Category: Uncategorized

OpenClaw has fixed a high-severity security issue that, if successfully exploited, could have allowed a malicious website to connect to a locally running artificial intelligence (AI) agent and take over control.

“Our vulnerability lives in the core system itself – no plugins, no marketplace, no user-installed extensions – just the bare OpenClaw gateway, running exactly as documented,” Oasis Security said in a report published this week.

The flaw has been codenamed ClawJacked by the cybersecurity company.

The attack assumes the following threat model: A developer has OpenClaw set up and running on their laptop, with its gateway, a local WebSocket server, bound to localhost and protected by a password. The attack kicks in when the developer lands on an attacker-controlled website through social engineering or some other means.

The infection sequence then follows the steps below –

• Malicious JavaScript on the web page opens a WebSocket connection to localhost on the OpenClaw gateway port.
• The script brute-forces the gateway password by taking advantage of a missing rate-limiting mechanism.
• Post successful authentication with admin-level permissions, the script stealthily registers as a trusted device, which is auto-approved by the gateway without any user prompt.
• The attacker gains complete control over the AI agent, allowing them to interact with it, dump configuration data, enumerate connected nodes, and read application logs.

“Any website you visit can open one to your localhost. Unlike regular HTTP requests, the browser doesn’t block these cross-origin connections,” Oasis Security said. “So while you’re browsing any website, JavaScript running on that page can silently open a connection to your local OpenClaw gateway. The user sees nothing.”

“That misplaced trust has real consequences. The gateway relaxes several security mechanisms for local connections – including silently approving new device registrations without prompting the user. Normally, when a new device connects, the user must confirm the pairing. From localhost, it’s automatic.”

Following responsible disclosure, OpenClaw pushed a fix in less than 24 hours with version 2026.2.25 released on February 26, 2026. Users are advised to apply the latest updates as soon as possible, periodically audit access granted to AI agents, and enforce appropriate governance controls for non-human (aka agentic) identities.

The development comes amid a broader security scrutiny of the OpenClaw ecosystem, primarily stemming from the fact that AI agents hold entrenched access to disparate systems and the authority to execute tasks across enterprise tools, leading to a significantly larger blast radius should they be compromised.

Reports from Bitsight and NeuralTrust have detailed how OpenClaw instances left connected to the internet pose an expanded attack surface, with each integrated service further broadening the blast radius and can be transformed into an attack weapon by embedding prompt injections in content (e.g., an email or a Slack message) processed by the agent to execute malicious actions.

The disclosure comes as OpenClaw also patched a log poisoning vulnerability that allowed attackers to write malicious content to log files via WebSocket requests to a publicly accessible instance on TCP port 18789.

Since the agent reads its own logs to troubleshoot certain tasks, the security loophole could be abused by a threat actor to embed indirect prompt injections, leading to unintended consequences. The issue was addressed in version 2026.2.13, which was shipped on February 14, 2026.

“If the injected text is interpreted as meaningful operational information rather than untrusted input, it could influence decisions, suggestions, or automated actions,” Eye Security said. “The impact would therefore not be ‘instant takeover,’ but rather: manipulation of agent reasoning, influencing troubleshooting steps, potential data disclosure if the agent is guided to reveal context, and indirect misuse of connected integrations.”

In recent weeks, OpenClaw has also been found susceptible to multiple vulnerabilities (CVE-2026-25593, CVE-2026-24763, CVE-2026-25157, CVE-2026-25475, CVE-2026-26319, CVE-2026-26322, CVE-2026-26329), ranging from moderate to high severity, that could result in remote code execution, command injection, server-side request forgery (SSRF), authentication bypass, and path traversal. The vulnerabilities have been addressed in OpenClaw versions 2026.1.20, 2026.1.29, 2026.2.1, 2026.2.2, and 2026.2.14.

“As AI agent frameworks become more prevalent in enterprise environments, security analysis must evolve to address both traditional vulnerabilities and AI-specific attack surfaces,” Endor Labs said.

Elsewhere, new research has demonstrated that malicious skills uploaded to ClawHub, an open marketplace for downloading OpenClaw skills, are being used as conduits to deliver a new variant of Atomic Stealer, a macOS information stealer developed and rented by a cybercrime actor known as Cookie Spider.

“The infection chain begins with a normal SKILL.md that installs a prerequisite,” Trend Micro said. “The skill appears harmless on the surface and was even labeled as benign on VirusTotal. OpenClaw then goes to the website, fetches the installation instructions, and proceeds with the installation if the LLM decides to follow the instructions.”

The instructions hosted on the website “openclawcli.vercel[.]app” include a malicious command to download a stealer payload from an external server (“91.92.242[.]30”) and run it.

Threat hunters have also flagged a new malware delivery campaign in which a threat actor by the name @liuhui1010 has been identified, leaving comments on legitimate skill listing pages, urging users to explicitly run a command they provided on the Terminal app if the skill “doesn’t work on macOS.”

The command is designed to retrieve Atomic Stealer from “91.92.242[.]30,” an IP address previously documented by Koi Security and OpenSourceMalware for distributing the same malware via malicious skills uploaded to ClawHub.

What’s more, a recent analysis of 3,505 ClawHub skills by AI security company Straiker has uncovered no less than 71 malicious ones, some of which posed as legitimate cryptocurrency tools but contained hidden functionality to redirect funds to threat actor-controlled wallets.

Two other skills, bob-p2p-beta and runware, have been attributed to a multi-layered cryptocurrency scam that employs an agent-to-agent attack chain targeting the AI agent ecosystem. The skills have been attributed to a threat actor who operates under the aliases “26medias” on ClawHub and “BobVonNeumann” on Moltbook and X.

“BobVonNeumann presents itself as an AI agent on Moltbook, a social network designed for agents to interact with each other,” researchers Yash Somalkar and Dan Regalado said. “From that position, it promotes its own malicious skills directly to other agents, exploiting the trust that agents are designed to extend to each other by default. It’s a supply chain attack with a social engineering layer built on top.”

What bob-p2p-beta does, however, is instruct other AI agents to store Solana wallet private keys in plaintext, purchase worthless $BOB tokens on pump.fun, and route all payments through an attacker-controlled infrastructure. The second skill claims to offer a benign image generation tool to build the developer’s credibility.

Given that ClawHub is becoming a new fertile ground for attackers, users are advised to audit skills before installing them, avoid providing credentials and keys unless it’s essential, and monitor skill behavior.

The security risks associated with self-hosted agent runtimes like OpenClaw have also prompted Microsoft to issue an advisory, warning that unguarded deployment could pave the way for credential exposure/exfiltration, memory modification, and host compromise if the agent can be tricked into retrieving and running malicious code either through poisoned skills or prompt injections.

“Because of these characteristics, OpenClaw should be treated as untrusted code execution with persistent credentials,” the Microsoft Defender Security Research Team said. “It is not appropriate to run on a standard personal or enterprise workstation.”

“If an organization determines that OpenClaw must be evaluated, it should be deployed only in a fully isolated environment such as a dedicated virtual machine or separate physical system. The runtime should use dedicated, non-privileged credentials and access only non-sensitive data. Continuous monitoring and a rebuild plan should be part of the operating model.”

Iran’s supreme leader Ali Khamenei has been killed in Israeli air strikes, according to the country’s intelligence service.

The Ayatollah’s body was recovered from rubble, riddled with shrapnel wounds, after his Tehran compound was struck by as many as 30 bombs on Saturday.

Photographic proof of the successful assassination was shown to Donald Trump, the US president, and Benjamin Netanyahu, the Israeli prime minister.

Mr Trump told NBC News the White House felt it was a “correct story” that Khamenei had been killed, along with “a large number” of the regime’s leaders.

The death represents the most serious blow to the Iranian regime since the revolution of 1979, when the ayatollahs swept into power.

The US and Israel urged Iranians to force regime change, and some Iranians took to the streets of Tehran on Saturday night in celebration.

Israel carried out a strike on Khamenei’s compound in the opening salvo of attacks on Iran on Saturday morning.

On Saturday night, Iran was firing missiles and drones at civilian targets across the Middle East after the offensive against the Islamic regime.

A five-star hotel in Dubai, several residential buildings in Bahrain and Kuwait’s international airport were struck as Tehran retaliated with a barrage of drones and ballistic missiles.

Credit: X/@adrianopmi and @ruperttait

Mohammad Pakpour, the chief of Iran’s Revolutionary Guards (IRGC), and Amir Nasirzadeh, its defence minister, were also killed in strikes expected to last several days.

The assault was the largest military flyover in the history of the Israeli air force, targeting military bases, nuclear sites and government buildings across Iran.

Mr Trump monitored the operation from Mar-a-Lago, his Florida home, where he announced the beginning of the operation, named Epic Fury.

He said: “For 47 years, the Iranian regime has chanted ‘Death to America’ and waged an unending campaign of bloodshed.

“Its menacing activities directly endanger the United States, our troops, our bases overseas and our allies throughout the world. They can never have a nuclear weapon.”

Addressing Iranians, Mr Trump told troops to lay down their weapons or face certain death and called on the Iranian people to start an uprising and take control of the government.

“I say tonight that the hour of your freedom is at hand,” he said in a video posted on Truth Social.

Credit: Truth Social/ @realDonaldTrump

Mr Trump said the joint attack would last “as long as needed”, unleashing a wave of strikes that threatened to destabilise the region.

As explosions rocked Tehran and other cities, the regime vowed to carry out a “crushing” retaliation, firing missiles towards Israel and US bases in five neighbouring Gulf states.

Iran struck the US navy’s 5th Fleet headquarters in Bahrain, the most vulnerable of American bases, while debris rained down from the skies above the United Arab Emirates, Saudi Arabia, Qatar and Jordan.

Jordan said it “dealt with” 49 drones and ballistic missiles.

Credit: X/@Osinttechnical

The luxury Fairmont Palm hotel in Dubai was engulfed in flames on Saturday night after being struck by a Shahed suicide drone.

Four people were injured, and there are fears that Britons staying at the hotel, which has 391 luxury guest rooms, could be among those hurt or even killed.

Flights across the Middle East were disrupted and air defence fire thundered over Dubai. Shrapnel from an Iranian missile attack on Abu Dhabi, the UAE capital, killed one person, state media said.

The US had amassed a substantial strike force in the region while pressing Iran to cease its nuclear programme in negotiations that failed to reach an agreement on Thursday.

Sir Keir Starmer, under pressure to explain if Britain had allowed the US to use Diego Garcia, the military base of the Chagos Islands, said the UK was not involved in the attack.

“Iran can end this now,” he said in a televised address. “They should refrain from further strikes, give up their weapons programme and cease the appalling violence and repression against the Iranian people.”

Israeli air force fighter jets dropped hundreds of munitions, targeting approximately 500 objectives in several locations in Iran, including air defence systems and missile launchers.

One of the strikes targeted a site in Tabriz, western Iran. The site was used by the Iranian surface-to-surface missiles unit, which had planned to launch dozens of missiles from the site toward Israeli civilians.

The timing of the US attack is no coincidence. Mr Trump’s approval ratings are at their lowest and, with the midterm elections looming, Republicans are at risk of losing the House.

With control hanging in the balance, the president hopes a decisive blow against a foreign aggressor will help his party cling to power.

Iran’s defence ministry said it would provide weapons and equipment to continue its operation “until the enemy’s defeat”.

“As in the past, we will continue to provide complete weapons and equipment support to the brave fighters of the great Iranian nation for the continuation of ‘True promise four’ operations and the defeat of enemies,” the defence ministry said in a statement.

The IRGC blocked passage through the Strait of Hormuz, the world’s most vital oil export route in a move that risks inflating global oil prices.

The strikes could rattle global markets, particularly if Iran makes the Strait of Hormuz unsafe for commercial traffic. A third of worldwide oil exports transported by sea passed through the strait in 2025.

Mr Netanyahu later spoke to Mr Trump on the phone but details of the decision to strike Iran remained a closely guarded secret.

Israeli officials told Axios that Israel had targeted Khamenei’s sons, although intelligence suggests they survived the strikes.

Mr Trump told Axios on Saturday that he had several diplomatic “off-ramps” from the operation, which continued into Sunday.

He said: “I can go long and take over the whole thing, or end it in two or three days and tell the Iranians ‘see you again in a few years if you start rebuilding [your nuclear and missile programmes]’. In any case, it will take them several years to recover from this attack.”

In the aftermath of the attack, Mr Trump spoke with the leaders of Saudi Arabia, Qatar, the United Arab Emirates and Mark Rutte, the Nato secretary-general, according to Karoline Leavitt, the White House press secretary.

By Saturday night, the president had not shared details of the strikes and the urgency behind them with the public.

Iran had said it hoped to avert a war, but maintained its right to enrich uranium. It did not want to discuss other issues such as its long-range missile programme or support for armed groups including Hamas and Hezbollah.

Iran claims it has not enriched uranium since June, but it has blocked international inspectors from visiting the sites the US bombed during Operation Midnight Hammer last summer.

Satellite photos analysed by media outlets have shown new activity at two of those sites, suggesting Iran is trying to assess and potentially recover material.

Mr Trump had threatened military action but held off following Iran’s recent crackdown on protests spurred by economic grievances that evolved into a nationwide push against the ruling clerics. More than 7,000 people are estimated to have been killed.

Nigel Farage and Kemi Badenoch backed the strikes on Iran, while Left-wing politicians claimed that they were in breach of international law.

Mr Farage, the leader of Reform UK, urged the Prime Minister to allow the use of British military bases and “support the Americans in this vital fight”.

Mrs Badenoch, the Conservative leader, said she “stands with our allies in the US and Israel” as they “take on the threat” of Iran.

The US Secret Service and FBI said they were in a heightened state of alert for an attack by Iranian proxies and sleeper cells which are feared to have been embedded across America.

As darkness fell over the region, US and Israeli air forces began the second stage of the mission, continuing strikes deep into the night.

Video footage circulating on social media showed Iranians celebrating the supreme leader’s death, with people cheering in the streets despite the near-total internet blackout.

Additional reporting by Lily Shanagher

Try full access to The Telegraph free today. Unlock their award-winning website and essential news app, plus useful tools and expert guides for your money, health and holidays.