ClawJacked: Cross-origin WebSocket exploitation and full OpenClaw compromise
Oasis Security follow-up article published 2026-05-10 providing explicit version scope, technical attack chain details, and indicators of compromise for the ClawJacked vulnerability class.
Date: May 10, 2026
First Seen: May 10, 2026
Last Reviewed: May 10, 2026
Publisher: Oasis Security
Source Type: article
Related reading
- OpenClaw Security Guide: A practical baseline for local binding, scoped credentials, sandboxing, runtime checks, and Armorer Guard.
- Securing OpenClaw with Armorer Guard: How Armorer wraps OpenClaw with managed setup, Docker hardening, health checks, approvals, and Guard-backed scanning.
Source Summary
Extracted Claims
- Vulnerability name: ClawJacked
- Severity: High (vendor classified)
- Affected versions: All versions prior to 2026.2.25
- Fixed version: 2026.2.25 and later
- Attack vector: Cross-origin WebSocket exploitation from browser JavaScript on any website
- Root cause: Gateway trusts localhost connections unconditionally, exempts them from rate limiting, and auto-approves device pairings
- Exploitability: Attacker can brute-force gateway password at hundreds of attempts per second, register as a trusted device, then access the AI agent, dump configuration, enumerate connected nodes, and read logs
- Full admin-level access achievable once authenticated
Indicators of Compromise
- Unexpected WebSocket connections to localhost on the OpenClaw gateway port
- Unknown device registrations in OpenClaw gateway logs
- Unusual AI agent activity or queries
Recommendation
Update to version 2026.2.25+ immediately and audit access granted to AI agents.
Evidence Quality
Primary source; vendor advisory with explicit version scope and IoC detail. High confidence.