Oasis Security — ClawJacked OpenClaw WebSocket takeover
AI relevance: OpenClaw is an agent runtime with tool access, so a localhost WebSocket takeover lets any website seize an AI agent and its credentials, directly compromising AI operations.
- Oasis Security disclosed ClawJacked, a chain that let any website hijack a locally running OpenClaw gateway via WebSocket.
- The attack abuses the fact that browser WebSockets can connect to localhost, bypassing the usual cross-origin protections.
- Localhost connections were exempt from rate limiting, enabling rapid password brute-force from JavaScript.
- After authentication, the gateway auto-approved localhost device pairing, giving an attacker a trusted device session.
- With a session, attackers could control the agent, dump configuration, enumerate nodes, and read logs.
- Oasis reported the issue and OpenClaw shipped a fix in v2026.2.25+ within 24 hours.
Security impact
WebSocket takeovers are especially dangerous in agent systems because the socket often functions as the control plane. If an attacker can hijack it, they can issue tool calls, read outputs, and extract secrets as if they were the legitimate operator. That turns the agent into a remote command channel — quietly and at scale.
In practice, this can lead to full workflow compromise: unauthorized model invocations, tampered outputs, and data exfiltration through tool responses. Because sockets are long‑lived, a single stolen token can grant persistent access. For AI operators, this is a high‑impact risk that bypasses most UI‑level safeguards.
Mitigation strategy
Harden WebSocket endpoints with strict auth, origin validation, and short‑lived tokens. Rotate credentials regularly, enforce mTLS where possible, and monitor for unexpected socket sessions or unusual tool‑call volume. Treat WebSocket control paths as critical infrastructure.
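The sketch below is an added example, not OpenClaw's code or its actual fix: it shows a gateway-side connection check that closes the three gaps in the chain above by validating Origin, rate limiting failed passwords with no localhost exemption, and never auto-approving pairing. All function names, the allowed origin, and the limits are assumptions chosen for illustration.

```javascript
// Added example; all names are hypothetical and this is not OpenClaw's code.
const ALLOWED_ORIGINS = new Set(["http://127.0.0.1:8080"]); // constructed UI origin
const MAX_FAILURES = 5;     // failed password attempts tolerated per window
const WINDOW_MS = 60000;    // sliding window length in milliseconds
const failures = new Map(); // peer address -> timestamps of recent failures

// Browsers attach Origin to every WebSocket handshake and page script cannot
// override it, so an allowlist stops a foreign web page before authentication.
// Assumption: native clients send no Origin and continue to password auth.
// Header keys are lowercase, as in Node's http.IncomingMessage.headers.
function originAllowed(headers) {
  const origin = headers["origin"];
  return origin === undefined || ALLOWED_ORIGINS.has(origin);
}

// Failures still inside the window. Loopback peers (127.0.0.1, ::1) are
// counted like any other address: there is no localhost exemption.
function recentFailures(addr, now) {
  const kept = (failures.get(addr) || []).filter((t) => t > now - WINDOW_MS);
  if (kept.length > 0) failures.set(addr, kept);
  else failures.delete(addr);
  return kept;
}

// Decide the outcome of one connection attempt.
function handleAuth(headers, addr, passwordOk, now = Date.now()) {
  if (!originAllowed(headers)) return "reject-origin";
  const recent = recentFailures(addr, now);
  if (recent.length >= MAX_FAILURES) return "reject-rate-limit";
  if (!passwordOk) {
    failures.set(addr, [...recent, now]);
    return "reject-auth";
  }
  failures.delete(addr);
  // A correct password only queues the device; pairing is never auto-approved
  // by source address and waits for explicit operator confirmation.
  return "pairing-pending";
}
```

Logging every `reject-origin` and `reject-rate-limit` result from a loopback address gives the monitoring signal for unexpected socket sessions mentioned above.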
Why it matters
- Any drive-by website visit can become an agent takeover if a localhost gateway trusts the browser too much.
- OpenClaw agents often hold messaging tokens, API keys, and device access, amplifying impact beyond a single app.
What to do
- Update OpenClaw to v2026.2.25 or later across all developer machines.
- Use strong, unique gateway passwords and rotate any exposed tokens after patching.
- Audit agent privileges and remove unnecessary integrations from local gateways.