions, the script stealthily registers as a trusted device, which the gateway auto-approves without any user prompt.
- The attacker gains full control over the AI agent, allowing them to interact with it, dump configuration data, enumerate connected nodes, and read application logs.
“Any website you visit can open one to your localhost. Unlike regular HTTP requests, the browser doesn’t block these cross-origin connections,” Oasis Security said. “So while you’re browsing any website, JavaScript running on that page can silently open a connection to your local OpenClaw gateway. The user sees nothing.”
“That misplaced trust has real consequences. The gateway relaxes several security mechanisms for local connections – including silently approving new device registrations without prompting the user. Normally, when a new device connects, the user must confirm the pairing. From localhost, it’s automatic.”
Following responsible disclosure, OpenClaw pushed a fix in less than 24 hours with version 2026.2.25, released on February 26, 2026. Users are advised to apply the latest updates as soon as possible, periodically audit the access granted to AI agents, and enforce appropriate governance controls for non-human (aka agentic) identities.
The development comes amid broader security scrutiny of the OpenClaw ecosystem, primarily stemming from the fact that AI agents hold entrenched access to disparate systems and the authority to execute tasks across enterprise tools, leading to a significantly larger blast radius should they be compromised.
Reports from Bitsight and NeuralTrust have detailed how OpenClaw instances left connected to the internet pose an expanded attack surface, with each integrated service further broadening the blast radius, and how they can be turned into an attack weapon by embedding prompt injections in content (e.g., an email or a Slack message) processed by the agent so that it executes malicious actions.
The disclosure comes as OpenClaw also patched a log poisoning vulnerability that allowed attackers to write malicious content to log files via WebSocket requests to a publicly accessible instance on TCP port 18789.
Since the agent reads its own logs to troubleshoot certain tasks, the security loophole could be abused by a threat actor to embed indirect prompt injections, leading to unintended consequences. The issue was addressed in version 2026.2.13, which shipped on February 14, 2026.
“If the injected text is interpreted as meaningful operational information rather than untrusted input, it could influence decisions, suggestions, or automated actions,” Eye Security said. “The impact would therefore not be ‘instant takeover,’ but rather: manipulation of agent reasoning, influencing troubleshooting steps, potential data disclosure if the agent is guided to reveal context, and indirect misuse of connected integrations.”
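The log poisoning issue above is a classic log injection problem with an AI-specific consumer: whatever a client writes must not be able to forge a second log record or read, to the agent, like an operator instruction. The block below is an added example, not OpenClaw's logging code and not from the Eye Security write-up. It shows a JSON-lines writer that strips control characters and keeps client-supplied strings under a dedicated `untrusted` key, a reader for those lines, and a renderer that fences the untrusted values before an agent sees them. The field length limit and tag names are assumptions.

```javascript
// Added example (not OpenClaw's code): log records that cannot be forged or
// split by attacker-controlled strings, plus a renderer that labels the
// untrusted part before an agent reads the log.

const MAX_FIELD_LEN = 512; // assumed cap on an untrusted value

// Replace C0 and C1 control characters (CR, LF, ESC, ...) with spaces and
// truncate. This prevents a value from ending one physical line and starting
// a fake record on the next, and neutralises terminal escape sequences.
function sanitizeUntrusted(value) {
  let s = String(value).replace(/[\u0000-\u001f\u007f-\u009f]/g, ' ');
  if (s.length > MAX_FIELD_LEN) s = s.slice(0, MAX_FIELD_LEN) + '...[truncated]';
  return s;
}

// One JSON object per line. JSON.stringify escapes anything that survives
// sanitisation, so one write is always exactly one line, and client data is
// isolated under `untrusted` rather than mixed into the message text.
function formatLogLine(level, event, untrusted = {}, ts = 0) {
  const clean = {};
  for (const [k, v] of Object.entries(untrusted)) {
    clean[sanitizeUntrusted(k)] = sanitizeUntrusted(v);
  }
  return JSON.stringify({ ts, level, event, untrusted: clean });
}

// Parse the file back; blank lines are skipped, each surviving line is one record.
function parseLogLines(text) {
  return text.split('\n').filter(Boolean).map((line) => JSON.parse(line));
}

// What the agent is shown. Untrusted values are JSON-quoted inside a clearly
// labelled element so a model is less likely to treat them as instructions.
// This is a mitigation, not a guarantee: the agent's prompt should still state
// that the fenced content is data, and decisions with side effects should not
// be driven by it alone.
function renderForAgent(entries) {
  return entries.map((e) => {
    const u = Object.entries(e.untrusted || {})
      .map(([k, v]) => `${k}=${JSON.stringify(v)}`)
      .join(' ');
    return `${e.ts} ${e.level} ${e.event} <untrusted-client-data>${u}</untrusted-client-data>`;
  }).join('\n');
}

module.exports = { MAX_FIELD_LEN, sanitizeUntrusted, formatLogLine, parseLogLines, renderForAgent };
```

Run `formatLogLine` on a payload that embeds a newline followed by a plausible-looking record and the output is still a single line whose `event` is the one the server chose; the injected text survives only as flattened data inside `untrusted.payload`, which is exactly where a troubleshooting agent should be told to treat it with suspicion.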
In recent weeks, OpenClaw has also been found susceptible to a number of vulnerabilities (CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, CVE-2026-26329), ranging from moderate to high severity, that could result in remote code execution, command injection, server-side request forgery (SSRF), authentication bypass, and path traversal. The vulnerabilities have been addressed in OpenClaw versions 2026.1.20, 2026.1.29, 2026.2.1, 2026.2.2, and 2026.2.14.
“As AI agent frameworks become more prevalent in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI-specific attack surfaces,” Endor Labs said.
Elsewhere, new research has demonstrated that malicious skills uploaded to ClawHub, an open marketplace for downloading OpenClaw skills, are being used as conduits to deliver a new variant of Atomic Stealer, a macOS information stealer developed and rented out by a cybercrime actor known as Cookie Spider.
“The infection chain begins with a normal SKILL.md that installs a prerequisite,” Trend Micro said. “The skill appears harmless on the surface and was even labeled as benign on VirusTotal. OpenClaw then goes to the website, fetches the installation instructions, and proceeds with the installation if the LLM decides to follow the instructions.”
The instructions hosted on the website “openclawcli.vercel[.]app” include a malicious command to download a stealer payload from an external server (“91.92.242[.]30”) and run it.
Threat hunters have also flagged a new malware delivery campaign in which a threat actor by the name @liuhui1010 has been identified leaving comments on legitimate skill listing pages, urging users to explicitly run a command they supplied in the Terminal app if the skill “doesn’t work on macOS.”
The command is designed to retrieve Atomic Stealer from “91.92.242[.]30,” an IP address previously documented by Koi Security and OpenSourceMalware as distributing the same malware via malicious skills uploaded to ClawHub.
What’s more, a recent analysis of 3,505 ClawHub skills by AI security company Straiker has uncovered at least 71 malicious ones, some of which posed as legitimate cryptocurrency tools but contained hidden functionality to redirect funds to threat actor-controlled wallets.
Two other skills, bob-p2p-beta and runware, have been tied to a multi-layered cryptocurrency scam that employs an agent-to-agent attack chain targeting the AI agent ecosystem. The skills have been attributed to a threat actor who operates under the aliases “26medias” on ClawHub and “BobVonNeumann” on Moltbook and X.
“BobVonNeumann presents itself as an AI agent on Moltbook, a social network designed for agents to interact with each other,” researchers Yash Somalkar and Dan Regalado said. “From that position, it promotes its own malicious skills directly to other agents, exploiting the trust that agents are designed to extend to each other by default. It’s a supply chain attack with a social engineering layer built on top.”
What bob-p2p-beta actually does, however, is instruct other AI agents to store Solana wallet private keys in plaintext, purchase worthless $BOB tokens on pump.fun, and route all funds through attacker-controlled infrastructure. The second skill claims to offer a benign image generation tool in order to build the developer’s credibility.
Given that ClawHub is becoming fertile new ground for attackers, users are advised to audit skills before installing them, avoid providing credentials and keys unless essential, and monitor skill behavior.
The security risks associated with self-hosted agent runtimes like OpenClaw have also prompted Microsoft to issue an advisory, warning that unguarded deployment could pave the way for credential exposure/exfiltration, memory modification, and host compromise if the agent can be tricked into retrieving and running malicious code, either through poisoned skills or prompt injections.
“Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials,” the Microsoft Defender Security Research Team said. “It is not appropriate to run on a standard personal or enterprise workstation.”
“If an organization determines that OpenClaw must be evaluated, it should be deployed only in a fully isolated environment such as a dedicated virtual machine or separate physical system. The runtime should use dedicated, non-privileged credentials and access only non-sensitive data. Continuous monitoring and a rebuild plan should be part of the operating model.”