{"id":4689,"date":"2026-03-03T06:44:36","date_gmt":"2026-03-03T06:44:36","guid":{"rendered":"http:\/\/ft365.org\/index.php\/2026\/03\/03\/clawjacked-bug-enables-covert-ai-agent-hijacking\/"},"modified":"2026-03-03T06:44:36","modified_gmt":"2026-03-03T06:44:36","slug":"clawjacked-bug-enables-covert-ai-agent-hijacking","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/03\/03\/clawjacked-bug-enables-covert-ai-agent-hijacking\/","title":{"rendered":"ClawJacked Bug Enables Covert AI Agent Hijacking"},"content":{"rendered":"
\n

\"Photo<\/p>\n<\/div>\n

\n

OpenClaw users have been urged to upgrade to the latest version of the tool after researchers revealed how an indirect prompt injection attack could give adversaries full remote control.<\/p>\n

The \u201cClawJacked\u201d bug is a high-severity issue in the popular AI assistant platform.<\/p>\n

\u201cAt its core, OpenClaw runs a gateway, a local WebSocket server that acts as the brain of the operation. The gateway handles authentication, manages chat sessions, stores configuration\u00a0and orchestrates the AI agent,\u201d Oasis Security explained.<\/p>\n

\u201cConnected to the gateway are nodes \u2013 these can be the macOS companion app, an iOS device, or other machines. Nodes register with the gateway and expose capabilities, running system commands, accessing the camera, reading contacts and more. The gateway can dispatch commands to any connected node.\u201d<\/p>\n

The problem is that the gateway binds to localhost by default, because it assumes that local access is inherently trusted. However, if a user visits a malicious site, this assumption breaks down.<\/p>\n

The report explained that an attack could look like this:<\/p>\n

    \n
  1. JavaScript on the page opens a WebSocket connection to localhost<\/strong>\u00a0on the OpenClaw gateway port. This is permitted because WebSocket connections to localhost are not blocked by cross-origin policies<\/li>\n
  2. The script brute-forces the gateway password<\/strong>\u00a0at hundreds of attempts per second. The gateway’s rate limiter exempts localhost connections entirely<\/li>\n
  3. Once authenticated, the script silently registers as a trusted device.<\/strong>\u00a0The gateway auto-approves device pairings from localhost with no user prompt<\/li>\n<\/ol>\n

    One these steps have been achieved, the attacker has full control over the OpenClaw instance \u2013 enabling them to interact with the agent, dump configuration data, enumerate connected devices\u00a0and read logs, Oasis Security warned.<\/p>\n

    Read more on OpenClaw: Researchers Find 40,000+ Exposed OpenClaw Instances.<\/em><\/p>\n

    Users Urged to Update OpenClaw<\/strong><\/h2>\n

    The research team urged OpenClaw users to upgrade to version 2026.2.25 or later immediately, praising the volunteers that manage the open source project for their swift fix.<\/p>\n

    However, this is just one of many OpenClaw security scares to surface over recent weeks. Numerous vulnerabilities and hundreds of malicious add-ons (\u201cskills\u201d) have been discovered in the platform ecosystem, and infostealers are known to be targeting the popular AI tool.<\/p>\n

    Oasis Security recommended organizations:<\/p>\n