ClawJacked: Critical Local Agent Hijacking
Overview
CVE-2026-27004 (ClawJacked) is a critical vulnerability that allowed malicious websites to connect to locally running OpenClaw agents and brute-force their passwords with no limit on failed attempts.
The Vulnerability
Attack Vector
- Malicious websites could connect to locally running OpenClaw instances
- Unlimited password brute-forcing possible
- Session data exposure in multi-user deployments
Impact
- Unauthorized access to agent controls
- Potential data exfiltration
- Command execution via compromised agents
Discovery
Reported by: CSO Online, The Hacker News
Date: February 28, 2026
Severity: Critical
Mitigation
Immediate Actions
- Update to OpenClaw 2026.2.23 immediately
- Enable optional HSTS headers on Gateway
- Implement strong authentication on all agent endpoints
Network Security
- Never expose the Gateway to the open internet
- Use Tailscale/VPN for remote access
- Implement network segmentation
Authentication Hardening
- Strong, unique passwords
- Multi-factor authentication where possible
- Regular credential rotation
Prevention Best Practices
- Network Isolation: Run agents on isolated networks
- Access Control: Implement least-privilege access
- Monitoring: Log all authentication attempts
- Updates: Apply security patches immediately
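One way to implement two of the controls listed above, rejecting browser connections from foreign web origins and locking out a source after repeated failed logins, shown as an added example that is hypothetical and not OpenClaw's own code. The allowlisted origins and port, the thresholds and the client identifiers are assumptions, and the scenarios are constructed.

```python
# Added example, hypothetical code: not OpenClaw's own implementation.
from collections import defaultdict, deque
from urllib.parse import urlparse

# Assumption: only the gateway's own local UI should open browser connections.
ALLOWED_ORIGINS = {"http://localhost:8080", "http://127.0.0.1:8080"}  # constructed

def origin_allowed(origin):
    """Reject browser connections from web origins not on the allowlist. A missing
    Origin header means a non-browser client; it still faces the login limit below."""
    if origin is None:
        return True
    parsed = urlparse(origin)
    return f"{parsed.scheme}://{parsed.netloc}" in ALLOWED_ORIGINS

class AuthGuard:
    """Lock a source out after MAX_FAILURES failed logins within WINDOW seconds."""
    MAX_FAILURES = 5
    WINDOW = 60.0
    def __init__(self):
        self.failures = defaultdict(deque)  # source -> timestamps of recent failures

    def is_locked(self, source, now):
        recent = self.failures[source]
        while recent and now - recent[0] > self.WINDOW:  # drop failures outside WINDOW
            recent.popleft()
        return len(recent) >= self.MAX_FAILURES

    def attempt(self, source, origin, password_ok, now):
        """Outcome of one login attempt: 'blocked', 'locked', 'denied' or 'ok'."""
        if not origin_allowed(origin):
            return "blocked"  # cross-site page: the password is never evaluated
        if self.is_locked(source, now):
            return "locked"   # refused even if this guess happens to be right
        if password_ok:
            return "ok"
        self.failures[source].append(now)
        return "denied"

def simulate_burst(n=7, source="client-A", origin=None):
    """Constructed scenario: one client sends n wrong passwords, one per second."""
    guard = AuthGuard()
    return [guard.attempt(source, origin, False, float(t)) for t in range(n)]

def lockout_expires():
    """Constructed scenario: five failures, then a correct login after WINDOW has passed."""
    guard = AuthGuard()
    for t in range(5):
        guard.attempt("client-B", None, False, float(t))
    return guard.attempt("client-B", None, True, 70.0)
```

Every "blocked", "locked" and "denied" outcome is what the Monitoring item above asks you to log; a run of "denied" followed by "locked" from one source is the brute-force signature to alert on.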
References
- CSO Online (February 28, 2026)
- The Hacker News (March 1, 2026)
- OpenClaw 2026.2.23 Release Notes