MLOps Platform OpenClaw Hit By Massive Breach

The OpenClaw ML pipeline management platform has suffered a major security failure, with attackers exploiting over 800 malicious plugins to compromise more than 40,000 instances. A related “ClawJacked” vulnerability also allows malicious websites to hijack user sessions to steal data and run arbitrary code, highlighting severe risks in MLOps plugin security.

The "ClawJacked" vulnerability, identified as CVE-2026-25253, was a critical flaw in the OpenClaw framework that allowed malicious websites to hijack locally running AI agents. Security researchers from Oasis Security discovered that the gateway service's assumption of trust for connections from the user's own machine (localhost) created a significant security hole. This vulnerability enabled attackers to use WebSockets to silently connect to the OpenClaw instance from a browser tab, without any user interaction or warning. The attack was particularly effective because OpenClaw's gateway exempted the loopback address from rate limiting, which is designed to prevent brute-force attacks. This oversight allowed attackers to guess passwords at a rate of hundreds of attempts per second, making it trivial to breach human-chosen passwords. Once authenticated, the attacker could gain full administrative permissions, steal credentials, read private messages, and exfiltrate files.

The security crisis unfolded over a three-week period in early 2026, escalating from a silently patched vulnerability on January 29th to the discovery of over 800 malicious "skills" (plugins) on ClawHub by mid-February. The number of publicly exposed OpenClaw instances surged from around 1,000 to over 135,000 during this time. The crisis also included a supply chain attack where a popular command-line tool, Cline CLI, was compromised to stealthily install OpenClaw on users' machines.

Prior to the "ClawJacked" disclosure, OpenClaw, a project that grew to over 100,000 GitHub stars in just two months, had already faced scrutiny for insecure defaults. Many users, in their rush to deploy the popular AI agent, left the control interface accessible from the public internet. This misconfiguration, combined with a lack of mandatory authentication on the Model Context Protocol (MCP) in earlier versions, exposed credentials, private chat histories, and agent control functions.
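To make the two gateway weaknesses described above concrete, here is an added Python model of a gateway password check (not OpenClaw's code; the `GatewayAuth` class, its parameters and the sample passwords are hypothetical). It makes both mistakes configurable: whether loopback clients are exempt from rate limiting, and whether the browser's WebSocket `Origin` header is checked against an allow-list, so the weak and hardened policies can be compared on the same stream of login attempts.

```python
import hmac
import time
from collections import defaultdict, deque

# Constructed example: a minimal auth policy for a local gateway that accepts
# WebSocket connections. Not OpenClaw's code; all names are hypothetical.

LOOPBACK = {"127.0.0.1", "::1"}


class GatewayAuth:
    def __init__(self, password, allowed_origins=(), exempt_loopback=False,
                 max_attempts=5, window=60.0):
        self.password = password
        self.allowed_origins = set(allowed_origins)   # empty set = no Origin check
        self.exempt_loopback = exempt_loopback         # the weak setting
        self.max_attempts = max_attempts
        self.window = window
        self.failures = defaultdict(deque)              # client ip -> failure timestamps

    def _rate_limited(self, ip, now):
        # Exempting loopback lets any local process, including a browser tab
        # acting on behalf of a remote site, guess without limit.
        if self.exempt_loopback and ip in LOOPBACK:
            return False
        q = self.failures[ip]
        while q and now - q[0] > self.window:          # drop failures outside window
            q.popleft()
        return len(q) >= self.max_attempts

    def authenticate(self, ip, origin, password, now=None):
        """Return 'ok', 'bad_origin', 'rate_limited' or 'bad_password'."""
        now = time.monotonic() if now is None else now
        # A browser always sends Origin on a WebSocket upgrade; an allow-list
        # stops cross-site connections even when they arrive from localhost.
        if self.allowed_origins and origin not in self.allowed_origins:
            return "bad_origin"
        if self._rate_limited(ip, now):
            return "rate_limited"
        if not hmac.compare_digest(password.encode(), self.password.encode()):
            self.failures[ip].append(now)
            return "bad_password"
        return "ok"


def policy_outcome(gateway, ip, origin, candidates, now=0.0):
    """Feed candidate passwords in order; return the first non-'bad_password'
    result and the number of attempts it took to reach it."""
    for i, candidate in enumerate(candidates, 1):
        result = gateway.authenticate(ip, origin, candidate, now)
        if result != "bad_password":
            return result, i
    return "bad_password", len(candidates)
```

Feeding the same 200 wrong guesses followed by the right password shows the weak policy accepting the 201st attempt from a loopback client with a foreign `Origin`, while the hardened policy rejects the foreign `Origin` outright and, for an allowed `Origin`, locks the client out after `max_attempts` failures until the window expires.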

Shared from Scout - Be the smartest in the room.