Your personal OpenClaw agent may also be taking orders from malicious websites
Summary
Researchers at Oasis Security discovered a vulnerability chain, dubbed ClawJacked (CVE-2026-25253), in OpenClaw that allows malicious websites to gain full control of a locally running agent by exploiting the implicit trust of "localhost" connections. By bypassing rate limits and enabling unauthorized device pairing, attackers can access the agent's privileges, workflows, and credentials. OpenClaw promptly fixed the flaw after being notified.
IFF Assessment
Attackers can exploit a flaw in OpenClaw to gain unauthorized access and control of local AI agents.
Severity
Defender Context
The ClawJacked chain highlights the danger of implicitly trusting "localhost" connections in modern web applications. Defenders should ensure that proper authentication and authorization mechanisms are in place, even for local services, and implement rate limiting to prevent brute-force attacks. The incident also demonstrates the increasing attack surface of AI agents and the importance of secure development practices.
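One way to apply these points to a loopback service, as an added example that is not OpenClaw's code or its fix: a pairing check that validates the browser-supplied Origin header, requires a secret, and counts failed attempts from loopback addresses like any other client. The function names, the allowed origin, the secret, and the limits are all hypothetical.

```python
import hmac
import time
from collections import defaultdict, deque

# All names and values below are hypothetical, for illustration only.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080"}   # the agent's own UI origin (assumed)
PAIRING_SECRET = "constructed-sample-secret"  # constructed sample value
MAX_FAILURES = 5                              # failed attempts allowed per window
WINDOW_SECONDS = 60.0

_failures = defaultdict(deque)  # client address -> timestamps of recent failures


def _rate_limited(addr, now):
    """True if addr has used up its failure budget. Loopback is NOT exempt."""
    recent = _failures[addr]
    while recent and now - recent[0] > WINDOW_SECONDS:
        recent.popleft()
    return len(recent) >= MAX_FAILURES


def authorize_pairing(addr, origin, secret, now=None):
    """Decide whether a pairing request is accepted; returns (ok, reason)."""
    now = time.monotonic() if now is None else now
    if _rate_limited(addr, now):
        return False, "rate_limited"
    # Browsers attach Origin to cross-site WebSocket requests, so a page on
    # another site that reaches the loopback port is identifiable here.
    # Non-browser clients send no Origin and must still present the secret.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        _failures[addr].append(now)
        return False, "bad_origin"
    # Constant-time comparison avoids leaking how much of a guess matched.
    if not hmac.compare_digest(secret.encode(), PAIRING_SECRET.encode()):
        _failures[addr].append(now)
        return False, "bad_secret"
    return True, "ok"
```

Because the failure counter is keyed on the client address with no carve-out for `127.0.0.1` or `::1`, repeated guesses relayed through a local browser are throttled the same way as remote ones.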