CyberSecurity News

OpenClaw Chain Flaws Expose 245 Vulnerabilities Public

A chain of four critical vulnerabilities has been discovered in OpenClaw, one of the fastest-growing open-source platforms for autonomous AI agents. These flaws expose an estimated 245,000 publicly...

Marcus Rodriguez
Marcus Rodriguez
May 15, 2026 3 Min Read
2 0

A chain of four critical vulnerabilities has been discovered in OpenClaw, one of the fastest-growing open-source platforms for autonomous AI agents. These flaws expose an estimated 245,000 publicly accessible server instances to remote exploitation, credential theft, and persistent backdoor installation.

Originally launched as “Clawdbot” in late 2025, OpenClaw connects large language models directly to filesystems, SaaS applications, credentials, and execution environments.

Enterprises have rapidly adopted it for IT automation, customer service pipelines, and operational integrations with platforms like Telegram, Discord, and Microsoft Agent 365. That broad, privileged access makes it an exceptionally high-value target.

Cyera’s research team identified the four previously undisclosed vulnerabilities and disclosed them to OpenClaw maintainers in April 2026. All four have since been patched.

Claw Chain OpenClaw Vulnerabilities

  • CVE-2026-44112 (CVSS 9.6 – Critical): A time-of-check/time-of-use (TOCTOU) race condition in the OpenShell sandbox allows attackers to redirect write operations outside the sandbox boundary, enabling configuration tampering and persistent backdoor placement on the host.
  • CVE-2026-44115 (CVSS 8.8 – High): A gap between OpenClaw’s command validation and shell execution allows environment variables — including API keys, tokens, and credentials — to leak through unquoted heredocs that appear safe at validation time.
  • CVE-2026-44118 (CVSS 7.8 – High): OpenClaw blindly trusts a client-controlled ownership flag (senderIsOwner) without cross-referencing the authenticated session, allowing a local process with a valid bearer token to escalate to owner-level control over gateway configuration, scheduling, and execution management.
  • CVE-2026-44113 (CVSS 7.7 – High): The same TOCTOU race condition pattern in read operations lets attackers swap validated file paths with symbolic links pointing outside the allowed mount root, exposing system files and internal artifacts the agent was never meant to access.

While each flaw carries its own weight, their combined effect, dubbed “Claw Chain” by Cyera, is far more alarming.

From a single foothold, such as a malicious plugin, prompt injection, or compromised external input, an attacker can chain three vulnerabilities in parallel:

  1. Foothold – Gain code execution inside the OpenShell sandbox via a malicious plugin or prompt injection
  2. Exfiltration – Use CVE-2026-44113 and CVE-2026-44115 to harvest credentials, secrets, and sensitive files
  3. Privilege Escalation – Exploit CVE-2026-44118 to elevate to owner-level control of the agent runtime
  4. Persistence – Deploy CVE-2026-44112 to plant backdoors and modify future agent behavior

What makes this chain especially dangerous is that the attacker weaponizes the AI agent’s own privileges. Each step mimics normal agent behavior, making detection significantly harder for traditional security controls.

Shodan and ZoomEye scans as of May 2026 reveal approximately 65,000 and 180,000 publicly accessible OpenClaw instances, respectively, totaling roughly 245,000 exposed servers.

Enterprises in financial services, healthcare, and legal sectors face the highest risk, particularly where agent workflows process PII, PHI, or privileged credentials.

Organizations running OpenClaw should treat this as a Priority 1 advisory:

  • Patch immediately by applying the April 23, 2026, fixes covering GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx.
  • Rotate all secrets — assume any environment variable or credential reachable by OpenClaw processes may already be compromised.
  • Identify exposed instances using Shodan scans or internal asset inventory and place them behind authentication or firewall controls.
  • Audit agent access and treat OpenClaw deployments as privileged identities subject to the same lifecycle controls as service accounts.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackCVEExploitPatchSecurity

Share Article

Marcus Rodriguez

Marcus Rodriguez

Marcus is a security researcher and investigative journalist with expertise in vulnerability research, bug bounties, and cloud security. Since 2017, Marcus has been breaking stories on critical vulnerabilities affecting major platforms. His investigative work has led to the disclosure of numerous security flaws and improved defenses across the industry. Marcus is an active participant in bug bounty programs and has been recognized for responsible disclosure practices. He holds multiple security certifications and regularly speaks at industry events.

No Comment! Be the first one.

Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts