Critical OpenClaw AI Assistant Vulnerability Enables Credential Theft and Browser Session Hijacking
- Rescana

Executive Summary
A critical vulnerability has been identified in the OpenClaw AI Assistant (also known as Clawdbot), which enables remote attackers to hijack the assistant and exfiltrate sensitive session credentials from users’ browsers. This flaw, disclosed by ZeroPath security researchers, allows any malicious website visited in the same browser session as the OpenClaw extension to abuse the assistant’s local browser relay server. Attackers can leverage this to steal cookies and session tokens from other open tabs, including those for high-value services such as Gmail and Microsoft 365. The vulnerability has been patched in the latest release, but exploitation in the wild has been demonstrated, and proof-of-concept code is publicly available. Organizations using OpenClaw must update immediately and review their exposure, as the attack is trivial to execute and can result in significant credential compromise. [VERIFIED - Multiple Sources]
Technical Information
The vulnerability in OpenClaw AI Assistant arises from insecure exposure of the Chrome DevTools Protocol (CDP) via a local WebSocket server. When the OpenClaw extension is active, it launches a local HTTP server on port 17892, exposing two WebSocket endpoints: /extension for the browser extension and /cdp for browser automation via CDP. The /cdp endpoint was intended to be accessible only from the local machine, but due to insufficient origin validation, any JavaScript running in any browser tab can connect to ws://127.0.0.1:17892/cdp and issue arbitrary CDP commands. [VERIFIED - Multiple Sources]
This design flaw allows a malicious website to establish a WebSocket connection to the local OpenClaw server and enumerate all active browser sessions. By sending crafted CDP commands, the attacker can extract session cookies, authentication tokens, and even execute arbitrary JavaScript in the context of other tabs. For example, an attacker can use the Runtime.evaluate method to retrieve document.cookie from any open session, including those authenticated to sensitive enterprise services. [VERIFIED - Multiple Sources]
The attack flow is as follows: a user with the vulnerable OpenClaw extension installed visits a malicious website. The site’s JavaScript payload connects to the local /cdp endpoint, enumerates browser sessions, and issues commands to extract cookies and tokens from other tabs. These credentials can then be exfiltrated to an attacker-controlled server. The attack does not require any user interaction beyond visiting the malicious site, and it bypasses same-origin policy protections by abusing the local trust boundary. [VERIFIED - Multiple Sources]
The vulnerability is tracked in the OpenClaw repository and was patched in commit a1e89afcc19efd641c02b24d66d689f181ae2b5c. The patch restricts WebSocket connections to those with a valid Chrome extension origin and implements active authentication on the /cdp endpoint, preventing unauthorized access from arbitrary browser tabs. [VERIFIED - Multiple Sources]
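The kind of handshake check the patch description implies, as an added example that is not OpenClaw's code: the relay decides on each WebSocket upgrade request before any CDP traffic is accepted. The function name, the x-relay-token header, the extension ID placeholder, the sample token and the split of checks between /extension and /cdp are assumptions made for illustration.

```javascript
// Added illustration, not OpenClaw's code. Names and values are hypothetical.
const { createHash, timingSafeEqual } = require("node:crypto");

const RELAY_CONFIG = {
  // Placeholder: substitute the real ID of the installed extension.
  allowedOrigins: new Set(["chrome-extension://EXTENSION_ID_PLACEHOLDER"]),
  // Constructed sample secret; generate a random one per install in practice.
  token: "constructed-sample-token",
};

// Compare fixed-length digests so timingSafeEqual never throws on a length
// mismatch.
function tokensMatch(presented, expected) {
  const digest = (s) => createHash("sha256").update(String(s)).digest();
  return timingSafeEqual(digest(presented), digest(expected));
}

// Decide whether an HTTP upgrade request may become a WebSocket.
// `req` mirrors Node's IncomingMessage: { url, headers } with lowercase keys.
function authorizeUpgrade(req, config = RELAY_CONFIG) {
  const { pathname } = new URL(req.url, "http://127.0.0.1");
  const origin = req.headers.origin;
  const originAllowed = config.allowedOrigins.has(origin);

  if (pathname === "/extension") {
    return originAllowed
      ? { allow: true, reason: "ok" }
      : { allow: false, reason: "origin-rejected" };
  }
  if (pathname === "/cdp") {
    // Browsers attach Origin to every WebSocket handshake and page script
    // cannot change it, so a web page is refused here regardless of token.
    if (origin !== undefined && !originAllowed) {
      return { allow: false, reason: "origin-rejected" };
    }
    // Non-browser local clients can send any header, so Origin is not
    // enough: require the shared secret (hypothetical header name).
    const presented = req.headers["x-relay-token"];
    if (typeof presented !== "string" || !tokensMatch(presented, config.token)) {
      return { allow: false, reason: "token-rejected" };
    }
    return { allow: true, reason: "ok" };
  }
  return { allow: false, reason: "unknown-path" };
}
```

Logging the returned reason for every refused upgrade gives defenders a record of tabs that attempted to reach the relay.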
Proof-of-concept code demonstrating the attack is available from ZeroPath at ZeroPathAI/clawdbot-stealer-poc, and a live demonstration for unpatched versions is hosted at clawdbotstealer.s3-website-us-east-1.amazonaws.com. The attack leverages well-known browser exploitation techniques and aligns with MITRE ATT&CK techniques T1185 (Browser Session Hijacking) and T1557 (Man-in-the-Middle). [VERIFIED - Multiple Sources][UNVERIFIED - source needed] (Gemini Fact Checker could not confirm direct mapping to MITRE ATT&CK for this specific product, but the techniques are accurate.)
Indicators of compromise include unexpected WebSocket connections to ws://127.0.0.1:17892/cdp from browser tabs, outbound connections to known PoC or attacker-controlled exfiltration servers, and unusual browser automation activity or JavaScript execution in unrelated tabs. [VERIFIED - Multiple Sources]
Exploitation in the Wild
Exploitation of this vulnerability has been publicly demonstrated by security researchers, with working proof-of-concept code and live attack demos available online. While there is currently no evidence of mass exploitation or confirmed use by advanced persistent threat (APT) groups, the attack is trivial for any website a user visits while running the vulnerable OpenClaw extension. The public availability of exploit code significantly increases the risk of opportunistic attacks and credential theft campaigns targeting organizations with unpatched systems. [VERIFIED - Multiple Sources]
The attack technique is similar to those used in credential harvesting and session hijacking campaigns, including adversary-in-the-middle (AiTM) phishing kits such as Evilginx. The vulnerability’s ease of exploitation and the high value of the credentials at risk make it a prime target for both opportunistic and targeted attacks. [VERIFIED - Multiple Sources]
APT Groups using this vulnerability
As of this report, there is no public evidence attributing exploitation of the OpenClaw AI Assistant vulnerability to specific APT groups. [VERIFIED - Multiple Sources] However, the attack technique closely resembles those employed by groups specializing in credential harvesting, session hijacking, and adversary-in-the-middle operations. The MITRE ATT&CK techniques T1185 (Browser Session Hijacking) and T1557 (Man-in-the-Middle) are commonly leveraged by APT actors in campaigns targeting enterprise credentials and cloud service access. Given the public availability of exploit code and the trivial nature of the attack, it is likely that both criminal and state-sponsored actors will incorporate this technique into their toolkits if they have not already done so. [VERIFIED - Multiple Sources][UNVERIFIED - source needed] (No direct APT attribution.)
Affected Product Versions
All versions of OpenClaw AI Assistant (also known as Clawdbot) prior to version 2026.2.2 are affected by this vulnerability. This includes all releases up to and including 2026.2.1 and all earlier versions under the "openclaw" and "clawdbot" names. The first patched version is openclaw 2026.2.2, released on 2026-02-04 (commit 95cd221). Organizations running any version prior to 2026.2.2 are at risk and must update immediately. [VERIFIED - Multiple Sources]
Workaround and Mitigation
The primary mitigation is to update OpenClaw AI Assistant to version 2026.2.2 or later, which includes the necessary security patches to restrict WebSocket access and enforce authentication on the /cdp endpoint. Organizations should monitor for suspicious WebSocket activity on localhost ports used by OpenClaw, review browser extension permissions, and educate users about the risks of visiting untrusted websites while running powerful local AI assistants. If immediate update is not possible, disabling the OpenClaw extension or restricting access to the local WebSocket server via host-based firewall rules can provide temporary protection. Regularly review browser session activity and monitor for indicators of compromise, such as unexpected connections to ws://127.0.0.1:17892/cdp or outbound traffic to known attacker infrastructure. [VERIFIED - Multiple Sources]
References
- ZeroPath Research Blog: Malicious Websites Can Exploit Openclaw (aka Clawdbot) To Steal Credentials
- OpenClaw Patch Commit: a1e89afcc19efd641c02b24d66d689f181ae2b5c
- PoC Code: ZeroPathAI/clawdbot-stealer-poc
- Live PoC Demo: clawdbotstealer.s3-website-us-east-1.amazonaws.com
- Reddit Discussion: r/Information_Security
- MITRE ATT&CK: T1185 - Browser Session Hijacking, T1557 - Man-in-the-Middle
Rescana is here for you
At Rescana, we understand the critical importance of proactive third-party risk management in today’s rapidly evolving threat landscape. Our TPRM platform empowers organizations to continuously monitor, assess, and mitigate cyber risks across their entire vendor ecosystem. While this report focuses on the OpenClaw AI Assistant vulnerability, our platform is designed to help you identify and manage a wide range of emerging threats. If you have any questions about this advisory or require assistance with incident response, our cybersecurity experts are ready to help. Please contact us at ops@rescana.com.
Fact Check Summary
Total claims verified: 18
Verified claims: 14
Unverified claims: 4
Disputed claims: 0
Verification confidence: MEDIUM
Notes:
- No official CVE ID exists for this vulnerability as of this review. All CVE-related claims are [UNVERIFIED - source needed].
- All technical details, exploitation, patch, PoC, and affected version claims are [VERIFIED - Multiple Sources] based on reputable security news, vendor advisories, and the official OpenClaw repository.
- MITRE ATT&CK technique mapping is accurate, but Gemini Fact Checker could not confirm direct mapping for this specific product.
- No APT attribution is [VERIFIED - Multiple Sources], but the lack of a CVE and direct MITRE mapping reduces overall confidence to MEDIUM.