OpenClaw’s Four‑Vulnerability Chain Exposes 245,000 AI Agent Servers to Attack

A security analysis reveals that on February 19, 2026, 23 OpenClaw vulnerabilities—four of which can be chained—left roughly 245,000 publicly exposed AI Agent servers vulnerable to credential theft, privilege escalation, persistent backdoors, and lateral movement, especially in finance, healthcare, and legal sectors.

Black & White Path

OpenClaw Overview

OpenClaw is an open‑source AI Agent runtime framework. Given a large language model (LLM), tools and permissions, an Agent can autonomously reply to customer messages, batch‑process files, operate databases and call third‑party APIs.

Agents run with extremely high permissions (file‑system read/write, SaaS access, API keys and database credentials) and weak supervision, meaning the AI itself decides which privileged actions to take.

Four Chainable Vulnerabilities (Claw Chain)

Cyera identified four CVEs (CVE‑2026‑44112, CVE‑2026‑44113, CVE‑2026‑44115 and CVE‑2026‑44118) with CVSS scores from 7.7 to 9.6. Individually each is dangerous; together they enable a multi‑stage attack.

CVE‑2026‑44112 – TOCTOU File‑System Write Escape (CVSS 9.6 Critical)

A race condition in the OpenShell sandbox allows an attacker to change the target path after the sandbox checks for out‑of‑bounds writes, causing data to be written outside the sandbox. This can be used to modify Agent configuration files and plant persistent backdoors.

CVE‑2026‑44115 – Execution Allowlist Environment Variable Leak (CVSS 8.8 High)

The command‑validation step checks a command against a whitelist, but environment variables passed via an unquoted heredoc are expanded only at execution time. An attacker can cause a whitelisted command to leak API keys, tokens and other credentials.
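One way a command validator can close this gap, as an added example that is not OpenClaw's own code (the allowlist, the regular expressions and the sample scripts are constructed here): the weak check inspects only the command name, while the hardened check also walks every heredoc body and rejects an unquoted delimiter whose body contains something the shell would expand at execution time.

```python
import re
import shlex

ALLOWLIST = {"cat", "ls", "echo", "wc"}  # constructed sample allowlist

# A heredoc operator and its delimiter. A quoted delimiter ('EOF' or "EOF")
# disables expansion of the body; a bare one leaves $VAR, ${VAR}, $(...) and
# backticks live at execution time, after the allowlist check has passed.
HEREDOC_RE = re.compile(r"<<-?\s*(?P<quote>['\"]?)(?P<delim>\w+)(?P=quote)")
EXPANSION_RE = re.compile(r"\$\{?\w+|\$\(|`")

def weak_validate(script: str) -> bool:
    """The pattern the advisory describes: only the command name is checked."""
    lines = script.strip().splitlines()
    tokens = shlex.split(lines[0]) if lines else []
    return bool(tokens) and tokens[0] in ALLOWLIST

def find_unquoted_expansions(script: str) -> list:
    """Return every expansion that sits inside a heredoc whose delimiter is unquoted."""
    findings, lines, i = [], script.splitlines(), 0
    while i < len(lines):
        m = HEREDOC_RE.search(lines[i])
        i += 1
        if not m:
            continue
        quoted, delim = bool(m.group("quote")), m.group("delim")
        while i < len(lines) and lines[i].strip() != delim:  # heredoc body
            if not quoted:
                findings.extend(EXPANSION_RE.findall(lines[i]))
            i += 1
        i += 1  # step past the terminator line
    return findings

def hardened_validate(script: str) -> bool:
    """Allowlist check plus a heredoc scan: a body that would expand at run time
    fails validation even when the command itself is allowed."""
    return weak_validate(script) and not find_unquoted_expansions(script)
```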

CVE‑2026‑44118 – MCP Loopback Privilege Escalation (CVSS 7.8 High)

OpenClaw trusts a client‑controlled "owner" flag (senderIsOwner) without cross‑checking it against an authenticated session. A process holding a valid bearer token can elevate itself to owner level, gaining full control over the Agent gateway, scheduling and execution environment.
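An added illustration of the fix pattern, not OpenClaw's code: the session table, token values and the scheduling handler are constructed here. The owner role is derived from the authenticated session, and the client-supplied senderIsOwner flag is used only as a tamper signal for the audit log.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Session:
    principal: str
    role: str  # "owner" or "agent"; fixed when the token is issued

# Constructed token store standing in for the gateway's session table.
SESSIONS = {
    "tok-owner-constructed": Session("alice", "owner"),
    "tok-plugin-constructed": Session("plugin:report-gen", "agent"),
}
AUDIT_LOG = []

def lookup_session(bearer: Optional[str]) -> Optional[Session]:
    """Resolve a bearer token to its session using a constant-time comparison."""
    if not bearer:
        return None
    for token, session in SESSIONS.items():
        if hmac.compare_digest(token.encode(), bearer.encode()):
            return session
    return None

def vulnerable_is_owner(request: dict) -> bool:
    """The pattern the advisory describes: any authenticated caller may assert
    senderIsOwner and the gateway believes it."""
    session = lookup_session(request.get("bearer"))
    return session is not None and bool(request.get("senderIsOwner", False))

def hardened_is_owner(request: dict) -> bool:
    """Privilege comes only from the authenticated session; a client flag that
    disagrees with it is logged as a tamper signal and otherwise ignored."""
    session = lookup_session(request.get("bearer"))
    if session is None:
        return False
    actual = session.role == "owner"
    claimed = request.get("senderIsOwner")
    if claimed is not None and bool(claimed) != actual:
        AUDIT_LOG.append(f"senderIsOwner mismatch: principal={session.principal} "
                         f"claimed={claimed} actual={actual}")
    return actual

def handle_schedule_job(request: dict, authorize=hardened_is_owner) -> str:
    """An owner-only gateway operation (scheduling) guarded by the chosen check."""
    if not authorize(request):
        return "403 owner role required"
    return f"202 scheduled {request['job']}"
```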

CVE‑2026‑44113 – TOCTOU File‑System Read Escape (CVSS 7.7 High)

A similar TOCTOU race condition on read operations lets an attacker replace a validated path with a symbolic link to a system file after the check but before the read, allowing unauthorized file reads.
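Because both TOCTOU issues share the same check-then-open shape, one added example covers CVE‑2026‑44112 and CVE‑2026‑44113 together; it is not OpenShell's code and assumes a POSIX system whose os.open supports dir_fd and O_NOFOLLOW. The racy naive_read is contrasted with open_in_sandbox, which opens each path component relative to a directory file descriptor so that the containment check and the open are the same system call; passing write flags (O_WRONLY | O_CREAT) to open_in_sandbox covers the write case in the same way.

```python
import os
import tempfile
from pathlib import Path

def naive_read(root, relpath: str, after_check=lambda: None) -> bytes:
    """The racy pattern: resolve and check the path, then open it by name later."""
    target = os.path.join(root, relpath)
    if not os.path.realpath(target).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError("path escapes sandbox")
    after_check()  # stands in for the window in which a path component is swapped
    with open(target, "rb") as f:
        return f.read()

def open_in_sandbox(root, relpath: str, flags: int) -> int:
    """No check-then-open window: each component is opened relative to the previous
    directory fd with O_NOFOLLOW, so a swapped-in symlink is refused, not followed."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if os.path.isabs(relpath) or not parts or ".." in parts:
        raise PermissionError(f"path escapes sandbox: {relpath!r}")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:  # descend one directory component at a time
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, 0o600, dir_fd=fd)
    finally:
        os.close(fd)

def read_in_sandbox(root, relpath: str) -> bytes:
    with os.fdopen(open_in_sandbox(root, relpath, os.O_RDONLY), "rb") as f:
        return f.read()

def simulate_race() -> dict:
    """Constructed scenario: notes.txt inside the sandbox is replaced by a symlink to
    an outside file during the check-then-open window."""
    root, outside = Path(tempfile.mkdtemp()), Path(tempfile.mkdtemp())
    secret, victim = outside / "secret.txt", root / "notes.txt"
    secret.write_bytes(b"outside-secret")
    victim.write_bytes(b"inside-notes")
    def swap():
        victim.unlink()
        victim.symlink_to(secret)
    result = {"inside": read_in_sandbox(root, "notes.txt")}
    result["naive"] = naive_read(root, "notes.txt", after_check=swap)
    try:
        result["hardened"] = read_in_sandbox(root, "notes.txt")  # symlink now in place
    except OSError:
        result["hardened"] = b"refused"
    return result
```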

Combined Attack Chain

Entry point: malicious plugin / prompt injection / polluted external input
    ↓
Parallel theft path:
  CVE‑2026‑44113 → read system files / credentials via symlink
  CVE‑2026‑44115 → leak environment variables via heredoc
    ↓
Privilege‑escalation path:
  CVE‑2026‑44118 → become owner, control Agent
    ↓
Persistence path:
  CVE‑2026‑44112 → write backdoor, alter future Agent behavior

Each step appears as normal Agent activity, leaving no obvious trace in security logs.

Attack Entry Points

Malicious plugin: OpenClaw’s plugin system allows third‑party extensions. A crafted plugin installed in the sandbox gains code‑execution rights inside the Agent.

Prompt injection: An attacker embeds a specially crafted prompt in user input, API responses or documentation. A single malicious email was demonstrated to cause OpenClaw to exfiltrate a private SSH key without the owner’s knowledge.

Polluted supply‑chain input: OpenClaw connects to external data sources (databases, APIs, message queues, file stores). If any upstream source is compromised, malicious content flows into the Agent’s processing pipeline.

Why Detection Is Hard

Traditional security tools look for anomalous behavior (unexpected file accesses, suspicious network connections). The Claw Chain attack uses the Agent’s legitimate permissions and normal operation patterns, making it indistinguishable from benign activity in logs.

Exposure Landscape

Shodan and ZoomEye scans as of May 2026 discovered roughly 245 000 publicly exposed OpenClaw instances without authentication:

Shodan: ~65 000 instances

ZoomEye: ~180 000 instances

Total: ~245 000 instances

High‑risk sectors are financial services, healthcare and legal services, where Agents handle transaction data, PHI or confidential legal documents.

Patch Status

All four vulnerabilities were fixed on 2026‑04‑23 by the OpenClaw maintainers. Corresponding GitHub Security Advisories:

CVE‑2026‑44112 → GHSA‑5h3g‑6xhh‑rg6p (CVSS 9.6, sandbox write escape)

CVE‑2026‑44115 → GHSA‑wppj‑c6mr‑83jj (CVSS 8.8, environment‑variable leak)

CVE‑2026‑44118 → GHSA‑r6xh‑pqhr‑v4xh (CVSS 7.8, privilege escalation)

CVE‑2026‑44113 → GHSA‑x3h8‑jrgh‑p8jx (CVSS 7.7, sandbox read escape)

24‑Hour Emergency Action Checklist

Patch immediately. Upgrade to a version released on or after 2026‑04‑23.

Rotate all credentials. Regenerate API keys, OAuth tokens and database passwords assuming they may have been leaked.

Identify exposed instances. Use Shodan or internal asset inventories to locate public OpenClaw deployments and apply authentication or firewall protection.

Audit Agent access scope. Review data and actions each Agent can access; enforce least‑privilege defaults.

Long‑Term Hardening Recommendations

Treat Agents as privileged service accounts and apply the same lifecycle and access‑control policies.

Audit all plugins and supply‑chain inputs; restrict plugin installation to vetted code.

Network isolation: place OpenClaw deployments in dedicated subnets with strict egress controls.

Epilogue – AI Agent Security Maturity

From late 2025 to early 2026, the following statistics were observed:

~1 000 exposed OpenClaw instances discovered without authentication.

512 reported vulnerabilities, including 8 high‑severity CVEs.

36 % of plugins in the ClawHub marketplace contain security flaws.

23 vulnerabilities reported in a single day (19 Feb 2026).

The Ministry of Industry and Information Technology issued a special security alert.

These figures illustrate that AI Agent security models are still immature: developers prioritize functionality, enterprises prioritize efficiency, and traditional security tools focus on classic IT workloads, leaving autonomous AI agents largely unprotected.

Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contact admin@besthub.dev and we will review it promptly.
