OpenClaw Critical Exploit Could Enable Full Admin Hijacking, Researchers Warn
- Stacey George
- April 1, 2026
A newly disclosed OpenClaw critical exploit let a malicious website target a locally running OpenClaw instance, brute-force its gateway access, and turn that browser-origin session into full administrative control of the host environment before the project pushed emergency mitigations.
TL;DR Key Points
- Oasis Security said the ClawJacked chain began with a malicious website opening a localhost connection to a user’s OpenClaw gateway.
- OpenClaw v2026.2.25, released on February 26, 2026, added origin checks, browser-origin localhost throttling, and a block on silent auto-pairing.
- Microsoft Defender Security Research said OpenClaw should be isolated from standard personal and enterprise workstations.
What made the disclosure unusually severe was its starting point: the attacker did not need local shell access first. Oasis Security wrote that simply visiting a malicious website could trigger the browser-to-local takeover chain against an OpenClaw instance already running on the same machine.
How the ClawJacked Exploit Could Turn a Malicious Website Into an OpenClaw Admin Session
The Oasis disclosure said the malicious page could open a WebSocket connection to localhost, where OpenClaw’s gateway was listening, and then drive password guessing directly from the browser. That kept the initial foothold firmly in endpoint territory, not in token markets or blockchain infrastructure.
Oasis said browser JavaScript could push hundreds of password guesses per second against the local gateway. Once the password fell, the attacker could silently pair as a trusted device instead of stopping at a one-off session.
The Exploit Chain Step by Step
- A malicious website opened a direct browser connection to the victim’s localhost OpenClaw gateway.
- That browser session then ran hundreds of password guesses per second until the gateway password was recovered.
- After the password was guessed, Oasis said the attacker could register as a trusted device and inherit an authenticated admin session.
According to Oasis, that authenticated session carried admin-level permissions that exposed configuration data, connected nodes, and local logs. The researchers said the result was effective full workstation compromise, because the gateway sat close to sensitive runtime state rather than behind a strongly isolated boundary.
What OpenClaw Fixed in v2026.2.25 After the Disclosure
OpenClaw shipped v2026.2.25 on February 26, 2026, and the official release notes say Gateway WebSocket authentication now enforces origin checks for direct browser clients beyond the Control UI and Webchat. That change matters because the ClawJacked chain depended on a website being able to talk directly to the local gateway from the browser.
The same release notes say browser-origin loopback password attempts, including localhost, are now throttled. OpenClaw also said it now blocks silent auto-pairing for non-Control-UI browser clients to prevent the cross-origin brute-force and session takeover chain described by the researchers.
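The three safeguards named in the release notes can be sketched as one handshake policy. This is an added example, not OpenClaw's code: the class and function names, the Control UI origin, and the throttle limits are all assumptions chosen for illustration.

```javascript
// Added illustration; not OpenClaw's code. Names, origins and limits are assumptions.
const CONTROL_UI_ORIGIN = "http://localhost:8080"; // constructed value
const MAX_FAILURES = 5;   // assumed failed-attempt budget per window
const WINDOW_MS = 60_000; // assumed throttle window

// Compare without returning early on the first differing character.
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

class GatewayAuthPolicy {
  constructor(password, allowedOrigins = [CONTROL_UI_ORIGIN]) {
    this.password = password;
    this.allowedOrigins = new Set(allowedOrigins);
    this.failures = new Map(); // throttle key -> timestamps of failed attempts
  }

  // One call per WebSocket handshake that carries a password attempt.
  authenticate({ origin, remoteAddress, password, now = Date.now() }) {
    // Browsers set Origin on WebSocket handshakes and page script cannot override it.
    if (origin && !this.allowedOrigins.has(origin)) {
      return { ok: false, reason: "origin-rejected" };
    }
    // Loopback gets no exemption: the throttle covers 127.0.0.1 and ::1 as well.
    const key = `${remoteAddress}|${origin || "no-origin"}`;
    const recent = (this.failures.get(key) || []).filter((t) => now - t < WINDOW_MS);
    this.failures.set(key, recent);
    if (recent.length >= MAX_FAILURES) return { ok: false, reason: "throttled" };
    if (!constantTimeEqual(password, this.password)) {
      recent.push(now);
      return { ok: false, reason: "bad-password" };
    }
    this.failures.delete(key);
    return { ok: true, pairing: this.pairingDecision(origin) };
  }

  // Only the Control UI pairs silently; every other client waits for explicit
  // approval (applying this to non-browser clients is an assumption).
  pairingDecision(origin) {
    return origin === CONTROL_UI_ORIGIN ? "auto" : "needs-approval";
  }
}
```

The origin check runs before the password is examined, so a page on an unlisted origin learns nothing about whether a guess was correct.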
Patch Details and Disclosure Timeline
The Hacker News reported that the fix landed less than 24 hours after responsible disclosure. That quick turnaround is one of the cleaner established facts in this case, and it anchors the story to the patch rather than to rumor-driven retellings.
The distinction matters because weaker rewrites have blurred this bug into older OpenClaw issues. The verified evidence set here is narrower: a malicious website could seize control of a local OpenClaw admin session, and v2026.2.25 was the release that introduced the browser-facing safeguards meant to break that chain.
Why the OpenClaw Flaw Matters Beyond a Single Patch
The risk was broader than an exposed dashboard. If an attacker can read configuration, enumerate connected nodes, and pull logs from an authenticated admin session, the compromise extends into the workstation that hosts OpenClaw and whatever credentials or operational context sit beside it, which is why Oasis framed the outcome as effective workstation takeover.
Deployment and Isolation Implications After the Patch
Microsoft Defender Security Research wrote that OpenClaw should be treated as untrusted code execution with persistent credentials and should not run on a standard personal or enterprise workstation. That is the strongest deployment warning in the verified source set, and it shifts the discussion from bug severity alone to where the software belongs operationally.
The practical takeaway is about endpoint security posture, not price action.
For operators, the immediate baseline is to move to v2026.2.25 and revisit whether OpenClaw is running on a machine that should ever hold day-to-day user activity. The patch closes the disclosed browser-to-local takeover path, but Microsoft’s guidance suggests the deeper lesson is that OpenClaw still warrants isolation even after the specific chain was fixed.