What Just Happened: OpenClaw Patches Critical WebSocket Hijacking Vulnerability
OpenClaw maintainers released versions 2026.3.11 and 2026.3.11-beta.1 on March 11, 2026, patching a critical cross-site WebSocket hijacking (CSWSH) vulnerability in the Gateway component. The flaw, tracked as GHSA-5wcw-8jjv-m286, was specific to trusted-proxy mode: when the expected proxy headers were absent from a handshake, the Gateway skipped browser origin validation entirely. A page on an untrusted origin could therefore open a WebSocket to the Gateway from a victim's browser and act with that user's privileges, up to operator.admin. The vulnerability affects deployments running Gateway versions 2026.3.10 and earlier with browser-facing WebSocket endpoints enabled. The fix enforces browser origin validation regardless of whether proxy headers are present, closing the path that let a malicious website execute privileged operations. If you operate an OpenClaw instance with Gateway enabled and have not updated to 2026.3.11, treat the deployment as vulnerable: a crafted web page visited by an authenticated user is enough to establish a rogue WebSocket connection to your agents.
Understanding Cross-Site WebSocket Hijacking (CSWSH)
Cross-site WebSocket hijacking exploits a basic property of browsers: when a page opens a WebSocket, the browser attaches the cookies (and any other ambient credentials) it holds for the target host, exactly as it does for ordinary HTTP requests. Unlike fetch or XMLHttpRequest, however, WebSocket connections are not governed by the same-origin policy or by CORS; the browser sends an Origin header on the handshake and leaves it to the server to decide whether that origin may connect. A server that never checks Origin is open to any site the victim happens to visit. In OpenClaw's case, the Gateway's WebSocket handler assumed that a handshake arriving without proxy headers came from a non-browser client and skipped the origin check. A malicious site visited by an authenticated OpenClaw user could therefore open a WebSocket to the victim's local or remote Gateway, and once the connection was up, send arbitrary JSON-RPC commands through the agent protocol with the user's privileges. The attacker never sees the victim's cookie and does not need to. The attack requires the victim to hold an active session and to load the attacker's page, but the hijacked connection then persists for as long as that page stays open, turning the browser into a relay for unauthorized agent control and data exfiltration.
The trusted-proxy Mode Attack Vector
The vulnerability was specific to OpenClaw's trusted-proxy mode, a common configuration when the Gateway sits behind a reverse proxy such as Nginx, Traefik, or Cloudflare. In this mode the Gateway reads X-Forwarded-For, X-Forwarded-Proto, and similar headers to recover the original client details rather than the proxy's. The bug was in the handling of requests that arrived without those headers: the code treated "no proxy headers" as "not a browser" and skipped origin validation entirely. That assumption fails whenever a browser can reach the Gateway listener without passing through the proxy, for example a Gateway port bound to a reachable interface alongside the proxy, or a local instance listening on localhost. A page on a hostile origin only had to point the victim's browser at that path and the handshake was accepted, cookies and all; the attacker did not need to strip anything, because a direct connection never carries forwarding headers in the first place. Origin enforcement had become conditional on the presence of metadata that the request path controls rather than on the actual origin of the connection. The principle violated is basic: a security check must never be gated on client-supplied or path-dependent metadata that can be omitted, stripped, or forged.
How GHSA-5wcw-8jjv-m286 Could Grant operator.admin Access
The impact is severe because a hijacked connection inherits the victim's authorization scope, and for an operator that means operator.admin, the highest permission level in OpenClaw's role-based access control. Through the Gateway's JSON-RPC interface the attacker could then invoke administrative methods: agent configuration changes, skill installation, file system operations, and memory store access. Depending on the installed skills, operator.admin permits modifying agent behavior parameters, reading sensitive memory embeddings, and executing system commands. Because a WebSocket is a persistent bidirectional channel, a single successful hijack provides ongoing administrative access for as long as the connection lives, that is, until the victim closes the page, the connection times out, or the server process restarts; the attacker never needs to re-exploit anything. For production deployments running 24/7 autonomous agents with long-lived sessions and elevated system privileges, that persistence is what made the flaw critical.
Immediate Upgrade Required: Version 2026.3.11 Details
OpenClaw 2026.3.11 is a mandatory security update, available through the standard package managers, GitHub releases, and container registries. The patch changes the WebSocket upgrade handler in the Gateway to validate the Origin header on every browser-originated connection, whether or not proxy headers are present. Browsers always send Origin on a WebSocket handshake, and legitimate non-browser clients normally do not, so those clients keep working. The update is also described as checking User-Agent strings and connection metadata to recognise browser clients; treat those as convenience signals only, since a non-browser client can set any header it likes, and rely on authentication, not origin checks, for clients that present no Origin. Origin validation defends against browser-mediated hijacking; it is not a substitute for authenticating the connecting client. Both the stable channel (2026.3.11) and the beta channel (2026.3.11-beta.1) received the fix simultaneously. Updated Docker images are on Docker Hub with refreshed tags and the Homebrew formula has been bumped. Do not delay the upgrade: the attacker needs no credentials of their own, only a logged-in victim who visits a page they control, and a working CSWSH proof of concept is a few lines of JavaScript.
The Technical Fix: Origin Validation Enforcement
The patch requires the Origin header to match a configurable allowlist before any WebSocket handshake from a browser client completes. Previously that validation ran only when X-Forwarded-For or similar headers indicated a proxied connection, which created the bypass. The fix adds an unconditional path: whenever the handshake presents browser characteristics, principally an Origin header (the other handshake headers and TLS fingerprint the update inspects are secondary; Origin is the one signal a browser always supplies), the Gateway verifies the origin against the gateway.allowed_origins configuration list. The change touches roughly 40 lines in the Gateway's connection upgrade handler, in the origin-checking middleware. Administrators running trusted-proxy mode should check that allowed_origins lists every legitimate origin exactly as the browser sends it, scheme, host and port (https://agents.example and https://agents.example:8443 are distinct origins), including the localhost variants used in development. The fix also adds structured logging for rejected connections, recording the attempted origin and client IP; that log is what you will use both to spot exploitation attempts and to find legitimate clients you forgot to list.
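The logic error described in the trusted-proxy section and the unconditional check described here, reduced to a single handshake-policy function in each form. This is an added example, not OpenClaw's code: the header names are the standard ones, but the allowlist contents, the response shape, and the rule that a client presenting no Origin must carry a bearer token are assumptions made for the example.

```javascript
// Added example, not OpenClaw's code. Shows the vulnerable "skip the origin
// check when no proxy headers are present" decision beside a hardened one
// that keys on the Origin header alone. Allowlist contents and the bearer-token
// rule for Origin-less clients are assumptions.

// Origins compare exactly, scheme://host[:port], as browsers send them.
const ALLOWED_ORIGINS = new Set([
  'https://agents.example.internal', // assumed production UI origin
  'http://localhost:8080',           // assumed local development origin
]);

// Node lower-cases incoming header names; tolerate either case and repeats.
function header(headers, name) {
  const v = headers[name.toLowerCase()];
  return Array.isArray(v) ? v[0] : v;
}

function hasProxyHeaders(headers) {
  return header(headers, 'x-forwarded-for') !== undefined
      || header(headers, 'x-forwarded-proto') !== undefined;
}

// VULNERABLE (mirrors the pre-2026.3.11 logic as the text describes it):
// Origin is checked only when forwarding headers show the request came via
// the proxy. A browser steered by a hostile page that reaches the Gateway
// listener directly carries no proxy headers and is accepted, cookies and all.
function vulnerableOriginGate(headers, allowed = ALLOWED_ORIGINS) {
  if (!hasProxyHeaders(headers)) {
    return { accept: true, reason: 'no proxy headers: assumed non-browser client' };
  }
  const origin = header(headers, 'origin');
  if (origin !== undefined && allowed.has(origin)) {
    return { accept: true, reason: 'origin allowed' };
  }
  return { accept: false, status: 403, reason: 'origin rejected' };
}

// HARDENED: browsers always send Origin on a WebSocket handshake (RFC 6455,
// section 4.1), so the decision keys on Origin itself, never on proxy metadata.
//   Origin present and allow-listed -> accept (authentication still follows)
//   Origin present, not listed      -> 403
//   Origin absent (non-browser)     -> accept only with an explicit bearer
//                                      token; a cookie alone is ambient
//                                      authority and is not honoured here.
// A non-browser client can forge any Origin, so this gate only stops
// browser-mediated hijacking; it is not authentication.
function hardenedOriginGate(headers, allowed = ALLOWED_ORIGINS) {
  const origin = header(headers, 'origin');
  if (origin !== undefined) {
    return allowed.has(origin)
      ? { accept: true, reason: 'origin allowed' }
      : { accept: false, status: 403, reason: 'origin rejected' };
  }
  const auth = header(headers, 'authorization') || '';
  if (/^Bearer \S+$/.test(auth)) {
    return { accept: true, reason: 'non-browser client with bearer token' };
  }
  return { accept: false, status: 401, reason: 'no origin and no bearer token' };
}

// Constructed handshakes for the example (not captured traffic).
const HANDSHAKES = {
  // Victim's browser, steered by a page on evil.example, hitting the Gateway
  // port directly: no proxy headers, session cookie attached automatically.
  crossSiteDirect: {
    host: 'gateway:8080', upgrade: 'websocket', connection: 'Upgrade',
    'sec-websocket-version': '13', 'sec-websocket-key': 'dGhlIHNhbXBsZSBub25jZQ==',
    origin: 'https://evil.example', cookie: 'session=victim-session-id',
  },
  // Same hostile page, but the handshake came through the proxy.
  crossSiteViaProxy: {
    host: 'agents.example.internal', upgrade: 'websocket', connection: 'Upgrade',
    'x-forwarded-for': '203.0.113.7', 'x-forwarded-proto': 'https',
    origin: 'https://evil.example', cookie: 'session=victim-session-id',
  },
  // Legitimate UI session arriving through the proxy.
  legitimateUi: {
    host: 'agents.example.internal', upgrade: 'websocket', connection: 'Upgrade',
    'x-forwarded-for': '198.51.100.4', 'x-forwarded-proto': 'https',
    origin: 'https://agents.example.internal', cookie: 'session=operator-session-id',
  },
  // CLI client on the same host: no Origin, explicit token.
  cliWithToken: {
    host: 'localhost:8080', upgrade: 'websocket', connection: 'Upgrade',
    authorization: 'Bearer example-token-value',
  },
  // No Origin and only a cookie: anomalous for any real client, rejected.
  cookieOnlyNoOrigin: {
    host: 'localhost:8080', upgrade: 'websocket', connection: 'Upgrade',
    cookie: 'session=victim-session-id',
  },
};

// Run both gates over every constructed handshake side by side.
function compareGates(handshakes = HANDSHAKES) {
  const out = {};
  for (const [name, h] of Object.entries(handshakes)) {
    out[name] = {
      vulnerable: vulnerableOriginGate(h).accept,
      hardened: hardenedOriginGate(h).accept,
    };
  }
  return out;
}

console.table(compareGates());
```

The one row where the two gates disagree is the direct cross-site handshake: the vulnerable gate accepts it because nothing in the request says "proxy", the hardened gate rejects it because the request says "browser on evil.example". Note that the hardened gate still accepts the CLI client with no Origin only because it presents a token; a client with only a cookie and no Origin is refused, since no browser produces that combination.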
Am I Vulnerable? Checking Your OpenClaw Deployment
To determine whether your deployment is vulnerable, examine three things. First, check whether the Gateway is enabled: gateway.enabled: true in config.yaml or the equivalent environment variable. Second, check whether trusted-proxy mode is on: gateway.trusted_proxy: true. Third, identify your version with openclaw --version, or from your container image tags via docker images. If you run 2026.3.10 or earlier with the Gateway enabled and trusted-proxy mode active, you are vulnerable. Direct browser exposure without a reverse proxy is also risky if explicit origin validation was never configured. You can reproduce the vulnerable condition with curl, which unlike a browser lets you set an arbitrary Origin. Run it against the Gateway listener directly rather than through your proxy, so that no forwarding headers are present, and include the session credential your browser would send, so that the test exercises origin handling rather than authentication:
curl -i -N \
  -H "Connection: Upgrade" \
  -H "Upgrade: websocket" \
  -H "Sec-WebSocket-Version: 13" \
  -H "Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==" \
  -H "Origin: https://evil.com" \
  -H "Cookie: <your session cookie>" \
  http://your-openclaw:8080/ws
A 101 Switching Protocols response means the Gateway accepted an upgrade from an origin you never allowed: you are vulnerable and must patch immediately. A 403 Forbidden means the origin check ran and rejected the handshake. Two other responses are worth recognising: a 401 means authentication was rejected before origin was evaluated, so the test is inconclusive until you supply a valid credential, and a 400 usually means the handshake headers were incomplete (Sec-WebSocket-Key and Sec-WebSocket-Version are required) rather than that origin was checked. Repeat the command with your legitimate UI origin to confirm that allowed origins still receive 101.
Upgrading from 2026.3.10 and Earlier: Step-by-Step
Upgrade immediately using your deployment method. For Docker Compose, run docker pull openclaw/openclaw:2026.3.11 and then docker compose up -d (docker-compose up -d on older installs) to restart services with the new image. For Homebrew on macOS or Linux, run brew update && brew upgrade openclaw. For binary installations, download the release asset from GitHub, verify that its SHA256 matches the checksum published with the release (and verify the checksum file's signature where one is provided; a checksum on its own is not a signature), then replace the existing binary in /usr/local/bin or your installation directory. After upgrading, restart the Gateway service and confirm the version in the application logs: you should see OpenClaw Gateway v2026.3.11 starting. Confirm that legitimate browser connections still work by loading the Web UI from an authorized domain, and re-run the hostile-origin curl test above to confirm it now returns 403. Watch the logs for origin_validation_failed entries. Immediately after patching these are as likely to be your own unlisted dev or staging origins as attackers, so reconcile each rejected origin against gateway.allowed_origins before concluding you are under attack. Rollback is not recommended given the severity, but keep a copy of your 2026.3.10 configuration for 24 hours in case the stricter validation breaks a legacy client.
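A first-pass triage of the rejection log the previous paragraph tells you to watch, as an added example rather than anything shipped with OpenClaw. The page states that rejected handshakes are logged with the attempted origin and the client IP, but it does not show the actual line format, so the JSON-lines layout, the field names and the event name below are assumptions, and every sample line is constructed for the example.

```javascript
// Added example, not OpenClaw's code. Sorts origin_validation_failed entries
// into "allow-list gap" versus "hostile" buckets and flags repeat offenders.
// Log layout (JSON lines with ts/event/origin/ip/path) is an ASSUMPTION; the
// sample below is constructed, not captured.
const SAMPLE_LOG = [
  '{"ts":"2026-03-12T09:14:02Z","event":"origin_validation_failed","origin":"https://evil.example","ip":"203.0.113.7","path":"/ws"}',
  '{"ts":"2026-03-12T09:14:03Z","event":"origin_validation_failed","origin":"https://evil.example","ip":"203.0.113.7","path":"/ws"}',
  '{"ts":"2026-03-12T09:14:04Z","event":"origin_validation_failed","origin":"https://evil.example","ip":"203.0.113.7","path":"/ws"}',
  '{"ts":"2026-03-12T09:14:05Z","event":"origin_validation_failed","origin":"null","ip":"198.51.100.4","path":"/ws"}',
  '{"ts":"2026-03-12T09:15:00Z","event":"ws_connected","origin":"https://agents.example.internal","ip":"10.0.0.12","path":"/ws"}',
  'Mar 12 09:15:30 gateway: a non-JSON line that the parser must skip',
  '{"ts":"2026-03-12T09:16:10Z","event":"origin_validation_failed","origin":"http://localhost:3000","ip":"10.0.0.12","path":"/ws"}',
].join('\n');

// Parse JSON lines, skipping anything that is not a JSON object with an event.
function parseLogLines(text) {
  const events = [];
  for (const line of text.split('\n')) {
    const t = line.trim();
    if (!t.startsWith('{')) continue;
    try {
      const e = JSON.parse(t);
      if (e && typeof e.event === 'string') events.push(e);
    } catch {
      // malformed line: skip rather than abort the whole triage
    }
  }
  return events;
}

// Group rejections by (ip, origin) and bucket them:
//  - misconfigured: an origin you recognise as your own (a dev or staging UI
//    missing from gateway.allowed_origins); the fix is the allow-list.
//  - nullOrigin: browsers send "Origin: null" for opaque origins such as
//    sandboxed iframes and file:// pages, a classic CSWSH fingerprint; never
//    add "null" to an allow-list.
//  - hostile: everything else.
// repeatOffenders lists source IPs with at least `threshold` rejections.
function triageRejections(events, { knownOrigins = new Set(), threshold = 3 } = {}) {
  const counts = new Map();
  for (const e of events) {
    if (e.event !== 'origin_validation_failed') continue;
    const key = `${e.ip}|${e.origin}`;
    counts.set(key, (counts.get(key) || 0) + 1);
  }
  const result = { misconfigured: [], hostile: [], nullOrigin: [], repeatOffenders: [] };
  const perIp = new Map();
  for (const [key, count] of counts) {
    const [ip, origin] = key.split('|');
    const entry = { ip, origin, count };
    perIp.set(ip, (perIp.get(ip) || 0) + count);
    if (origin === 'null') result.nullOrigin.push(entry);
    else if (knownOrigins.has(origin)) result.misconfigured.push(entry);
    else result.hostile.push(entry);
  }
  for (const [ip, count] of perIp) {
    if (count >= threshold) result.repeatOffenders.push({ ip, count });
  }
  return result;
}

// Usage: feed it your own allow-list so your own origins are not mistaken for attackers.
console.log(JSON.stringify(
  triageRejections(parseLogLines(SAMPLE_LOG), {
    knownOrigins: new Set(['http://localhost:3000']), // assumed dev UI origin
    threshold: 3,
  }),
  null, 2,
));
```

On the constructed sample this yields one hostile origin with three rejections from 203.0.113.7 (also the only repeat offender), one "null" origin from 198.51.100.4, and one allow-list gap (the developer's localhost:3000 UI). Only the last is a configuration fix; the other two are the signal the patch's logging was added to produce.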
OpenRouter Hunter Alpha and Healer Alpha Model Support
Beyond the security fix, OpenClaw 2026.3.11 adds temporary entries for OpenRouter's Hunter Alpha and Healer Alpha models to the built-in model catalog. These stealth models are available as a free preview for roughly one week. Hunter Alpha is aimed at penetration testing methodology and vulnerability discovery, Healer Alpha at hardening recommendations and incident response. The update adds entries to models/catalog.json with routing for OpenRouter's API endpoints and context window specifications. To use them, set your OpenRouter API key in providers.openrouter.api_key and select the models from the agent configuration interface or the CLI. They are experimental with a limited availability window: suitable for research and testing, not for production dependencies. Token limits, pricing metadata, and rate limiting are handled through the existing OpenRouter adapter, so no new provider code was needed.
iOS Home Canvas and macOS Chat UI Refresh
Mobile and desktop users receive interface improvements in this release that address earlier usability friction. The iOS Home canvas now features a bundled welcome screen displaying live agent status, connection health, and recent activity that refreshes automatically on initial connect, reconnect events, and return to the foreground. The compact connection status pill has moved from the intrusive top-left overlay to a more subtle position in the status bar. Floating controls are replaced with a docked toolbar that remains accessible while scrolling, and the home scaffold now adapts to smaller iPhone models including the SE and Mini variants. Chat sessions open in the resolved main session rather than a synthetic ios session, preserving conversation continuity across device switches. macOS users gain a native chat model picker in the UI toolbar, thinking-level selections that persist across app relaunches, and provider-aware session model synchronization that prevents model desync. These changes resolve two earlier complaints: iOS users lost conversational context when backgrounding the app, and macOS users had to reconfigure reasoning preferences after every restart.
First-Class Ollama Setup and OpenCode Go Provider
Developer onboarding sees major improvements with dedicated Ollama configuration flows and expanded OpenCode support for alternative AI coding assistants. The new Ollama setup wizard offers Local-only or Cloud + Local hybrid deployment modes, browser-based cloud sign-in for remote Ollama instances, and curated model suggestions based on detected hardware capabilities including GPU memory and CPU cores. Cloud-model handling now skips unnecessary local model pulls when using remote Ollama instances, saving significant bandwidth and disk space for developers with limited local resources. For OpenCode integration, the release adds a new Go provider while treating Zen and Go variants as unified setup experiences in the configuration wizard. The system stores one shared OpenCode API key for both runtime profiles while maintaining separate execution contexts, and stops overriding the built-in opencode-go catalog routing that caused conflicts in previous versions. These changes reduce configuration friction for developers working with local LLMs or GitHub Copilot alternatives, cutting initial setup time from approximately 15 minutes of manual configuration to under 3 minutes through the guided wizard interface.
Multimodal Memory Indexing with Gemini Embeddings
Memory capabilities expand significantly with opt-in multimodal indexing support using Google’s gemini-embedding-2-preview model for non-text content. The memorySearch.extraPaths configuration now accepts image file paths, audio recordings, and video metadata, generating vector embeddings for multimodal content with strict fallback gating mechanisms. If the Gemini embedding API fails, returns low-confidence vectors, or encounters unsupported file formats, the system falls back to text-only indexing or metadata extraction rather than failing silently or corrupting the memory index. Scope-based reindexing allows targeted updates to specific memory collections without requiring full rebuilds of the entire vector database. To enable this feature, set memory.multimodal.enabled: true in your configuration and provide your Gemini API key in the appropriate provider section. This capability enables agents to search through screenshots, diagrams, UI mockups, and voice memos using natural language queries, though it increases token consumption significantly during indexing operations. The implementation includes built-in rate limiting, batch processing queues, and automatic retry logic to prevent API quota exhaustion during large-scale reindexing operations of existing memory stores.
Security Response Analysis: Speed and Transparency
OpenClaw’s handling of GHSA-5wcw-8jjv-m286 demonstrates mature security practices expected of infrastructure-critical open source projects. The vulnerability was initially reported through GitHub’s private advisory system, patched within 72 hours of the initial report confirmation, and released simultaneously across stable and beta channels with detailed technical descriptions. The maintainers provided specific configuration checks and testing commands rather than vague “update immediately” warnings, allowing administrators to accurately assess their individual risk exposure. The security advisory includes example log entries and network signatures showing exploitation attempts, enabling detection through standard logging tools without requiring specialized security appliances. This level of transparency contrasts sharply with proprietary agent frameworks that often delay disclosure for weeks or omit technical details that would help defenders identify compromise. The rapid release cycle, while potentially disruptive for enterprise change management processes, reflects the reality that AI agent frameworks with administrative system access require security response velocities matching their extensive privilege levels and attack surface exposure.
Hardening Your Gateway Beyond the Patch
Updating to OpenClaw 2026.3.11 is necessary but not sufficient for production-grade security. Set gateway.allowed_origins to the exact scheme://host[:port] values your UI is served from; no wildcards or permissive patterns. Origin comparison is exact, so https://agents.example and https://agents.example:8443 are different origins. Enable gateway.logging.level: debug for 48 hours after patching to audit connection origins and identify unexpected traffic or legacy clients. Make the old bypass condition unreachable regardless of the patch: bind the Gateway to loopback or a private interface so that every browser handshake must traverse the proxy, and confirm the proxy sets X-Forwarded-For and X-Forwarded-Proto on upgrade requests, not just on ordinary ones. Do not configure the proxy to strip or rewrite the Origin header. The Gateway needs the browser's real Origin to make its decision, and a proxy that substitutes an allowed value would neutralise the patch for every request it forwards. The proxy may additionally reject upgrade requests whose Origin is not on your list, as a second, independent check. Segment the network so the Gateway has restricted access to internal agent services and memory stores, and use mutual TLS (mTLS) for service-to-service communication within the OpenClaw cluster, so that even a compromised Gateway cannot move laterally without certificate-based authentication. Finally, enable the gateway.rate_limiting features introduced in 2026.3.11 to slow brute-force connection attempts and reconnaissance.
WebSocket Security Best Practices for AI Agent Frameworks
This vulnerability carries broader lessons for anyone building or deploying AI agent frameworks with browser-based interfaces. Never base a security decision on client-supplied or path-dependent headers such as X-Forwarded-For. The Origin header is useful against browser-mediated attacks only because browsers set it honestly; a non-browser client can forge it, so origin checks complement authentication rather than replace it. The root enabler of CSWSH is ambient authority, the credentials a browser attaches automatically. Prefer short-lived, per-connection tokens that the page must fetch over a same-origin, CORS-protected request and send explicitly (in the first message or via a subprotocol) over long-lived cookies, and mark any cookies you do use SameSite=Lax or Strict, which browsers do not attach to WebSocket handshakes initiated from a different site. A strict Content Security Policy on your own UI limits what injected scripts can do there, but it does nothing about a third-party page connecting to your endpoint; only origin checks and non-ambient credentials address that. Audit Access-Control-Allow-Origin settings: CORS does not govern WebSockets, but a permissive CORS policy can let a hostile page read the very token that is supposed to protect the socket. Require message-level authorization for sensitive operations rather than trusting the handshake alone. For OpenClaw specifically, apply least privilege to skill permissions; even with this patch, compromised credentials or a future bypass do limited damage if skills cannot reach sensitive system resources or execute commands without explicit authorization.
Comparison of WebSocket Security Measures
To further illustrate the importance of robust WebSocket security, let’s compare different approaches and their effectiveness, especially in an AI agent context.
| Security Measure | Description | Effectiveness Against CSWSH (GHSA-5wcw-8jjv-m286) | General Security Benefit | Drawbacks / Considerations |
|---|---|---|---|---|
| OpenClaw 2026.3.11 | The latest patched version of OpenClaw, which includes the critical fix for GHSA-5wcw-8jjv-m286. It enforces strict origin validation regardless of proxy headers. | Fully Mitigated | Prevents cross-site WebSocket hijacking, protecting operator.admin access and sensitive data. Ensures platform integrity. | Requires immediate upgrade. May necessitate updating gateway.allowed_origins configuration if not previously precisely defined. |
| OpenClaw 2026.3.10 (Vulnerable) | Gateway version prior to the patch, in trusted-proxy mode, skipping origin validation whenever proxy headers are absent. | Highly Vulnerable | None beyond normal agent functionality. | Susceptible to browser-mediated remote attack and full compromise of the agent environment. No longer recommended for deployment. |
| Reverse Proxy (No OpenClaw Patch) | Binding the Gateway to loopback so every handshake traverses a proxy that always sets forwarding headers and rejects upgrade requests whose Origin is not on your list. | Partially Mitigated | Adds an independent control point and centralizes traffic management; useful against other attacks as well. | Holds only while no path to the Gateway bypasses the proxy. The proxy must pass Origin through unmodified, never strip or rewrite it. Requires careful rule management and remains vulnerable if misconfigured or bypassed. |
| Temporary Measures (Pre-patch) | Disable the OpenClaw Gateway or restrict network access to it. | Limited Mitigation | Removes the attack surface rather than defending it. | Disrupts legitimate browser-based operations and remote management. Not a long-term solution, and a misconfigured restriction can leave the vulnerability reachable. |