OpenClaw 2026.3.11: WebSocket Security Fix
Patches a cross-site WebSocket hijacking vulnerability and adds Gemini multimodal memory
30-Second TL;DR
What Changed
Fixed cross-site WebSocket hijacking in trusted-proxy mode (GHSA-5wcw-8jjv-m286)
Why It Matters
Closes a WebSocket hijacking hole that affects production gateway deployments, and adds onboarding and memory tooling (including Gemini multimodal memory indexing) that shortens the build loop for AI applications.
What To Do Next
Upgrade OpenClaw to 2026.3.11; then, if you use the memory tooling, test Gemini multimodal memory indexing against your configured extraPaths.
Deep Insight
Key Takeaways
- The patched WebSocket hijacking vulnerability, dubbed ClawJacked, was disclosed by Oasis Security. Browsers do not apply the same-origin policy to WebSocket handshakes, so any web page a user visits can open a WebSocket to the gateway listening on localhost; because the gateway applied no rate limiting to local connections, such a page could brute-force the gateway password[1][7][8].
- OpenClaw has a history of WebSocket-related flaws, including CVE-2026-25253 (authentication token theft via malicious gatewayUrl links leading to RCE, CVSS 8.8, affecting versions before 2026.1.29) and CVE-2026-28472 (device identity checks skipped during the handshake, affecting versions before 2026.2.2)[2][3][6].
- Additional recent patches addressed CVE-2026-25593 (OS command injection via an unsanitized cliPath in config.apply, exploitable locally) and a log poisoning issue that enabled prompt injection (fixed in 2026.2.13)[5][7].
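The ClawJacked pattern in the takeaways above (a page in the victim's browser opening a WebSocket to the local gateway and guessing the password) has two server-side counters: validate the Origin header on the upgrade request, since browsers always attach it to a WebSocket handshake and page scripts cannot forge it, and rate-limit failed authentication per client without exempting loopback. The module below is an added illustration written for this page in Node.js; it is not OpenClaw's code and is not the project's actual fix for GHSA-5wcw-8jjv-m286. The gateway origins and port 18789, the trusted-proxy address, the request shape and the sample handshakes are all assumptions. It also shows the trusted-proxy detail that matters for keying the limiter: X-Forwarded-For is honoured only when the TCP peer is the configured proxy.

```javascript
// Added example for this page, not OpenClaw's code. Origins, port,
// proxy address and sample handshakes below are assumptions.

const GATEWAY_ORIGINS = new Set([
  "http://127.0.0.1:18789", // assumed local gateway origin (hypothetical port)
  "http://localhost:18789",
]);
const TRUSTED_PROXIES = new Set(["10.0.0.2"]); // assumed reverse proxy address

// Cross-site WebSocket hijacking defence: a browser always sends Origin on a
// WebSocket handshake and scripts cannot change it, so reject anything not on
// the allowlist. A request with no Origin is a non-browser client, which is
// not the CSWSH threat; it still has to pass password auth and the limiter.
function originAllowed(headers) {
  const origin = headers["origin"];
  if (origin === undefined) return true;
  return GATEWAY_ORIGINS.has(origin.toLowerCase());
}

// Resolve the client address. X-Forwarded-For is trusted only when the TCP
// peer is a configured proxy; from anyone else it is attacker-controlled.
function clientAddress(remoteAddress, headers) {
  if (!TRUSTED_PROXIES.has(remoteAddress)) return remoteAddress;
  const xff = headers["x-forwarded-for"];
  if (!xff) return remoteAddress;
  return xff.split(",")[0].trim();
}

// Sliding-window limiter on failed password attempts, keyed by client
// address. Loopback is deliberately not exempted: a hijacked connection from
// a local browser arrives from 127.0.0.1 too.
class AuthRateLimiter {
  constructor({ maxFailures = 5, windowMs = 60_000 } = {}) {
    this.maxFailures = maxFailures;
    this.windowMs = windowMs;
    this.failures = new Map(); // address -> array of failure timestamps
  }
  _recent(addr, now) {
    const kept = (this.failures.get(addr) || []).filter((t) => now - t < this.windowMs);
    this.failures.set(addr, kept);
    return kept;
  }
  isBlocked(addr, now = Date.now()) {
    return this._recent(addr, now).length >= this.maxFailures;
  }
  recordFailure(addr, now = Date.now()) {
    this._recent(addr, now).push(now);
  }
}

// Constant-time comparison of the candidate against the expected password so
// response timing does not leak how many leading characters matched (only the
// length is revealed by the early return).
function passwordMatches(candidate, expected) {
  if (candidate.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= candidate.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Decide whether an upgrade plus its password should be accepted. `req` carries
// the fields an http 'upgrade' handler would read: remoteAddress and headers.
function handleHandshake(req, password, limiter, expectedPassword, now = Date.now()) {
  if (!originAllowed(req.headers)) return { ok: false, reason: "origin-rejected" };
  const addr = clientAddress(req.remoteAddress, req.headers);
  if (limiter.isBlocked(addr, now)) return { ok: false, reason: "rate-limited" };
  if (!passwordMatches(password, expectedPassword)) {
    limiter.recordFailure(addr, now);
    return { ok: false, reason: "bad-password" };
  }
  return { ok: true, reason: "authenticated" };
}

// Constructed handshakes (sample data, not captured traffic) walking through
// the three outcomes: cross-site page rejected, local UI accepted, and a
// local brute-force cut off after three failures until the window expires.
function demo() {
  const limiter = new AuthRateLimiter({ maxFailures: 3, windowMs: 60_000 });
  const secret = "correct-horse";
  const t0 = 1_000_000;
  const evilPage = { remoteAddress: "127.0.0.1", headers: { origin: "https://evil.example" } };
  const localUi = { remoteAddress: "127.0.0.1", headers: { origin: "http://localhost:18789" } };
  const localCli = { remoteAddress: "127.0.0.1", headers: {} };
  const out = [];
  out.push(handleHandshake(evilPage, secret, limiter, secret, t0).reason);
  out.push(handleHandshake(localUi, secret, limiter, secret, t0).reason);
  for (let i = 0; i < 3; i++) handleHandshake(localCli, "guess" + i, limiter, secret, t0 + i);
  out.push(handleHandshake(localCli, secret, limiter, secret, t0 + 10).reason);
  out.push(handleHandshake(localCli, secret, limiter, secret, t0 + 61_000).reason);
  return out;
}

console.log(demo());
```

The Origin check is what stops the cross-site case outright; the limiter is the backstop for clients that never send an Origin, and it only works against a hijacked local browser if loopback addresses are subject to it, which is the gap the takeaways describe.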
Sources (9)
Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.
1. prnewswire.com: Oasis Security Research Team Discovers Critical Vulnerability in OpenClaw (release 302698939)
2. sonicwall.com: OpenClaw Auth Token Theft Leading to RCE (CVE-2026-25253)
3. runzero.com: OpenClaw
4. hackers-arise.com: CVE-2026-25253: How Malicious Links Can Steal Authentication Tokens and Compromise OpenClaw AI Systems
5. sentinelone.com: CVE-2026-25593
6. nvd.nist.gov: CVE-2026-28472
7. thehackernews.com: ClawJacked Flaw Lets Malicious Sites
8. oasis.security: OpenClaw Vulnerability
9. vulncheck.com: OpenClaw: Missing Authentication in Browser Relay CDP WebSocket Endpoint
Original source: OpenClaw (GitHub Releases)