OpenClaw Beta Fixes WebSocket Hijacking
Critical security patch + Ollama onboarding & Gemini multimodal memory in OpenClaw beta.
30-Second TL;DR
What Changed
Gateway/WebSocket: Enforces origin validation to block cross-site hijacking (GHSA-5wcw-8jjv-m286).
Why It Matters
This beta release bolsters security for deployed OpenClaw gateways while streamlining developer workflows with better onboarding and multimodal capabilities, potentially reducing setup friction for AI applications.
What To Do Next
Upgrade your OpenClaw gateway to 2026.3.11-beta.1 immediately for WebSocket origin validation.
Deep Insight
Web-grounded analysis with 9 cited sources.
Enhanced Key Takeaways
- The patched vulnerability, dubbed ClawJacked (GHSA-5wcw-8jjv-m286), let a malicious web page open a WebSocket to the gateway on localhost and brute-force the gateway password, because the gateway neither validated the Origin of the handshake nor rate-limited failed authentication attempts.[1][7][8]
- OpenClaw had several earlier WebSocket flaws, including CVE-2026-25253 (auth token theft via malicious gatewayUrl links, CVSS 8.8, fixed in 2026.1.29) and CVE-2026-28472 (device identity checks could be skipped, fixed in 2026.2.2).[2][3][6]
- Further patches addressed log poisoning (fixed in 2026.2.13), which allowed prompt injection over a WebSocket to port 18789, and 71 malicious ClawHub skills that distributed malware and scams.[7]
Sources (9)
Factual claims are grounded in the sources below. Forward-looking analysis is AI-generated interpretation.
- [1] prnewswire.com: Oasis Security Research Team Discovers Critical Vulnerability in OpenClaw
- [2] sonicwall.com: OpenClaw Auth Token Theft Leading to RCE (CVE-2026-25253)
- [3] runzero.com: OpenClaw
- [4] hackers-arise.com: CVE-2026-25253: How Malicious Links Can Steal Authentication Tokens and Compromise OpenClaw AI Systems
- [5] sentinelone.com: CVE-2026-25593
- [6] nvd.nist.gov: CVE-2026-28472
- [7] thehackernews.com: ClawJacked Flaw Lets Malicious Sites
- [8] oasis.security: OpenClaw Vulnerability
- [9] vulncheck.com: OpenClaw Missing Authentication in Browser Relay CDP WebSocket Endpoint
AI-curated news aggregator. All content rights belong to original publishers.
Original source: OpenClaw (GitHub Releases)