March 1, 2026

ClawJacked: How a Browser Tab Can Hijack Your OpenClaw Agent

A new vulnerability disclosed this week makes the case for security hardening better than we ever could. Dubbed “ClawJacked” by researchers at Oasis Security, CVE-2026-25253 allows any website to silently take full control of a locally running OpenClaw agent. No malicious skills. No downloads. No user interaction beyond visiting a web page.

Immediate action required: Update OpenClaw to version 2026.2.25 or later. Run openclaw update now. If you were running an older version, patching alone is not enough — see remediation steps below.

What happened

The ClawJacked attack chain exploits three design decisions in the OpenClaw gateway that, individually, make sense for usability. Combined, they create a critical vulnerability.

First, the OpenClaw gateway binds to localhost and exposes a WebSocket interface. This is how local tools like the CLI, the macOS companion app, and the Control UI dashboard communicate with the gateway. The problem is that WebSocket connections to localhost are not blocked by browser cross-origin policies. Any JavaScript running in any browser tab can open a WebSocket connection to your local gateway, and the browser will not warn you or stop it.

Second, the gateway’s rate limiter exempts the loopback address. This is a reasonable decision in isolation — you do not want your local CLI locked out because of failed authentication attempts. But it means that a brute-force attack originating from a browser tab (which connects via localhost) faces no throttling. Oasis researchers demonstrated sustained rates of hundreds of password guesses per second from browser JavaScript alone. A dictionary of common passwords is exhausted in under a second.

Third, the gateway auto-approves device pairings from localhost without requiring user confirmation. Once the attacker guesses the password, their script silently registers as a trusted device. No popup. No notification. No approval prompt.

The result: a developer visits a compromised or malicious website, and within seconds, an attacker has full control of their OpenClaw agent — including every integration, credential, and connected service.
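The three decisions above each have a server-side counterpart. The sketch below is an added example, not OpenClaw's code or its patch; every name in it is hypothetical, and the allowed origin and limits are constructed values. It checks the handshake's Origin header, throttles failed logins without a loopback exemption, and never pairs a device on a correct password alone.

```javascript
// Added example with hypothetical names; the origin and limits are constructed.
const ALLOWED_ORIGINS = new Set(["http://localhost:3000"]); // local dashboard only

// Browsers attach an Origin header to every WebSocket handshake and page script
// cannot change it. Native clients such as a CLI normally send none.
function originAllowed(headers) {
  const origin = headers.origin;
  return origin === undefined || ALLOWED_ORIGINS.has(origin);
}

// Sliding-window failure counter keyed by peer address, loopback included.
class AuthThrottle {
  constructor(maxFailures = 5, windowMs = 60000) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // address -> timestamps of recent failures
  }
  recent(addr, now) {
    const kept = (this.failures.get(addr) || []).filter((t) => now - t < this.windowMs);
    this.failures.set(addr, kept);
    return kept;
  }
  blocked(addr, now) {
    return this.recent(addr, now).length >= this.maxFailures;
  }
  recordFailure(addr, now) {
    this.recent(addr, now).push(now);
  }
}

// Decide one pairing request. `req` is a plain object standing in for the
// handshake: { headers, addr, password, userConfirmed }.
function handlePairing(req, throttle, checkPassword, now = Date.now()) {
  if (!originAllowed(req.headers)) return "rejected-origin";
  if (throttle.blocked(req.addr, now)) return "throttled";
  if (!checkPassword(req.password)) {
    throttle.recordFailure(req.addr, now);
    return "auth-failed";
  }
  // A correct password from 127.0.0.1 still needs an explicit user approval.
  return req.userConfirmed ? "paired" : "pending-approval";
}
```

Because every local client shares the loopback address, a throttle like this can also delay a legitimate CLI after repeated failures, which is the usability cost the original exemption avoided.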

Why this is different from previous OpenClaw threats

The malicious ClawHub packages and the ClawHavoc campaign required the user to install something. ClawJacked requires nothing beyond normal web browsing. That is a fundamentally different threat model.

It also targets the core gateway, not the skill ecosystem. This is not a supply chain attack. It is a flaw in the base software that every OpenClaw installation shares. And unlike a malicious skill that can be identified and removed, a hijacked session leaves the attacker operating as a legitimate trusted device.

The blast radius is especially concerning because OpenClaw agents typically hold API keys, session tokens, email access, calendar integrations, and file system permissions. A compromised agent does not just leak data — it can take actions on behalf of the user, at machine speed, across every connected service.

The fix — and why it is not enough

OpenClaw version 2026.2.25, released February 26, tightens WebSocket security checks and adds protections against localhost brute-force attacks and unauthorized device pairing. Updating is the essential first step:

openclaw update
openclaw --version
# Must show 2026.2.25 or later

But updating only prevents future exploitation of this specific vulnerability. It does not address whether your installation was already compromised while running an older version. Post-compromise remediation requires several additional steps.

1. Audit registered devices

Open the OpenClaw Control UI and review every device that has been paired with your gateway. Remove anything you do not recognize. If you see devices you did not personally pair, assume unauthorized access occurred.

2. Rotate all credentials

Every API key, authentication token, and service credential that your OpenClaw agent had access to should be rotated immediately:

3. Review your logs

Check for unusual activity patterns — commands you did not issue, configuration changes you did not make, file access you did not initiate. Pay particular attention to the period before the patch was available.

# Look for unauthorized access patterns
grep -i "device.*registered" ~/.openclaw/logs/*.log
grep -i "authenticated" ~/.openclaw/logs/*.log
# Flag any entries from times you weren't actively using OpenClaw
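To go beyond eyeballing the grep output, the script below (an added example, not part of OpenClaw or the original post) applies the same two patterns, flags matches that fall outside periods you know you were using the agent, and reports any second with an unusually high number of authentication lines. The timestamp format and the sample lines are assumptions constructed for illustration; adjust `LINE_RE` to your real logs.

```javascript
// Added example. The log line format is an assumption and SAMPLE is constructed.
const LINE_RE = /^(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(?:\.\d+)?Z)\s+(.*)$/;
const PATTERNS = [
  { kind: "pairing", re: /device.*registered/i }, // same patterns as the greps above
  { kind: "auth", re: /authenticated/i },
];

// activeWindows: [[startIso, endIso], ...] for periods you were actually using the agent.
function triage(lines, activeWindows, burstPerSecond = 10) {
  const windows = activeWindows.map(([a, b]) => [Date.parse(a), Date.parse(b)]);
  const perSecond = new Map(); // epoch second -> number of auth lines
  const findings = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // skip lines without a parseable timestamp
    const ts = Date.parse(m[1]);
    const hit = PATTERNS.find((p) => p.re.test(m[2]));
    if (!hit) continue;
    if (!windows.some(([a, b]) => ts >= a && ts <= b)) {
      findings.push({ reason: "outside-active-window", kind: hit.kind, line });
    }
    if (hit.kind === "auth") {
      const sec = Math.floor(ts / 1000);
      perSecond.set(sec, (perSecond.get(sec) || 0) + 1);
    }
  }
  // Many auth lines inside one second is not something a person at a keyboard produces.
  for (const [sec, count] of perSecond) {
    if (count >= burstPerSecond) {
      const second = new Date(sec * 1000).toISOString();
      findings.push({ reason: "auth-burst", kind: "auth", second, count });
    }
  }
  return findings;
}

// Constructed sample: one normal login, then a burst followed by a silent pairing.
const SAMPLE = [
  "2026-02-20T09:15:02Z gateway: client authenticated (cli)",
  ...Array.from({ length: 12 }, () => "2026-02-21T03:12:39Z gateway: not authenticated (bad password)"),
  "2026-02-21T03:12:40Z gateway: client authenticated",
  "2026-02-21T03:12:41Z gateway: device registered id=<placeholder>",
];
const ACTIVE = [["2026-02-20T09:00:00Z", "2026-02-20T18:00:00Z"]];
console.log(triage(SAMPLE, ACTIVE));
```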

4. Check for persistence

The ClawJacked attack itself does not install persistence mechanisms, but an attacker with full agent control could have used that access to deploy additional backdoors:

# Check for unexpected cron jobs
crontab -l | grep -v "^#"

# Check for LaunchAgents (macOS)
ls -la ~/Library/LaunchAgents/ 2>/dev/null

# Check MCP server registrations
cat ~/.openclaw/openclaw.json | grep -A5 "mcpServers"

# Verify identity file integrity
sha256sum ~/.openclaw/agents/*/AGENTS.md

For a complete post-compromise audit, see our hardening checklist.

The bigger pattern

ClawJacked is not an isolated incident. It arrives in the context of a rapidly expanding threat landscape targeting OpenClaw specifically. In the past four weeks:

Each of these threats targets a different layer. Supply chain attacks through malicious skills. Malware campaigns delivering payloads through the skill marketplace. Configuration-level vulnerabilities in the gateway itself. The built-in security audit catches some of these, but independent analysis shows it covers approximately 60% of the known threat surface.

The remaining 40% includes exactly the kinds of issues ClawJacked exposes: trust model assumptions that create exploitable gaps, post-compromise artifacts that persist after patching, and cross-layer attack chains that no single tool detects.

What we recommend

The OpenClaw team deserves credit for the 24-hour turnaround on the patch. But patching a single vulnerability does not constitute a security strategy. For any organization or individual running OpenClaw with access to sensitive data or systems, we recommend a layered approach:

Update immediately. Version 2026.2.25 or later is the minimum safe version.

Run a security scan. The built-in audit is a starting point, but it will not catch everything. A comprehensive scan should check for known malicious skills, configuration weaknesses, persistence mechanisms, and post-compromise indicators.

Harden your configuration. Bind the gateway to localhost only (and understand what that does and does not protect). Use strong, unique passwords — not dictionary words. Scope agent permissions to the minimum required for your use case. Baseline your identity files so you can detect unauthorized modifications.

Add runtime protection. Tools like ClawShield provide inline traffic inspection that can catch attack patterns in real time. This layer complements configuration-level hardening.

Establish ongoing monitoring. The threat landscape is evolving weekly. A deployment that was secure last Tuesday may not be secure today. Regular re-assessment is not optional.

Timeline

Check your ClawJacked exposure

The free scanner checks for CVE-2026-25253 along with 1,184+ other known threats. No account needed.


Peter Kwidzinski is a Platform Security Architect with 20+ years in the industry. He built BulwarkAI to close the gap between free security tools and personalized expert analysis for OpenClaw deployments.
