OpenClaw maintainers patched four critical vulnerabilities on April 23, 2026, after coordinated disclosure from Cyera Research. On May 15, Cyera published the full technical analysis of what they call “Claw Chain”: an attack sequence that weaponizes an AI agent’s own privileges to move from a single foothold to full host compromise. The issues are fixed. The architectural pattern they expose is not unique to OpenClaw.
The Four CVEs
The chain comprises four flaws spanning sandbox isolation, identity validation, and execution boundaries:
CVE-2026-44112 (CVSS 9.6, Critical): A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw’s OpenShell sandbox lets write operations escape the sandbox boundary: the target path is validated first and written later, and what it points at can change in between. An attacker who wins the race can tamper with host configuration and plant persistent backdoors on the host.
CVE-2026-44115 (CVSS 8.8, High): A gap between command validation and shell execution leaks environment variables through unquoted heredocs. The validator inspects the literal command text, in which a reference such as $API_KEY is just a string, but the shell performs parameter expansion on the body of an unquoted heredoc when the command runs. API keys, tokens, and credentials that look safe at validation time are therefore expanded into the command at execution time.
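The validation/execution gap in a runnable form. This is an added example, not OpenClaw code or Cyera’s proof of concept: the validator, the heredoc check, and the environment variable name OPENCLAW_API_KEY are assumptions, and the secret value is constructed. The naive runner hands the command to /bin/sh with the agent’s full environment; the scrubbed runner shows the mitigation of executing with an environment that holds no secrets.

```python
import os
import re
import subprocess

# Constructed secret standing in for an API key in the agent's process
# environment (name and value are assumptions for this example).
SECRETS_ENV = {"OPENCLAW_API_KEY": "sk-constructed-example-key-123"}
AGENT_ENV = dict(os.environ, **SECRETS_ENV)

# Attacker-controlled command text. In an unquoted heredoc (<<EOF) the shell
# performs parameter expansion on the body, so $OPENCLAW_API_KEY is replaced
# with the secret when the command runs, not when it is inspected.
ATTACK = "cat <<EOF\nkey=$OPENCLAW_API_KEY\nEOF\n"

_SECRET_KEY_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD")


def validate_command(cmd: str, env: dict) -> bool:
    """Pre-execution check of the kind the advisory describes: inspects the
    literal command text and rejects it only if a secret value appears
    verbatim. The reference $OPENCLAW_API_KEY is plain text here, so it passes."""
    secrets = [v for k, v in env.items()
               if len(v) >= 8 and any(h in k.upper() for h in _SECRET_KEY_HINTS)]
    return not any(s in cmd for s in secrets)


def heredoc_will_expand(cmd: str) -> bool:
    """True if the command contains a heredoc whose delimiter is unquoted.
    Quoting the delimiter (<<'EOF' or <<"EOF") disables expansion of the body;
    an unquoted delimiter leaves every $VAR reference live at execution.
    Heuristic: it does not model a backslash-escaped delimiter (<<\\EOF)."""
    return any(m.group(1) == "" for m in re.finditer(r"<<-?\s*(['\"]?)\w+\1", cmd))


def run_naive(cmd: str) -> str:
    """Executes with the agent's full environment, as a naive runtime would."""
    return subprocess.run(["/bin/sh", "-c", cmd], env=AGENT_ENV,
                          capture_output=True, text=True).stdout


def run_scrubbed(cmd: str) -> str:
    """Mitigation: execute with an environment holding no secrets, so a
    reference expanded at execution time has nothing to expand to."""
    minimal = {"PATH": AGENT_ENV.get("PATH", "/usr/bin:/bin")}
    return subprocess.run(["/bin/sh", "-c", cmd], env=minimal,
                          capture_output=True, text=True).stdout


def demo() -> tuple:
    """Returns (validator verdict, heredoc expands?, naive output, scrubbed output)."""
    return (validate_command(ATTACK, SECRETS_ENV), heredoc_will_expand(ATTACK),
            run_naive(ATTACK).strip(), run_scrubbed(ATTACK).strip())
```

The validator accepts the command while the naive run prints the key; the same command under a scrubbed environment prints `key=` with nothing after it. Scrubbing the environment is the more robust fix because it does not depend on parsing every shell construct that can expand a variable.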
CVE-2026-44118 (CVSS 7.8, High): OpenClaw trusts a client-controlled senderIsOwner flag on requests without cross-referencing it against the authenticated session. Any local process holding a valid bearer token can therefore set the flag itself and escalate to owner-level control over gateway configuration, scheduling, and execution management.
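The flaw and its fix side by side. This is an added example, not OpenClaw’s gateway code: the session table, token strings, principal names, and operation names are constructed for illustration. The vulnerable handler authenticates the token and then lets the caller’s own senderIsOwner flag decide authorization; the fixed handler derives ownership from the session bound to the token, and records a mismatch between the claimed and actual role as a detection signal.

```python
# Constructed session table: bearer token -> authenticated session. Only the
# owner's session carries the owner role. Tokens and names are illustrative.
SESSIONS = {
    "tok-owner-0001": {"principal": "alice", "role": "owner"},
    "tok-plugin-0002": {"principal": "plugin:summarizer", "role": "plugin"},
}

# Operations the advisory describes as owner-level: gateway configuration,
# scheduling, and execution management (operation names are assumptions).
OWNER_ONLY = {"config.write", "schedule.create", "exec.manage"}

# Mismatches between the client's claim and the session's role land here.
AUDIT_LOG = []


def handle_vulnerable(request: dict) -> str:
    """Authenticates the token, then trusts the caller's senderIsOwner flag
    for authorization. Any authenticated process can set the flag itself."""
    if request.get("token") not in SESSIONS:
        return "unauthenticated"
    if request["op"] in OWNER_ONLY and not request.get("senderIsOwner", False):
        return "forbidden"
    return "ok"


def handle_fixed(request: dict) -> str:
    """Derives ownership from the session bound to the token. The client flag
    never influences the decision; it is only compared against the session
    so that a false claim can be alerted on."""
    session = SESSIONS.get(request.get("token"))
    if session is None:
        return "unauthenticated"
    is_owner = session["role"] == "owner"
    claimed = request.get("senderIsOwner")
    if claimed is not None and bool(claimed) != is_owner:
        AUDIT_LOG.append({"principal": session["principal"], "op": request["op"],
                          "claimed_owner": bool(claimed), "actual_owner": is_owner})
    if request["op"] in OWNER_ONLY and not is_owner:
        return "forbidden"
    return "ok"


def demo() -> tuple:
    """A plugin-token request claiming ownership, then an honest owner request.
    Returns (vulnerable verdict, fixed verdict, owner verdict, audit entries)."""
    escalation = {"token": "tok-plugin-0002", "op": "config.write", "senderIsOwner": True}
    honest_owner = {"token": "tok-owner-0001", "op": "config.write", "senderIsOwner": True}
    AUDIT_LOG.clear()
    return (handle_vulnerable(escalation), handle_fixed(escalation),
            handle_fixed(honest_owner), len(AUDIT_LOG))
```

The escalation request succeeds against the vulnerable handler and is refused by the fixed one, which also leaves one audit entry naming the plugin principal that claimed ownership; that entry is the kind of event a detection rule for this class of bug should key on.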
CVE-2026-44113 (CVSS 7.7, High): The same TOCTOU race pattern applied to read operations. After a file path passes validation, an attacker swaps it for a symbolic link pointing outside the allowed mount root, so the read that follows exposes system files and internal artifacts.
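The race behind CVE-2026-44112 and CVE-2026-44113 in a runnable form, as an added example that is not OpenClaw’s sandbox code: the directory layout, file names, and the hook that stands in for the attacker winning the race are all constructed. The vulnerable reader validates a resolved path and then reopens the original path string, so a symlink planted in between is followed. The hardened reader walks the path one component at a time relative to a directory file descriptor with O_NOFOLLOW, which opens exactly the object it checked and leaves no window to race.

```python
import errno
import os
import tempfile
from pathlib import Path


class SandboxEscape(Exception):
    """Raised when a requested path would leave the sandbox's mount root."""


def read_vulnerable(mount_root: str, rel_path: str, between_check_and_use=None) -> bytes:
    """Check-then-use: the path is validated by resolving it, then the original
    path string is opened again. Anything that changes on disk between those two
    steps (the TOCTOU window) is invisible to the check. The optional hook
    stands in for an attacker winning the race."""
    root = os.path.realpath(mount_root)
    full = os.path.join(root, rel_path)
    if os.path.commonpath([os.path.realpath(full), root]) != root:
        raise SandboxEscape(rel_path)
    if between_check_and_use is not None:
        between_check_and_use()
    with open(full, "rb") as f:  # re-resolves `full`, following any symlink
        return f.read()


def _open_nofollow(name: str, dir_fd: int, flags: int, rel_path: str) -> int:
    try:
        return os.open(name, flags | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dir_fd)
    except OSError as e:
        # ELOOP (Linux and macOS) means this component is a symlink: refuse it.
        if e.errno == errno.ELOOP:
            raise SandboxEscape(rel_path) from e
        raise


def read_hardened(mount_root: str, rel_path: str) -> bytes:
    """Walks the path one component at a time relative to a directory fd,
    refusing '..' and refusing symlinks at every step. Each open acts on the
    object that was just looked up, so there is no string to re-resolve."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise SandboxEscape(rel_path)
    dir_fd = os.open(mount_root, os.O_RDONLY | os.O_DIRECTORY | os.O_CLOEXEC)
    try:
        for part in parts[:-1]:
            next_fd = _open_nofollow(part, dir_fd, os.O_RDONLY | os.O_DIRECTORY, rel_path)
            os.close(dir_fd)
            dir_fd = next_fd
        file_fd = _open_nofollow(parts[-1], dir_fd, os.O_RDONLY, rel_path)
    finally:
        os.close(dir_fd)
    with os.fdopen(file_fd, "rb") as f:
        return f.read()


def _escapes(root: str, rel: str) -> bool:
    try:
        read_hardened(root, rel)
        return False
    except SandboxEscape:
        return True


def demo() -> tuple:
    """Constructed layout in a temp dir: mount/data/report.txt is inside the
    sandbox, outside/host-secret is not. Returns (legitimate hardened read,
    leaked bytes from the vulnerable read, symlink blocked?, '..' blocked?)."""
    base = Path(tempfile.mkdtemp())
    root, outside = base / "mount", base / "outside"
    (root / "data").mkdir(parents=True)
    outside.mkdir()
    report = root / "data" / "report.txt"
    report.write_bytes(b"agent-visible report")
    (outside / "host-secret").write_bytes(b"HOST SECRET")

    def swap_for_symlink():  # the attacker's move inside the race window
        report.unlink()
        report.symlink_to(outside / "host-secret")

    legit = read_hardened(str(root), "data/report.txt")
    leaked = read_vulnerable(str(root), "data/report.txt", swap_for_symlink)
    return (legit, leaked,
            _escapes(str(root), "data/report.txt"),
            _escapes(str(root), "../outside/host-secret"))
```

The vulnerable reader returns the host file even though the path it validated was inside the mount root; the hardened reader refuses the same path once it has become a symlink, and refuses `..` outright. On Linux 5.6 and later, openat2 with RESOLVE_BENEATH gives the same guarantee in a single system call; the component walk above is the portable equivalent.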
How the Chain Works
According to Cyera’s disclosure, a single entry point (a malicious plugin, prompt injection, or compromised external input) gives the attacker a foothold, from which three exploitation paths branch and can run in parallel:
- Foothold: Code execution inside the OpenShell sandbox via a malicious plugin or prompt injection.
- Exfiltration: CVE-2026-44113 and CVE-2026-44115 harvest credentials, secrets, and sensitive files beyond the agent’s intended scope.
- Privilege Escalation: CVE-2026-44118 elevates the compromised process to owner-level control of the agent runtime.
- Persistence: CVE-2026-44112 plants backdoors and modifies future agent behavior.
To traditional monitoring tools, each step looks like ordinary agent activity: an agent is expected to read files, run shell commands, and change its own configuration. As Cybersecurity News reported, the attacker “weaponizes the AI agent’s own privileges,” which makes detection significantly harder than for a conventional exploitation chain.
Exposure Surface
Shodan and ZoomEye scans as of May 2026 show approximately 65,000 and 180,000 publicly accessible OpenClaw instances respectively, roughly 245,000 in total. That total is a plain sum of two independent scanners’ results, so hosts indexed by both are counted twice; treat it as an upper bound on unique exposed servers. Cyera identifies enterprises in financial services, healthcare, and legal sectors as highest-risk, particularly where agent workflows process PII, PHI, or privileged credentials.
Remediation
All four vulnerabilities are addressed in patches released April 23, 2026, covering GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx. Organizations running OpenClaw should:
- Update to the latest release immediately.
- Rotate every secret reachable from OpenClaw processes (API keys, tokens, and credentials held in the environment or on the mounted filesystem), on the assumption that they may already have been read.
- Place exposed instances behind authentication or firewall controls.
- Treat OpenClaw deployments as privileged identities subject to the same lifecycle controls as service accounts.
The Pattern That Matters
Cyera’s research frames the broader concern directly: “AI agents have become a primary execution surface, and the security model around them has not caught up.” The Claw Chain technique applies conceptually to any agent platform that combines broad system access, plugin extensibility, and sandbox isolation in a single runtime. Teams building autonomous agent deployments should audit for TOCTOU conditions at sandbox boundaries, validate identity claims server-side rather than trusting client flags, and treat environment variable exposure as a first-class threat in agent execution contexts.