[TIMESTAMP: 2026-03-02 00:34 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: HIGH]

ClawJacked Vulnerability in OpenClaw AI Agent Enables Data Hijacking

HIGH | Vulnerabilities | #ClawJacked #OpenClaw #AI-security
AI-Assisted Analysis
// executive briefing tl;dr
  • [01] Immediate impact: Malicious websites can hijack locally running OpenClaw instances to exfiltrate sensitive data and API keys without user interaction.
  • [02] Affected systems: Local OpenClaw installations using default configurations and lacking robust authentication or CORS protections are primarily at risk.
  • [03] Remediation: Users must update to the latest version and ensure strong authentication is enabled for all local web-accessible services.

Overview of the ClawJacked Attack

OpenClaw is an open-source framework designed for autonomous AI agents that users frequently deploy locally to manage workflows and automate interactions with Large Language Models (LLMs). Researchers at Salt Security recently identified a high-severity vulnerability, designated as “ClawJacked,” which allows a malicious website visited by a user to silently hijack an OpenClaw instance running on the same machine. According to BleepingComputer, the flaw stems from a lack of origin validation and missing security headers, enabling cross-site requests to reach the local application interface.

Technical Analysis of the OpenClaw Vulnerability

OpenClaw instances typically listen on localhost (127.0.0.1) at port 8000. Because web browsers allow public websites to send requests to local IP addresses, a malicious page can execute scripts that probe the user’s local network environment. This zero-day-style attack exploits the absence of Cross-Origin Resource Sharing (CORS) restrictions within the OpenClaw architecture: an attacker can use JavaScript to send unauthorized requests to the OpenClaw API from a remote domain.

If the user has not configured a password, or if they are using a weak credential that can be brute-forced via automated browser requests, the malicious script effectively gains administrative control over the agent. This specific TTP is dangerous because the attack originates from within the user’s trusted browser session, allowing the threat actor to bypass local network firewalls. While no CVE has been officially assigned at the time of this report, the potential for unauthorized access suggests a high CVSS severity level.
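The two weaknesses described above, missing origin validation and a password that can be guessed at browser speed, are both addressed server-side. The following is an added illustration, not OpenClaw's own code: a request check that refuses cross-site traffic before any route runs, the weak CORS pattern beside its hardened form, a response path that still demands an authenticated session, and a login throttle. The allowed origins, the header names checked and the notion of a session are assumptions for the example.

```python
"""Server-side origin validation and login throttling for a loopback-bound
HTTP API. Added illustration, not OpenClaw's own code; the allowed origins,
hosts and the session concept are assumptions."""
import time

# Origins the local web UI is legitimately served from (constructed values).
ALLOWED_ORIGINS = {"http://127.0.0.1:8000", "http://localhost:8000"}
# Host headers we accept; anything else suggests DNS rebinding or a proxy.
ALLOWED_HOSTS = {"127.0.0.1:8000", "localhost:8000"}


def check_request(headers):
    """Return (allowed, reason) for one request, given its header dict.

    Runs before routing, so a cross-site request is refused even when the
    API has no password configured. CORS response headers alone are not
    enough: a browser still *sends* a cross-site POST without a preflight
    when it looks like a form submission, and the server would execute it.
    """
    h = {k.lower(): v for k, v in headers.items()}
    if h.get("host", "") not in ALLOWED_HOSTS:
        return False, "unexpected Host header"
    # Fetch metadata: modern browsers set Sec-Fetch-Site on every request;
    # "cross-site" means the page that issued it lives on another site.
    if h.get("sec-fetch-site") == "cross-site":
        return False, "Sec-Fetch-Site: cross-site"
    origin = h.get("origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False, "origin not allowed: " + origin
    return True, "ok"


def cors_headers_weak(origin):
    """The weak pattern: reflect any Origin and allow credentials, which lets
    a script on that origin read authenticated responses."""
    return {"Access-Control-Allow-Origin": origin,
            "Access-Control-Allow-Credentials": "true"}


def cors_headers_hardened(origin):
    """Only allow-listed origins get CORS headers; everyone else gets none,
    so the browser refuses to expose the response to the calling script."""
    if origin in ALLOWED_ORIGINS:
        return {"Access-Control-Allow-Origin": origin, "Vary": "Origin"}
    return {}


def respond(headers, has_valid_session):
    """Combine both checks: reject cross-site traffic first, then require an
    authenticated session for everything else (Zero Trust on loopback too)."""
    allowed, reason = check_request(headers)
    if not allowed:
        return 403, reason
    if not has_valid_session:
        return 401, "authentication required"
    return 200, "ok"


class LoginThrottle:
    """Lock a client key out after too many failures in a sliding window, so a
    script cannot try passwords at browser speed. On a loopback-only service
    every browser request arrives from 127.0.0.1, so the key is effectively
    the whole host; that is acceptable for a single-user local agent."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock          # injectable so tests can control time
        self._failures = {}         # key -> list of failure timestamps

    def allowed(self, key):
        now = self.clock()
        recent = [t for t in self._failures.get(key, []) if now - t < self.window]
        self._failures[key] = recent
        return len(recent) < self.max_failures

    def record_failure(self, key):
        self._failures.setdefault(key, []).append(self.clock())


if __name__ == "__main__":
    hostile = {"Host": "127.0.0.1:8000", "Origin": "https://lure.example",
               "Sec-Fetch-Site": "cross-site"}
    print(respond(hostile, has_valid_session=True))   # (403, 'Sec-Fetch-Site: cross-site')
```

The ordering matters: the Host check defeats DNS rebinding, the Sec-Fetch-Site and Origin checks stop a browser tab on another site from driving the API, and only then is the session examined. A non-browser client such as curl sends none of those headers and passes the origin checks, which is the intended behaviour; it still has to authenticate.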

Mitigating Local API Hijacking via ClawJacked

The primary danger of this vulnerability lies in the exfiltration of “provider keys.” These are the sensitive API tokens for services such as OpenAI, Anthropic, or Google Gemini that are stored within the OpenClaw environment to facilitate AI operations. If an attacker gains control of the instance, they can extract these keys, resulting in significant financial costs and potential data exposure. Furthermore, if the agent is configured with permissions to access the local file system or execute shell commands, the impact could escalate to RCE, allowing the attacker to fully compromise the host machine.

This vulnerability highlights a significant gap in the OpenClaw AI agent security configuration. Many users operate under the assumption that services bound to the loopback interface are inherently safe from web-based threats. That assumption violates Zero Trust principles, which require that every request, regardless of its origin, be authenticated and authorized. Practitioners looking to detect ClawJacked exploit attempts should monitor for unexpected POST or GET requests to local port 8000 that originate from external web domains.

Detection and Security Configuration Best Practices

To defend against ClawJacked, users should immediately update to the latest version of OpenClaw, which includes improved origin validation and security headers. For environments where an immediate update is not feasible, enforcing a complex password for the web UI is a mandatory step to prevent automated brute-force attacks.

Security teams can use the MITRE ATT&CK framework to map and monitor browser-based lateral movement attempts. Implementing IoC monitoring for unusual loopback requests can provide an early warning of an ongoing hijacking attempt. Keeping phishing protections up to date will also help prevent users from visiting the malicious sites that serve as the initial vector for this exploit. Organizations should further consider restricting browser access to local administrative ports through endpoint policy or host-based firewalls, so that the local API remains isolated from the public internet.
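The monitoring advice in the two preceding sections (watch for requests to port 8000 that carry an external origin, and for unusual loopback traffic) can be put into code. The following is an added example, not OpenClaw's own tooling or log format: it assumes the local agent writes one JSON object per request with the fields shown, assumes /api/login as the login route, and runs three detections over a constructed sample log: a request issued on behalf of a foreign origin, a Host header that is not loopback (DNS rebinding or an exposed listener), and a burst of failed logins that indicates credential guessing.

```python
"""Detection over a constructed access log from a loopback-bound agent API.
Added illustration, not a log format OpenClaw actually emits: one JSON object
per line with the fields used below, and /api/login as the assumed login route."""
import json
from collections import Counter
from urllib.parse import urlsplit

LOOPBACK_HOSTS = {"127.0.0.1", "localhost", "::1", "[::1]"}
LOGIN_PATH = "/api/login"            # assumed route

# Constructed sample: one benign page load, a burst of cross-site login
# failures, a same-origin call, and a request whose Host header is not loopback.
SAMPLE_LOG = """\
{"ts": 1000, "src": "127.0.0.1", "host": "127.0.0.1:8000", "method": "GET", "path": "/", "status": 200, "origin": null}
{"ts": 1001, "src": "127.0.0.1", "host": "127.0.0.1:8000", "method": "POST", "path": "/api/login", "status": 401, "origin": "https://lure.example"}
{"ts": 1002, "src": "127.0.0.1", "host": "127.0.0.1:8000", "method": "POST", "path": "/api/login", "status": 401, "origin": "https://lure.example"}
{"ts": 1003, "src": "127.0.0.1", "host": "127.0.0.1:8000", "method": "POST", "path": "/api/login", "status": 401, "origin": "https://lure.example"}
{"ts": 1004, "src": "127.0.0.1", "host": "127.0.0.1:8000", "method": "POST", "path": "/api/login", "status": 401, "origin": "https://lure.example"}
{"ts": 1005, "src": "127.0.0.1", "host": "127.0.0.1:8000", "method": "POST", "path": "/api/login", "status": 401, "origin": "https://lure.example"}
{"ts": 1010, "src": "127.0.0.1", "host": "localhost:8000", "method": "GET", "path": "/api/config", "status": 200, "origin": "http://localhost:8000"}
{"ts": 1011, "src": "127.0.0.1", "host": "rebind.example:8000", "method": "POST", "path": "/api/config", "status": 200, "origin": null}
"""


def origin_host(origin):
    """Hostname part of an Origin header value, or None if absent."""
    return urlsplit(origin).hostname if origin else None


def host_header_name(host):
    """Strip the port from a Host header, keeping IPv6 brackets intact."""
    if host.startswith("["):                 # IPv6 literal, e.g. [::1]:8000
        return host[:host.index("]") + 1]
    return host.split(":", 1)[0]


def analyze(log_text, burst_threshold=5, window_seconds=60):
    """Return a list of findings, each a dict with ts, type and detail."""
    findings = []
    login_failures = []                      # timestamps of 401s on LOGIN_PATH
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = json.loads(raw)
        oh = origin_host(rec.get("origin"))
        # 1. The local browser made this request on behalf of a foreign origin;
        #    the source address is still 127.0.0.1, so only the header reveals it.
        if oh is not None and oh not in LOOPBACK_HOSTS:
            findings.append({"ts": rec["ts"], "type": "cross-origin-request",
                             "detail": f'{rec["method"]} {rec["path"]} from {rec["origin"]}'})
        # 2. Host header is not loopback: DNS rebinding or an exposed listener.
        if host_header_name(rec["host"]) not in LOOPBACK_HOSTS:
            findings.append({"ts": rec["ts"], "type": "unexpected-host",
                             "detail": rec["host"]})
        # 3. Burst of failed logins inside the window: credential guessing.
        if rec["path"] == LOGIN_PATH and rec["status"] == 401:
            login_failures.append(rec["ts"])
            recent = [t for t in login_failures if rec["ts"] - t <= window_seconds]
            if len(recent) == burst_threshold:   # report once, when crossed
                findings.append({"ts": rec["ts"], "type": "login-failure-burst",
                                 "detail": f"{len(recent)} failures within {window_seconds}s"})
    return findings


def summarize(findings):
    """Count findings by type."""
    return Counter(f["type"] for f in findings)


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["type"], f["detail"])
```

The first detection is the important one for this flaw: because the hijacked browser sits on the same host, source-address filtering sees nothing unusual, and only the Origin (or Referer) header exposes the foreign page. The same-origin call at ts 1010 is deliberately left alone so the rule does not fire on the legitimate web UI.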
