OpenClaw users are being urged to upgrade to the latest version of the tool after researchers discovered a serious vulnerability. The flaw allows adversaries to execute an indirect prompt injection attack, potentially granting them full remote control over the platform.
The vulnerability, dubbed the “ClawJacked” bug, is classified as high-severity within the widely used AI assistant platform. Oasis Security explained that OpenClaw operates via a local WebSocket server, which acts as its central gateway. This gateway is responsible for managing authentication, chat sessions, configuration storage, and orchestrating the AI agent.
Connected to the gateway are various nodes, which can include a macOS companion app, an iOS device, or other machines. These nodes register with the gateway and present their capabilities, which include running system commands, accessing the camera, and reading contacts. The gateway has the ability to send commands to any connected node.
The issue arises because the gateway is set to bind to localhost by default, operating under the assumption that local access is inherently trusted. However, this trust can be compromised if a user visits a malicious website.
The report outlined how an attack could unfold:
- JavaScript on the malicious page establishes a WebSocket connection to localhost on the OpenClaw gateway's designated port. This is allowed since WebSocket connections to localhost are not restricted by cross-origin policies.
- The script attempts to brute-force the gateway password at an alarming rate, as the rate limiter does not apply to localhost connections.
- Once authenticated, the script silently registers itself as a trusted device. The gateway automatically approves device pairings from localhost without requiring user confirmation.
Oasis Security warned that if these steps succeed, the attacker gains complete control over the OpenClaw instance and can interact with the AI agent, access configuration data, enumerate connected devices, and read logs.
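Each of the three steps above depends on the gateway treating a loopback source address as proof of trust. The following JavaScript is an added example, not OpenClaw's code or its actual fix, showing a gateway-side policy that closes each step; the class, function names, allowed origin and limits are hypothetical.

```javascript
// Added illustration: hypothetical gateway policy, not OpenClaw's code or fix.
const ALLOWED_ORIGINS = new Set(["http://localhost:9999"]); // constructed value
const MAX_FAILURES = 5;
const WINDOW_MS = 60_000;

// Comparison whose running time does not depend on where the strings differ.
function sameSecret(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i % (b.length || 1));
  }
  return diff === 0;
}

class GatewayPolicy {
  constructor(password, now = () => Date.now()) {
    this.password = password;
    this.now = now;
    this.failures = new Map(); // remote address -> failed-attempt timestamps
  }
  // Step 1: browsers send an Origin header on every WebSocket handshake, so a
  // page from another site is identifiable even when it connects from 127.0.0.1.
  checkOrigin(origin) {
    return origin === undefined || ALLOWED_ORIGINS.has(origin);
  }
  // Step 2: failed attempts are counted for every address, loopback included.
  authenticate(remoteAddress, attempt) {
    const cutoff = this.now() - WINDOW_MS;
    const recent = (this.failures.get(remoteAddress) || []).filter((t) => t > cutoff);
    if (recent.length >= MAX_FAILURES) return "locked";
    if (sameSecret(attempt, this.password)) {
      this.failures.delete(remoteAddress);
      return "ok";
    }
    this.failures.set(remoteAddress, [...recent, this.now()]);
    return "denied";
  }
  // Step 3: pairing needs an explicit user decision, never the source address.
  pairDevice(userApproved) {
    return userApproved === true ? "paired" : "pending-approval";
  }
}

function handleConnection(policy, { origin, remoteAddress, password, userApproved }) {
  if (!policy.checkOrigin(origin)) return "rejected-origin";
  const auth = policy.authenticate(remoteAddress, password);
  return auth === "ok" ? policy.pairDevice(userApproved) : auth;
}
```

Because all local clients share 127.0.0.1, a lockout in this example also blocks legitimate local clients until the window expires.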
Users Urged to Update OpenClaw
The research team strongly recommends that OpenClaw users upgrade to version 2026.2.25 or later without delay, commending the volunteers who manage the open-source project for their prompt response to the issue.
This is not the first security concern surrounding OpenClaw, as several vulnerabilities and malicious add-ons, referred to as "skills," have been reported in recent weeks. Infostealers have also been identified as targeting this popular AI tool.
Oasis Security has made several recommendations for organizations:
- Enhance visibility into AI usage by inventorying which agents and assistants are operational across developer environments.
- Update all OpenClaw instances to the latest version immediately.
- Review and adjust access rights granted to AI agents, revoking any unnecessary permissions.
- Establish a governance strategy for non-human identities that includes intent analysis, policy enforcement, just-in-time access, and a comprehensive audit trail “from human to agent to action.”