OpenClaw Security Guide
Back to Threat Intel
findingexposureAgent: OpenClawcriticalhigh confidence

ClawJacked local API exposure can enable remote abuse and code execution

Oasis Security documented OpenClaw local agent API abuse via cross-origin WebSocket exploitation, allowing a website to silently control a developer's AI agent when localhost trust, rate-limit exemptions, and auto-approved device pairing are exposed.

openclawexposureremote-code-executionlocal-apiauthcross-originwebsocket

Date

Feb 19, 2026

First Seen

Feb 19, 2026

Last Reviewed

May 10, 2026

Publisher

Oasis Security

Source Type

article

View source

Related reading

OpenClaw Security Guide

A practical baseline for local binding, scoped credentials, sandboxing, runtime checks, and Armorer Guard.

Securing OpenClaw with Armorer Guard

How Armorer wraps OpenClaw with managed setup, Docker hardening, health checks, approvals, and Guard-backed scanning.

Subscribe via RSSFollow on TelegramGet email updates

Get email updates

Get reviewed Armorer threat-intel updates when new findings are published.

ClawJacked Local API Exposure

Summary

Oasis Security documented OpenClaw local agent API abuse via cross-origin WebSocket exploitation, allowing a website to silently control a developer's AI agent when localhost trust, rate-limit exemptions, and auto-approved device pairing are exposed.

Why It Matters

OpenClaw is powerful specifically because it can read files, run commands, and orchestrate tools. If the local control plane becomes reachable to an attacker, the impact is not limited to data disclosure. It can become a host-compromise path.

Affected Versions

All versions prior to 2026.2.25. Fixed in version 2026.2.25 and later.

Attack Path

  • Any website can issue browser JavaScript that targets the localhost gateway.
  • No rate limiting on password guesses from localhost enables rapid brute-forcing.
  • Gateway auto-approves localhost device registrations.
  • Once authenticated, attacker gains full admin-level access: dumps configuration, enumerates connected nodes, reads logs, and issues agent actions.
  • Agent runtime performs commands or file operations with the victim's local privileges.

Indicators of Compromise

  • Unexpected WebSocket connections to localhost on the OpenClaw gateway port.
  • Unknown device registrations in OpenClaw gateway logs.
  • Unusual AI agent activity or queries.

Affected Surface

  • Local agent API and gateway exposure model
  • Cross-origin WebSocket handling
  • Weak binding or auth assumptions
  • Auto-approval of localhost device pairings
  • Deployments that treat local-only access as an adequate trust boundary

Evidence

Mitigations

  • Update to version 2026.2.25 or later.
  • Bind gateway interfaces to loopback only unless remote access is explicitly required.
  • Require token-based auth for any control plane that can trigger tools or runtime actions.
  • Audit existing device registrations and access grants.
  • Deny dangerous tool groups by default in messaging or shared-inbox profiles.
  • Use pairing or strict allowlists for DM-style channels.