{"id":44020,"date":"2026-02-28T06:25:25","date_gmt":"2026-02-27T22:25:25","guid":{"rendered":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/28\/clawjacked-vulnerability-in-openclaw-could-let-websites-hijack-ai-agents\/"},"modified":"2026-02-28T06:25:25","modified_gmt":"2026-02-27T22:25:25","slug":"clawjacked-vulnerability-in-openclaw-could-let-websites-hijack-ai-agents","status":"publish","type":"post","link":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/2026\/02\/28\/clawjacked-vulnerability-in-openclaw-could-let-websites-hijack-ai-agents\/","title":{"rendered":"ClawJacked Vulnerability in OpenClaw Could Let Websites Hijack AI Agents"},"content":{"rendered":"\n<p>It has been a whirlwind few months for Peter Steinberger and his creation, <a href=\"https:\/\/hackread.com\/tag\/OpenClaw\/\" target=\"_blank\" data-type=\"post_tag\" data-id=\"29681\" rel=\"noreferrer noopener\">OpenClaw<\/a>. The AI tool, which acts as a personal assistant for developers, exploded in popularity, racking up 100,000 GitHub stars in less than a week. It even caught the eye of OpenAI\u2019s Sam Altman, who recently <a href=\"https:\/\/www.forbes.com\/sites\/ronschmelzer\/2026\/02\/16\/openai-hires-openclaw-creator-peter-steinberger-and-sets-up-foundation\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">brought<\/a> Steinberger on board, calling him a genius. But according to researchers at Oasis Security, that rapid success came with a hidden danger.<\/p>\n<p>The Oasis Research team has just released details on ClawJacked (<a href=\"https:\/\/nvd.nist.gov\/vuln\/detail\/CVE-2026-25253\" target=\"_blank\" rel=\"noreferrer noopener\">CVE-2026-25253<\/a>), a significant vulnerability chain that effectively allowed any website to take over a person\u2019s AI agent. For your information, this isn&#8217;t a problem with a fancy plugin or a shady download; it was a flaw in the main gateway of the software itself. Because the tool is designed to trust connections from the user\u2019s own computer, it left a door wide open for hackers.<\/p>\n<h3><strong>The Silent Hijack<\/strong><\/h3>\n<p>Oasis\u2019s research revealed a clever trick involving WebSockets. Normally, your web browser is quite good at keeping different websites from messing with your local files. However, WebSockets are an exception because they are designed to stay &#8220;always-on&#8221; to send data back and forth quickly.<\/p>\n<p>According to researchers, the OpenClaw gateway assumed that if a connection was coming from the user&#8217;s own machine (localhost), it must be safe. However, this is a dangerous assumption; if a developer running OpenClaw accidentally landed on a malicious website, a hidden script on that page could quietly reach out through a <a href=\"https:\/\/hackread.com\/excessive-expansion-vulnerabilities-jenkins-servers\/\" target=\"_blank\" rel=\"noreferrer noopener\">WebSocket<\/a> and talk directly to the AI tool running in the background. The user wouldn&#8217;t see a pop-up or warning.<\/p>\n<h3><strong>Proving the Threat<\/strong><\/h3>\n<p>To show just how serious this was, the team built a proof-of-concept to test the attack. They demonstrated the hijack &#8220;all without the user seeing any indication that anything had happened.&#8221; During this test, their script successfully guessed the password, connected with full permissions, and began interacting with the <a href=\"https:\/\/hackread.com\/flowable-2025-2-multi-agent-ai-orchestration-enterprises\/\" target=\"_blank\" rel=\"noreferrer noopener\">AI agent<\/a> from a completely unrelated website.<\/p>\n<p>The speed of the attack was the most alarming part. The software didn&#8217;t have a limit on how many times someone could try a password if they were connecting from the same machine. Researchers noted in the <a href=\"https:\/\/www.oasis.security\/blog\/openclaw-vulnerability\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">blog post<\/a> that they could guess hundreds of passwords every second, concluding that &#8220;a human-chosen password doesn&#8217;t stand a chance&#8221; against that kind of speed.<\/p>\n<figure>\n<div> <iframe loading=\"lazy\" title=\"OpenClaw Vulnerability: Browser Tab to Agent Takeover\" width=\"1200\" height=\"675\" src=\"https:\/\/www.youtube.com\/embed\/A15fuHs7fOc?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe> <\/div>\n<\/figure>\n<h3><strong>The Fix<\/strong><\/h3>\n<p>Once the script guessed the password, the attacker gained admin-level permission, and from this position, they could read private Slack messages, steal API keys, and even command the AI to search for and exfiltrate files from the computer.<\/p>\n<p>Thankfully, the OpenClaw team\u2019s response was incredibly fast. After being alerted to the mess, the team released a fix within just 24 hours. If you are using this tool, you need to update to version 2026.2.25 or later immediately to stay safe.<\/p>\n<div style='margin: 8px auto; text-align: center; display: block; clear: both;'> <script async src=\"https:\/\/pagead2.googlesyndication.com\/pagead\/js\/adsbygoogle.js?client=ca-pub-3675825324474978\"      crossorigin=\"anonymous\"><\/script>  <ins      style=\"display:inline-block;width:300px;height:250px\"      data-ad-client=\"ca-pub-3675825324474978\"      data-ad-slot=\"3421156210\"><\/ins> <script>      (adsbygoogle = window.adsbygoogle || []).push({}); <\/script><\/div>\n<p>This news comes shortly after a separate issue earlier this month, where over 1,000 malicious skills were found in OpenClaw&#8217;s community marketplace, showing that hackers are specifically targeting this new technology.<\/p>\n<h3><strong>Expert Perspectives<\/strong><\/h3>\n<p>In response to the discovery, the following insights were shared with Hackread.com. Diana Kelley, Chief Information Security Officer at Noma Security, notes that this is a vital reminder that AI agents must be treated as highly privileged systems. &#8220;The core issue was misplaced trust in local connections. \u2018Local\u2019 does not automatically mean \u2018safe,\u2019&#8221; she explained. Kelley advises organisations to strictly review how their AI tools handle authentication and user approval.<\/p>\n<p>Randolph Barr, Chief Information Security Officer at Cequence Security, points out that this flaw, dubbed &#8220;ClawJacked,&#8221; highlights a gap where product usefulness grew faster than security. &#8220;The design focused on making the developer experience as smooth as possible&#8230; this made adoption faster but also made defensive controls less effective,&#8221; Barr said. He warns that in the age of AI, a quick patch might not be enough, as these agents often have the authority to act with the full permissions of the user.<\/p>\n<p>Mark McClain, Chief Executive Officer at SailPoint, concludes that this incident should be a wake-up call for identity security. &#8220;These agents are no longer just tools for communication. They are powerful, always-on identities embedded in critical workflows,&#8221; McClain said. He stresses that organisations must treat AI agents as &#8220;first-class citizens&#8221; in their security frameworks, applying the same rigour to them as they do to human employees.<\/p>\n<div >\n<div>\n<div>\n<div>\n<h5> \t\t\t\t\t\t<a href=\"https:\/\/hackread.com\/author\/deeba\/\" rel=\"author\"> \t\t\t\t\t\t\tDeeba Ahmed\t\t\t\t\t\t<\/a> \t\t\t\t\t<\/h5>\n<div> \t\t\t\t\t\t\t<a href=\"https:\/\/hackread.com\/author\/deeba\/\" rel=\"author\"> \t\t\t\t\t\t\t\t<img src='https:\/\/secure.gravatar.com\/avatar\/9fefbe13a37a8aeb4620dfe89bb7feabd9433643ff382b6b882f27837a4cfb72?s=80&#038;d=mm&#038;r=g' srcset='https:\/\/secure.gravatar.com\/avatar\/9fefbe13a37a8aeb4620dfe89bb7feabd9433643ff382b6b882f27837a4cfb72?s=160&#038;d=mm&#038;r=g 2x' height='80' width='80' alt=\"ClawJacked Vulnerability in OpenClaw Could Let Websites Hijack AI Agents\" \/>\t\t\t\t\t\t\t<\/a> \t\t\t\t\t\t<\/div>\n<div>\n<div> \t\t\t\t\t\t\t\tDeeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform\u2019s trusted coverage.\t\t\t\t\t\t\t<\/div>\n<div>\n<div> \t\t<a href=\"https:\/\/hackread.com\/author\/deeba\/\" target=\"\"> \t\t\tView Posts\t\t<\/a> \t<\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<\/p><\/div>\n","protected":false},"excerpt":{"rendered":"<p>It has been a whirlwind few months for Peter Steinberge [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[],"class_list":["post-44020","post","type-post","status-publish","format-standard","hentry","category-hackread"],"_links":{"self":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/44020","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/comments?post=44020"}],"version-history":[{"count":0,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/posts\/44020\/revisions"}],"wp:attachment":[{"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/media?parent=44020"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/categories?post=44020"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nuoya.nuoyayasuo.top\/index.php\/wp-json\/wp\/v2\/tags?post=44020"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}