Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
  • AI
  • Tech
  • Cybersecurity
  • Finance
  • DeFi & Blockchain
  • Startups
  • Gaming
Dataconomy
  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI toolsNEW
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
Subscribe
No Result
View All Result
Dataconomy
No Result
View All Result

ClawJacked flaw lets malicious sites hijack OpenClaw, steal data

byEmre Çıtak
March 2, 2026
in Research
Home Research
Share on FacebookShare on TwitterShare on LinkedInShare on WhatsAppShare on e-mail
Google Preferred Source

A vulnerability named ClawJacked lets malicious websites hijack the OpenClaw AI platform.

The flaw enables attackers to brute‑force the local gateway password from a browser, gain admin control, and exfiltrate data, raising severe risk for enterprises using OpenClaw.

Oasis Security discovered the issue and reported it to OpenClaw. OpenClaw released a patch in version 2026.2.26 on February 26.

Stay Ahead of the Curve!

Don't miss out on the latest insights, trends, and analysis in the world of data, technology, and startups. Subscribe to our newsletter and get exclusive content delivered straight to your inbox.

The OpenClaw gateway binds to localhost and exposes a WebSocket interface. Browser cross‑origin policies do not block WebSocket connections to localhost, allowing a visited site to open a connection silently.

OpenClaw exempts the loopback address from rate limiting. The gateway accepts unlimited authentication attempts from local JavaScript.

The gateway does not log failed authentication attempts from localhost. This omission prevents operators from detecting brute‑force activity. In our lab testing, we achieved a sustained rate of hundreds of password guesses per second from browser JavaScript alone,” said Oasis.

At that speed, a list of common passwords is exhausted in under a second, and a large dictionary would take only minutes. A human‑chosen password doesn’t stand a chance,” said Oasis.

After a successful login, the attacker can register as a trusted device without user confirmation. The gateway automatically approves device pairings from the loopback address.

An attacker can therefore register a trusted device without prompting the user. The attacker can then dump credentials, list connected nodes, read logs, and execute shell commands on paired devices. Such actions can expose messaging histories, steal files, and compromise workstations from a single browser tab.

Oasis published a proof‑of‑concept video that shows data theft via the OpenClaw vulnerability. The patch tightens WebSocket security checks and re‑enables rate limiting for localhost connections. The fix adds additional protections to prevent attackers from abusing localhost loopback connections to brute‑force logins or hijack sessions.

OpenClaw recommends that users update to version 2026.2.26 or later immediately.

OpenClaw addressed the flaw within 24 hours of disclosure. The rapid response limited exposure for affected installations. Organizations running OpenClaw should apply the update without delay to prevent hijacking. Oasis Security classified the vulnerability as high severity.

The rating reflects the potential for full system compromise. OpenClaw’s popularity stems from its self‑hosted design and support for multi‑platform task automation.

The platform’s flexibility has driven rapid adoption among developers and enterprises. OpenClaw is a self‑hosted AI platform that allows agents to send messages, execute commands, and manage tasks across multiple services.


Featured image credit

Tags: agentic aibig data security

Related Posts

New dark matter theory proposes two particle types

New dark matter theory proposes two particle types

July 14, 2026
Google Dialogflow CX flaw let researchers create rogue agents

Google Dialogflow CX flaw let researchers create rogue agents

July 14, 2026
Penn State researchers build battery-free solar computing chip

Penn State researchers build battery-free solar computing chip

July 14, 2026
Anthropic research introduces GRAM for isolating dangerous AI knowledge

Anthropic research introduces GRAM for isolating dangerous AI knowledge

July 9, 2026
Global PC shipments fall 5% as AI-driven memory crisis hits supply chains

Global PC shipments fall 5% as AI-driven memory crisis hits supply chains

July 9, 2026
Only 6% of Singapore desk workers use AI daily, says Salesforce

Only 6% of Singapore desk workers use AI daily, says Salesforce

July 8, 2026

LATEST NEWS

OpenAI retires Atlas browser to focus on new ChatGPT superapp

Microsoft tests Copilot’s new PC insights feature in Windows 11

Xiaomi unveils SkyNomad N90 range-extender SUV

X algorithm update aims to make replies feel friendlier

Windows 11 Search Box gets less clutter and more control

Pixel 11 leak shows bold magenta and peach colors

BEST AI MODELS LEADERBOARD

See the best AI models, ranked by intelligence, benchmark results, speed and token price. Find the most suitable LLMs, Text-to-Image, Image Editing, Text-to-Speech, Text-to-Video and Image-to-Video  artificial intelligence model for your tasks and business.

LATEST TOOLS

Mootion

Legacy AI

Copyseeker

ProPhotos

Kuki AI

Create

RemodelAI

AItwitch

Vadoo AI

Greptile AI

Dataconomy

COPYRIGHT © DATACONOMY MEDIA GMBH, ALL RIGHTS RESERVED.

  • About
  • Imprint
  • Contact
  • Legal & Privacy

Follow Us

  • News
    • Artificial Intelligence
    • Cybersecurity
    • DeFi & Blockchain
    • Finance
    • Gaming
    • Startups
    • Tech
  • Industry
  • Research
  • Resources
    • Articles
    • Guides
    • Case Studies
    • Whitepapers
    • AI Models Leaderboard
  • AI tools
  • Newsletter
  • + More
    • Glossary
    • Conversations
    • Events
    • About
      • Who we are
      • Contact
      • Imprint
      • Legal & Privacy
      • Partner With Us
No Result
View All Result
Subscribe

This website uses cookies to improve your experience. You can choose to accept or reject them. Visit our Privacy Policy.