Any website could hijack your locally running OpenClaw agent. No clicks, no permissions, no user interaction at all. That's the reality Oasis Security uncovered with CVE-2026-25253, a vulnerability they nicknamed "ClawJacked." OpenClaw v2026.2.25, released February 26 by 24 contributors, patches it along with 30+ other security fixes.
If you self-host OpenClaw, update now.
How ClawJacked Works
The attack is surprisingly simple. You visit a malicious website. Hidden JavaScript opens a WebSocket connection to localhost on your OpenClaw gateway port. Browsers don't block WebSocket-to-localhost connections the way they block regular cross-origin requests. The script brute-forces your gateway password at hundreds of attempts per second (there was no rate limiting) and, because OpenClaw auto-approved device pairings from localhost, the attacker gets registered as a trusted device.
From there? Full agent takeover. Shell commands, API keys, connected services like Slack and Telegram. As CSO Online reported, Jason Soroko of Sectigo called the browser "a porous membrane, permitting untrusted JavaScript to bridge the gap to local services via WebSockets."
The OpenClaw team fixed it within 24 hours of disclosure. The v2026.2.25 release now enforces origin validation on browser WebSocket clients, throttles password-auth failures on loopback, and blocks auto-approval for unpaired devices.
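To make the three fixes concrete, here is an added example (not OpenClaw's code, and not taken from the advisory) of how a local gateway's connection handler can gate a browser WebSocket the way the release notes describe: refuse unknown origins at the upgrade, throttle password failures even from loopback, and never auto-approve an unpaired device. The port, password, device ids and function names are all constructed for the example.

```python
import hmac
from collections import defaultdict

# Constructed values for the example; the real gateway port and
# credentials are not on the page.
GATEWAY_PORT = 8080
ALLOWED_ORIGINS = {
    f"http://localhost:{GATEWAY_PORT}",
    f"http://127.0.0.1:{GATEWAY_PORT}",
}
GATEWAY_PASSWORD = "constructed-example-secret"
PAIRED_DEVICES = {"device-laptop-01"}  # devices approved out of band


def origin_allowed(headers):
    """Origin check for the WebSocket upgrade request.

    Browsers always send Origin on a WebSocket handshake, so a script on a
    third-party site cannot hide where it came from. Anything not on the
    allow-list is refused before the password is even read. A missing
    header means a non-browser client; it falls through to the password
    and pairing checks below rather than being trusted.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    origin = lowered.get("origin")
    return origin is None or origin in ALLOWED_ORIGINS


class AuthThrottle:
    """Per-client failure counter with a lockout.

    Applied to loopback as well: a connection from 127.0.0.1 may be a
    browser tab driven by a remote page, so 'local' is not 'trusted'.
    """

    def __init__(self, max_failures=5, window_s=60.0, lockout_s=300.0):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.failures = defaultdict(list)  # client -> failure timestamps
        self.locked_until = {}

    def allowed(self, client, now):
        if self.locked_until.get(client, 0.0) > now:
            return False
        # Drop failures that have aged out of the window.
        self.failures[client] = [
            t for t in self.failures[client] if now - t < self.window_s
        ]
        return True

    def record_failure(self, client, now):
        self.failures[client].append(now)
        if len(self.failures[client]) >= self.max_failures:
            self.locked_until[client] = now + self.lockout_s
            self.failures[client].clear()


def handle_connect(request, throttle, now):
    """Return the gateway's decision for one connection attempt.

    request is a constructed dict (headers, client address, password,
    device id) standing in for the first frames of a real handshake.
    """
    if not origin_allowed(request["headers"]):
        return "rejected-origin"
    client = request["client"]
    if not throttle.allowed(client, now):
        return "throttled"
    if not hmac.compare_digest(request["password"], GATEWAY_PASSWORD):
        throttle.record_failure(client, now)
        return "auth-failed"
    # A correct password is not enough: an unknown device is never
    # auto-approved, even from loopback. Pairing stays a separate,
    # user-confirmed step.
    if request["device"] not in PAIRED_DEVICES:
        return "pairing-required"
    return "accepted"


def replay_guessing(throttle, n, now=0.0):
    """Constructed burst of n wrong-password attempts from one loopback
    client that already passes the origin check, 5 ms apart. Returns how
    many were actually evaluated as password checks before the throttle
    started refusing them."""
    evaluated = 0
    for i in range(n):
        req = {
            "headers": {"Origin": f"http://localhost:{GATEWAY_PORT}"},
            "client": "127.0.0.1",
            "password": f"guess-{i}",
            "device": "unknown",
        }
        if handle_connect(req, throttle, now + i * 0.005) == "auth-failed":
            evaluated += 1
    return evaluated
```

With the defaults above, a 200-attempt burst gets exactly five password evaluations before the client is locked out for five minutes, which is what turns "hundreds of attempts per second" into a handful per lockout window. The origin check runs first so a cross-site page never reaches the password step at all, and pairing is decided separately from authentication so that loopback alone never registers a device.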
Beyond ClawJacked: The Other 30+ Fixes
ClawJacked is the headline, but it's not the whole story. This release touches almost every surface of the security model. Reaction events on Discord, Slack, Signal, and Telegram now enforce channel authorization. Filesystem sandbox escapes via symlinks and hardlinks are blocked. Webhook authentication for Nextcloud Talk and LINE rejects unsigned traffic before reading the body. OAuth cleanup removes a PKCE verifier leak. And IPv6 SSRF protection now classifies multicast addresses as private targets.
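The IPv6 SSRF fix is the easiest of these to show in a few lines. The added example below (mine, not OpenClaw's code) contrasts a naive "private or loopback" check for outbound fetch targets with one that also treats multicast as a non-public target, using only Python's standard ipaddress module; the function names and sample addresses are constructed.

```python
import ipaddress


def _parse(host):
    """Parse an IP literal, accepting bracketed IPv6 ("[ff02::1]").

    Hostnames are not handled here: a real SSRF guard resolves them
    first and then runs this classification over every address the
    resolver returned, not just the first.
    """
    ip = ipaddress.ip_address(host.strip("[]"))
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.1) so the IPv4 rules apply.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip


def legacy_blocks(host):
    """The weak rule: only RFC-private and loopback ranges are refused.

    Multicast (224.0.0.0/4, ff00::/8) is neither, so a fetch to ff02::1
    (all nodes on the link) passes this check.
    """
    ip = _parse(host)
    return ip.is_private or ip.is_loopback


def hardened_blocks(host):
    """The corrected rule: anything that is not a routable public address
    is treated as a private target, multicast included."""
    ip = _parse(host)
    return (
        ip.is_private
        or ip.is_loopback
        or ip.is_link_local
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def classify(addresses):
    """Constructed helper: map each literal to 'blocked' or 'allowed'
    under the hardened rule, as a resolver-facing SSRF guard would."""
    return {a: ("blocked" if hardened_blocks(a) else "allowed") for a in addresses}
```

Running classify over a constructed list such as ["ff02::1", "224.0.0.1", "::ffff:127.0.0.1", "1.2.3.4"] marks the first three blocked and only the last allowed; legacy_blocks lets both multicast literals through, which is exactly the gap the release closes.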
If you followed the previous security release, this one continues the same hardening trajectory.
Android and Subagent Improvements
Android users get GitHub-flavored markdown rendering, better streaming under spotty connections, and faster cold starts. Small but noticeable.
The bigger architectural change is the subagent dispatch refactor. It's been rebuilt as an explicit queue/direct/fallback state machine, replacing the old implicit dispatch logic. For multi-agent setups, this means more reliable agent-to-agent communication. One breaking change to watch: heartbeat DM delivery defaults flipped from "block" to "allow." Check your config if that matters to you.
What ClawHosters Customers Should Know
If you're on a managed ClawHosters plan, you're already patched. We rolled out v2026.2.25 across all managed instances within hours of release. That's the point of managed hosting. You don't have to track CVEs or scramble to update at midnight.
For self-hosters, the security hardening guide covers the basics. But if you'd rather not worry about it, we handle that part.