Patch Released for "ClawJacked" WebSocket Hijacking Flaw in OpenClaw AI Agent

Patch Shipped for "ClawJacked" WebSocket Hijacking Vulnerability in OpenClaw AI Agent

HIGH
February 15, 2026
March 1, 2026
5m read
VulnerabilityPatch ManagementCyberattack

Related Entities(initial)

Products & Tech

OpenClaw

MITRE ATT&CK Techniques

T1190Initial Access

Exploit Public-Facing Application

T1564.004Defense Evasion

NTFS File Attributes

T1059Execution

Command and Scripting Interpreter

Full Report(when first published)

Executive Summary

On February 14, 2026, a patch was released for a high-severity vulnerability, codenamed ClawJacked, in the popular OpenClaw AI agent. The flaw allowed a malicious website to hijack a developer's local OpenClaw agent instance via its WebSocket connection. By tricking a user into visiting a specially crafted webpage, an attacker could silently register a new device and gain control of the agent, enabling them to execute commands, manipulate its reasoning through prompt injection, and potentially exfiltrate data. The vulnerability was responsibly disclosed, and a fix was promptly made available in version 2026.2.13.

Vulnerability Details

ClawJacked is a WebSocket hijacking vulnerability that exploits the trust relationship between the OpenClaw agent and local connections. The attack scenario is as follows:

  1. Prerequisite: A developer is running a local instance of the OpenClaw AI agent on their machine. The agent opens a WebSocket server on a local port to listen for connections from clients (like a web UI).
  2. Initial Access: The developer is lured to a malicious website controlled by the attacker. This could be through a phishing link or a compromised ad.
  3. Cross-Origin Connection: Malicious JavaScript on the attacker's website initiates a WebSocket connection to the known local port of the OpenClaw agent (e.g., ws://localhost:1337). This is a form of Cross-Site WebSocket Hijacking (CSWH).
  4. Exploitation: The OpenClaw gateway was designed to relax certain security checks for connections originating from localhost. It would silently approve the new device registration from the malicious website's script without requiring user confirmation. This effectively gave the attacker's script control over the agent.

An additional vector of abuse involved the agent's ability to read its own logs for troubleshooting. An attacker could potentially inject malicious content into the logs, which the agent would then process. This could be used for indirect prompt injection, manipulating the agent's behavior or tricking it into revealing sensitive information.

Affected Systems

  • Product: OpenClaw AI Agent
  • Vulnerable Versions: Versions prior to 2026.2.13.
  • Patched Version: 2026.2.13.

Impact Assessment

The impact of the ClawJacked vulnerability is severe for an affected developer:

  • Agent Hijacking: The attacker gains full control over the AI agent's functions. They can issue commands, run 'skills', and interact with any integrations the agent has.
  • Data Exfiltration: If the agent has access to local files, API keys, or other sensitive data, the attacker could command it to exfiltrate this information to an external server.
  • Prompt Injection: The attacker could use their control to issue malicious prompts, potentially manipulating the agent's behavior, corrupting its knowledge base, or tricking it into performing unintended actions.
  • Local System Access: Depending on the agent's permissions, an attacker might be able to leverage it to execute commands on the local operating system, escalating the attack from agent hijacking to a full machine compromise.

Cyber Observables for Detection

Type Value Description
network_traffic_pattern WebSocket connections to localhost Monitor for unexpected WebSocket connections to local ports from browser processes, especially if the origin of the web page is an external domain.
process_name openclaw-agent Monitor the agent process for unusual activity, such as accessing sensitive files or making outbound connections that are not part of its normal operation.
log_source OpenClaw agent logs Review agent logs for unexpected device registrations or commands being executed that were not initiated by the legitimate user.

Detection & Response

Detection:

  • Browser Security Tools: Browser developer tools can be used to inspect active WebSocket connections. Security extensions may also be able to monitor for and alert on cross-origin WebSocket activity.
  • Endpoint Monitoring: An EDR solution can monitor the openclaw-agent process for suspicious file access or network connections that result from malicious commands sent via the hijacked WebSocket.

Response:

  • If a hijack is suspected, immediately terminate the openclaw-agent process and the browser session.
  • Update the OpenClaw agent to the patched version before restarting it.
  • Review agent logs and local files for any signs of unauthorized access or data modification.

Remediation Steps

Immediate Action:

  • Update Immediately: The primary and most effective remediation is to update the OpenClaw AI agent to version 2026.2.13 or newer. This is a critical application of Software Update (D3-SU).

Strategic Improvements:

  • Principle of Least Privilege: When developing applications that use local servers, ensure they run with the minimum necessary privileges. They should not have broad access to the file system.
  • Secure by Default: Local servers should enforce strict origin checks for all incoming connections, even those from localhost. The fix for ClawJacked likely involved implementing a proper Origin header check to ensure that WebSocket connections can only be initiated from trusted, whitelisted web pages, not arbitrary ones. This is a form of Application Configuration Hardening (D3-ACH).
  • User Confirmation: For sensitive actions like registering a new device or client, the application should always require explicit user confirmation through a UI prompt, regardless of where the request originates.

Timeline of Events

1
February 14, 2026
A patch for the 'ClawJacked' vulnerability was released in OpenClaw version 2026.2.13.
2
February 15, 2026
This article was published

Article Updates

March 1, 2026

New patch version 2026.2.25 released for 'ClawJacked' vulnerability in OpenClaw AI agent, explicitly addressing password bypass via WebSocket hijacking.

Update Sources:
thehackernews.comClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
ibv.co.ukClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
federicosella.comTech News | Federico Sella

MITRE ATT&CK Mitigations

Update Software

M1051enterprise

The primary mitigation is to update the OpenClaw agent to the patched version 2026.2.13 or newer.

Software Configuration

M1054enterprise

Developers of local applications should implement strict origin checks for all network requests, including WebSockets.

D3FEND Defensive Countermeasures

Software Update

D3-SUMaps to MITREM1051
D3FEND

The immediate and most effective defense against the 'ClawJacked' vulnerability is to update the OpenClaw AI agent to the patched version, 2026.2.13. This version contains the fix that prevents the WebSocket hijacking. All developers and users of OpenClaw must prioritize this update. This action directly closes the security hole that allows malicious websites to connect to and control the local agent. Maintaining an up-to-date inventory of software and enabling automatic updates where appropriate are crucial security hygiene practices that this incident underscores.

Application Configuration Hardening

D3-ACHMaps to MITREM1054
D3FEND

The root cause of 'ClawJacked' was a failure in configuration—specifically, relaxing security checks for connections from localhost. The long-term fix, which was likely implemented in the patch, is to harden the application's configuration. Any server application, even one running locally, must validate the 'Origin' header of incoming WebSocket requests. This ensures that only scripts from an allowed list of web pages (e.g., the legitimate OpenClaw web UI) can connect. By default, connections from all other origins should be rejected. This prevents the cross-site attack vector and is a fundamental principle for securing web-connected applications.

Sources & References(when first published)

ClawJacked Flaw Lets Malicious Sites Hijack Local OpenClaw AI Agents via WebSocket
The Hacker News (thehackernews.com) February 14, 2026
Cybersecurity News Review — Week 9 (2026)
Medium (medium.com) February 15, 2026

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)
LinkedIn

Tags

OpenClawClawJackedWebSocketVulnerabilityHijackingPrompt Injection

📢 Share This Article

Help others stay informed about cybersecurity threats