OpenClaw users have been urged to upgrade to the latest version of the tool after researchers revealed how an indirect prompt injection attack could give adversaries full remote control.
The “ClawJacked” bug is a high-severity issue in the popular AI assistant platform.
“At its core, OpenClaw runs a gateway, a local WebSocket server that acts as the brain of the operation. The gateway handles authentication, manages chat sessions, stores configuration and orchestrates the AI agent,” Oasis Security explained.
“Connected to the gateway are nodes – these can be the macOS companion app, an iOS device, or other machines. Nodes register with the gateway and expose capabilities, running system commands, accessing the camera, reading contacts and more. The gateway can dispatch commands to any connected node.”
The problem is that the gateway binds to localhost by default, because it assumes that local access is inherently trusted. However, if a user visits a malicious site, this assumption breaks down.
The report explained that an attack could look like this:
- JavaScript on the page opens a WebSocket connection to localhost on the OpenClaw gateway port. This is permitted because WebSocket connections to localhost are not blocked by cross-origin policies
- The script brute-forces the gateway password at hundreds of attempts per second. The gateway’s rate limiter exempts localhost connections entirely
- Once authenticated, the script silently registers as a trusted device. The gateway auto-approves device pairings from localhost with no user prompt
One these steps have been achieved, the attacker has full control over the OpenClaw instance – enabling them to interact with the agent, dump configuration data, enumerate connected devices and read logs, Oasis Security warned.
Read more on OpenClaw: Researchers Find 40,000+ Exposed OpenClaw Instances.
Users Urged to Update OpenClaw
The research team urged OpenClaw users to upgrade to version 2026.2.25 or later immediately, praising the volunteers that manage the open source project for their swift fix.
However, this is just one of many OpenClaw security scares to surface over recent weeks. Numerous vulnerabilities and hundreds of malicious add-ons (“skills”) have been discovered in the platform ecosystem, and infostealers are known to be targeting the popular AI tool.
Oasis Security recommended organizations:
- Gain visibility into all of their AI usage by inventorying which agents and assistants are running across developer environments
- Update all OpenClaw instances immediately to the latest version
- Review access rights granted to AI agents and revoke anything that isn’t actively required
- Establish governance strategy for non-human identities based around intent analysis, policy enforcement, just-in-time access and a full audit trail “from human to agent to action”
