---
id: "concept-cswsh-vulnerability"
type: "concept"
source_timestamps: ["00:15:48", "00:16:31"]
tags: ["cybersecurity", "vulnerabilities", "risk-management"]
related: ["concept-openclaw", "entity-mav-levin", "claim-security-is-primary-agent-bottleneck"]
definition: "A critical vulnerability where attackers hijack WebSocket connections to gain unauthorized remote code execution on local machines running autonomous AI agents."
sources: ["s16-openclaw-saga"]
sourceVaultSlug: "s16-openclaw-saga"
originDay: 16
---
# Cross-Site WebSocket Hijacking (CSWSH) in Agents

## Definition

A critical vulnerability where attackers hijack WebSocket connections to gain unauthorized remote code execution on local machines running autonomous AI agents.

## Prerequisite Knowledge

Understanding the exploit requires familiarity with [[prereq-websocket-security]] — specifically WebSocket Origin header validation per RFC 6455.

## The OpenClaw Disclosure

In late January 2026, [[entity-mav-levin]] of **Depth First** disclosed a high-severity Cross-Site WebSocket Hijacking flaw in [[concept-openclaw-d16]].

## Attack Chain

Because the OpenClaw server failed to validate the WebSocket `Origin` header:

1. Victim is running OpenClaw locally (even bound to localhost only)
2. Victim clicks a crafted malicious link
3. Attacker's site opens a WebSocket to the victim's local OpenClaw gateway
4. Authentication token is extracted
5. Attacker connects to the gateway and **disables safety controls**
6. Attacker achieves **one-click Remote Code Execution (RCE)**
7. Arbitrary commands run on the victim's machine
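
The control that breaks step 3 of this chain, as an added example that is not OpenClaw's code: a server-side `Origin` check per RFC 6455 (the [[prereq-websocket-security]] material) that a local gateway applies to every Upgrade request before completing the handshake. The allow-listed origins and the sample handshake are constructed for the illustration.

```python
# Added illustration of RFC 6455 Origin validation for a local agent gateway;
# not OpenClaw's code. The allow-listed origins below are hypothetical.
from typing import Optional
from urllib.parse import urlsplit

def normalize_origin(origin: str) -> Optional[str]:
    """Canonical scheme://host[:port], or None for anything malformed."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    if parts.path or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # ValueError for a non-numeric port string
    except ValueError:
        return None
    if port is None or port == (80 if parts.scheme == "http" else 443):
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"

# Exact match on scheme, host and port; never prefix or substring matching,
# so "http://localhost:8080.attacker.example" cannot pass.
ALLOWED_ORIGINS = frozenset(
    map(normalize_origin, ("http://localhost:8080", "http://127.0.0.1:8080")))

def origin_allowed(headers: dict, allow_missing_origin: bool = False) -> bool:
    """Browsers always send Origin and a page cannot alter it, so this check
    keeps a cross-site page away from the gateway even when it is bound to
    localhost (the victim's browser is on localhost too). Non-browser clients
    can forge Origin, so this complements the auth token, never replaces it.
    """
    lowered = {k.lower(): v for k, v in headers.items()}
    if "origin" not in lowered:
        return allow_missing_origin  # no Origin means a non-browser client
    return normalize_origin(lowered["origin"]) in ALLOWED_ORIGINS

def parse_handshake_headers(raw: bytes) -> dict:
    """Header map of a raw HTTP/1.1 Upgrade request (request line dropped)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1").split("\r\n")[1:]
    pairs = (line.partition(":") for line in head if ":" in line)
    return {k.strip(): v.strip() for k, _, v in pairs}

# Constructed sample (not a capture) of the handshake a browser sends when a
# page on another site opens a socket to the victim's local gateway.
CROSS_SITE_UPGRADE = (
    b"GET /gateway HTTP/1.1\r\nHost: 127.0.0.1:8080\r\nUpgrade: websocket\r\n"
    b"Connection: Upgrade\r\nOrigin: https://attacker.example\r\n"
    b"Sec-WebSocket-Version: 13\r\nSec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r\n\r\n"
)
```

Feeding `CROSS_SITE_UPGRADE` through `parse_handshake_headers` and `origin_allowed` returns `False`, which is the point at which a gateway should answer with 403 instead of finishing the handshake.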

## Blast Radius

- **21,000 instances** exposed on the internet
- **API keys and OAuth tokens** leaked
- **35,000 emails** accessible
- **1.5 million agent API tokens** compromised

Additional context: [[entity-snyk]] reported that **7% of the 4,000 skills** on ClawHub were mishandling secrets.

## Strategic Implication

CSWSH is the canonical example behind [[claim-security-is-primary-agent-bottleneck]] and the [[question-consumer-agent-security]] open question. Mitigation guidance: [[action-audit-agent-security]].

## Quote

See [[quote-shadow-dangerous]] for the maintainer's blunt take.

## Counter-Perspective

Enrichment notes that sandboxing approaches (WebAssembly, permission UIs, formal verification) and Anthropic's Computer Use sandbox suggest the problem is **hard but tractable**, not categorically unsolvable.
