A critical security vulnerability in the popular OpenClaw AI agent framework has exposed thousands of users to remote hijacking and data theft, allowing attackers to gain full control of local instances through malicious websites. Dubbed ClawJacked (CVE-2026-25253), the flaw enabled unauthenticated WebSocket connections from any site a user visited, bypassing protections and granting silent admin access to steal configurations, API keys, and logs.[1][3] OpenClaw developers patched it rapidly in version 2026.2.26 after responsible disclosure by Oasis Security researchers, but not before over 135,000 instances were found exposed online, many leaking sensitive credentials.[2][4]
OpenClaw, an open-source tool that exploded to over 180,000 GitHub stars in weeks, lets AI agents run locally on users' machines, connecting to browsers, files, terminals, and services for task automation like web browsing or data processing.[1][2] According to Ars Technica, the viral AI agent's insecure defaults—especially in Docker setups binding to all network interfaces (0.0.0.0:18789)—left it wide open to the internet, even with weak passwords like "a" that attackers could brute-force.[2] Hacker News discussions highlighted how this "one-click RCE" turned developer laptops into hacker playgrounds, with probes hitting new honeypots within minutes of exposure.[4]
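The hijack described above works because the local service accepted a WebSocket upgrade from any page the browser happened to load, without asking who was connecting or whether they held a credential. The following is an added example, not OpenClaw's code: a minimal handshake gate that an operator-run local agent could apply before accepting an upgrade. It assumes the agent listens on 127.0.0.1:18789 (the port named in this article), that the operator's own UI is served from that origin, and that a bearer token is issued out of band; ALLOWED_ORIGINS, EXPECTED_TOKEN, the `?token=` query convention and the sample handshakes are all constructed for illustration.

```python
"""Added example (not OpenClaw code): gate a local WebSocket upgrade on Origin + token.

Assumptions: the agent listens on 127.0.0.1:18789 (the port named in the
article), its own UI is served from that origin, and the operator holds a
bearer token issued out of band.  ALLOWED_ORIGINS, EXPECTED_TOKEN, the
`?token=` query convention and the sample handshakes are all constructed.
"""
import hmac
from urllib.parse import parse_qs, urlsplit

# Constructed operator settings (not real values).
ALLOWED_ORIGINS = {"http://127.0.0.1:18789", "http://localhost:18789"}
EXPECTED_TOKEN = "example-local-token-not-a-real-secret"
LOOPBACK_HOSTS = {"127.0.0.1", "::1", "localhost"}


def parse_handshake(raw):
    """Split an HTTP Upgrade request into method, target and lower-cased headers."""
    head = raw.partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def presented_token(req):
    """Token from an Authorization header (non-browser clients) or, because a
    browser cannot set headers on a WebSocket, from a ?token= query parameter
    (that query convention is an assumption of this example)."""
    scheme, _, token = req["headers"].get("authorization", "").partition(" ")
    if scheme.lower() == "bearer" and token:
        return token
    return parse_qs(urlsplit(req["target"]).query).get("token", [None])[0]


def evaluate_upgrade(raw_request):
    """Return (accept, reason) for one handshake."""
    req = parse_handshake(raw_request)
    h = req["headers"]
    if req["method"] != "GET" or h.get("upgrade", "").lower() != "websocket":
        return False, "not a websocket upgrade"
    # Host must name the loopback service, so a DNS name rebound to 127.0.0.1
    # cannot be used to reach it.
    host = urlsplit("//" + h.get("host", "")).hostname or ""
    if host not in LOOPBACK_HOSTS:
        return False, "unexpected host %r" % host
    # Browsers always send Origin on WebSocket requests, so a page loaded from
    # another site announces itself here.  Ignoring this header is what lets any
    # visited site open the channel; an absent Origin means a non-browser client.
    origin = h.get("origin")
    if origin is not None and origin.lower() not in ALLOWED_ORIGINS:
        return False, "origin %r not allowed" % origin
    # A permitted origin still has to prove it holds the operator token;
    # "unauthenticated" access was the core defect.
    token = presented_token(req)
    if token is None or not hmac.compare_digest(token, EXPECTED_TOKEN):
        return False, "missing or wrong bearer token"
    return True, "accepted"


def _handshake(origin=None, authorization=None, target="/ws"):
    """Build a constructed handshake for the samples below."""
    lines = ["GET %s HTTP/1.1" % target, "Host: 127.0.0.1:18789",
             "Upgrade: websocket", "Connection: Upgrade",
             "Sec-WebSocket-Version: 13",
             "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ=="]
    if origin:
        lines.append("Origin: " + origin)
    if authorization:
        lines.append("Authorization: " + authorization)
    return "\r\n".join(lines) + "\r\n\r\n"


# Constructed samples: the operator's own UI, a page from an unrelated site,
# the UI without a token, and a non-browser client passing the token in the URL.
SAME_ORIGIN_WITH_TOKEN = _handshake("http://127.0.0.1:18789",
                                    "Bearer " + EXPECTED_TOKEN)
OTHER_SITE = _handshake("https://unrelated-site.example")
SAME_ORIGIN_NO_TOKEN = _handshake("http://127.0.0.1:18789")
CLI_QUERY_TOKEN = _handshake(target="/ws?token=" + EXPECTED_TOKEN)

if __name__ == "__main__":
    for name, req in [("same-origin+token", SAME_ORIGIN_WITH_TOKEN),
                      ("other-site", OTHER_SITE),
                      ("same-origin, no token", SAME_ORIGIN_NO_TOKEN),
                      ("cli, query token", CLI_QUERY_TOKEN)]:
        print("%-22s -> %s" % (name, evaluate_upgrade(req)))
```

The two checks are deliberately independent: the Origin allow-list stops a visited page from opening the channel at all, and the token check means that even a same-origin request, or a non-browser client that sends no Origin, cannot act without the operator's credential. Binding to loopback alone does not give either property, since the browser on the same machine is already inside the loopback boundary.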
The impact is severe for developers, organizations, and anyone using OpenClaw without IT oversight. Security scans by firms like SecurityScorecard and Censys revealed over 12,800 directly exploitable instances, plus risks from prompt injection attacks, malicious skills on ClawHub (341 documented), and infostealers harvesting full config files with embedded API keys.[2][3] Wired reported hackers sharing leaked OpenClaw code bundled with malware, amplifying supply-chain threats alongside incidents like Cisco source code thefts.[3] Immersive Labs urged immediate uninstallation, noting adversaries now target AI agents directly via WebSocket APIs, skipping traditional exploits.[2]
Experts emphasize why this matters: AI agents like OpenClaw hold high privileges on user systems, making them riskier than typical apps. A compromised instance doesn't just leak passwords—it lets attackers impersonate users across connected services, from messaging apps to cloud storage.[1][7] Bitsight researchers found even "LAN-bound" modes vulnerable due to poor credential enforcement, with traffic showing sophisticated scans for auth bypasses and command execution.[4] Organizations face shadow IT challenges, as developers deploy these tools unchecked, exposing corporate data.
Immediate steps include updating to OpenClaw 2026.2.26 or later, auditing exposed ports (especially 18789), rotating all API keys and tokens, and using kill switches for compromised VPS setups.[1][6] TechRadar and YouTube security guides recommend network isolation, strong authentication, and scanning for infostealer remnants.[3][6] Companies should inventory AI tools, enforce least-privilege access, and monitor for prompt injections in untrusted inputs.[1][3]
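The port audit in the first step above, as an added example that is not part of this article or of OpenClaw's tooling: it reads `ss -ltn` output and Docker port mappings and flags any listener for the agent port that is reachable on a non-loopback address, which is exactly the `0.0.0.0:18789` default the earlier paragraph describes. The agent port is the one named in the article; the `ss` output and the Docker mappings are constructed samples.

```python
"""Added example (not OpenClaw's tooling): audit whether the agent port is exposed.

Assumes the agent listens on TCP 18789 (the port named in the article).  The
`ss -ltn` output and the Docker port mappings below are constructed samples.
"""
import ipaddress

AGENT_PORT = 18789
LOOPBACK_NAMES = {"127.0.0.1", "::1", "localhost"}

# Constructed sample of `ss -ltn` on a host running the agent in Docker with
# the default `-p 18789:18789` mapping (published on every interface).
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q   Local Address:Port    Peer Address:Port  Process
LISTEN  0       128      0.0.0.0:22            0.0.0.0:*
LISTEN  0       4096     0.0.0.0:18789         0.0.0.0:*
LISTEN  0       4096     127.0.0.1:5432        0.0.0.0:*
LISTEN  0       4096     [::]:18789            [::]:*
"""


def is_loopback(host):
    """True only for addresses that cannot be reached from another machine."""
    host = host.strip("[]")
    if host in ("*", ""):          # ss prints '*' for 'any address'
        return False
    if host in LOOPBACK_NAMES:
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def _split_local(addr_port):
    """Split ss's 'addr:port' column, handling '[::]:18789' and '*:80'."""
    host, _, port = addr_port.rpartition(":")
    return host.strip("[]"), int(port)


def exposed_listeners(ss_output, port=AGENT_PORT):
    """Return (address, port) pairs where the agent port is bound off-loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue
        host, p = _split_local(cols[3])
        if p == port and not is_loopback(host):
            findings.append((host, p))
    return findings


def docker_mapping_is_exposed(mapping, port=AGENT_PORT):
    """Check one `docker run -p` / compose `ports:` entry for the agent port.

    '18789:18789' publishes on all interfaces; '127.0.0.1:18789:18789' keeps it
    on loopback.  A bare container port ('18789') is published on all
    interfaces at an ephemeral host port, so it counts as exposed too.
    """
    parts = mapping.split(":")
    if len(parts) == 1:                      # CONTAINER_PORT only
        return int(parts[0].split("/")[0]) == port
    if len(parts) == 2:                      # HOST_PORT:CONTAINER_PORT
        host_ip, host_port = "0.0.0.0", parts[0]
    else:                                    # HOST_IP:HOST_PORT:CONTAINER_PORT
        host_ip, host_port = ":".join(parts[:-2]), parts[-2]
    return int(host_port.split("/")[0]) == port and not is_loopback(host_ip)


if __name__ == "__main__":
    for host, p in exposed_listeners(SAMPLE_SS_OUTPUT):
        print("EXPOSED: agent port %d is bound to %s" % (p, host))
    for m in ("18789:18789", "127.0.0.1:18789:18789", "[::1]:18789:18789"):
        print("%-24s exposed=%s" % (m, docker_mapping_is_exposed(m)))
```

On a real host, feed the function the live output (`ss -ltn` on Linux) and the `ports:` entries from the compose file; a mapping of the form `127.0.0.1:18789:18789` is the corrected setting for the all-interfaces default the article describes, and a passing audit still needs the authentication and key-rotation steps listed above, since a loopback bind alone does not stop a visited website from reaching the port.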
Looking ahead, this incident underscores the "ship fast, secure later" pitfalls of hyped AI projects. While OpenClaw's team responded in under 24 hours to ClawJacked, ongoing issues like 900+ potentially malicious skills and 40,000+ lingering exposures signal deeper risks.[2][7] As Aikido Security noted, hardening guides can't fully mitigate a framework designed for broad access; users must weigh automation benefits against compromise potential.[7] Regulators and firms are now pushing for better defaults in AI agents to prevent widespread breaches.