OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers to Attack

A chain of four critical vulnerabilities discovered in OpenClaw, one of the fastest-growing open-source platforms for autonomous AI agents, has left an estimated 245,000 publicly accessible server instances exposed to remote exploitation, credential theft, and persistent backdoor installation.

Originally launched as “Clawdbot” in late 2025, OpenClaw connects large language models directly to filesystems, SaaS applications, credentials, and execution environments.

Enterprises have rapidly adopted it for IT automation, customer service pipelines, and operational integrations with platforms like Telegram, Discord, and Microsoft Agent 365. That broad, privileged access makes it an exceptionally high-value target.

Cyera’s research team identified the four previously undisclosed vulnerabilities and disclosed them to OpenClaw maintainers in April 2026. All four have since been patched.

Claw Chain OpenClaw Vulnerabilities

• CVE-2026-44112 (CVSS 9.6 – Critical): A time-of-check/time-of-use (TOCTOU) race condition in the OpenShell sandbox allows attackers to redirect write operations outside the sandbox boundary, enabling configuration tampering and persistent backdoor placement on the host.
• CVE-2026-44115 (CVSS 8.8 – High): A gap between OpenClaw’s command validation and shell execution allows environment variables — including API keys, tokens, and credentials — to leak through unquoted heredocs that appear safe at validation time.
• CVE-2026-44118 (CVSS 7.8 – High): OpenClaw blindly trusts a client-controlled ownership flag (senderIsOwner) without cross-referencing the authenticated session, allowing a local process with a valid bearer token to escalate to owner-level control over gateway configuration, scheduling, and execution management.
• CVE-2026-44113 (CVSS 7.7 – High): The same TOCTOU race condition pattern in read operations lets attackers swap validated file paths with symbolic links pointing outside the allowed mount root, exposing system files and internal artifacts the agent was never meant to access.

While each flaw carries its own weight, their combined effect, dubbed “Claw Chain” by Cyera, is far more alarming.

From a single foothold, such as a malicious plugin, prompt injection, or compromised external input, an attacker can chain three vulnerabilities in parallel:

1. Foothold – Gain code execution inside the OpenShell sandbox via a malicious plugin or prompt injection
2. Exfiltration – Use CVE-2026-44113 and CVE-2026-44115 to harvest credentials, secrets, and sensitive files
3. Privilege Escalation – Exploit CVE-2026-44118 to elevate to owner-level control of the agent runtime
4. Persistence – Deploy CVE-2026-44112 to plant backdoors and modify future agent behavior

What makes this chain especially dangerous is that the attacker weaponizes the AI agent’s own privileges. Each step mimics normal agent behavior, making detection significantly harder for traditional security controls.

Shodan and ZoomEye scans as of May 2026 reveal approximately 65,000 and 180,000 publicly accessible OpenClaw instances, respectively, totaling roughly 245,000 exposed servers.

Enterprises in financial services, healthcare, and legal sectors face the highest risk, particularly where agent workflows process PII, PHI, or privileged credentials.

Organizations running OpenClaw should treat this as a Priority 1 advisory:

• Patch immediately by applying the April 23, 2026, fixes covering GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx.
• Rotate all secrets — assume any environment variable or credential reachable by OpenClaw processes may already be compromised.
• Identify exposed instances using Shodan scans or internal asset inventory and place them behind authentication or firewall controls.
• Audit agent access and treat OpenClaw deployments as privileged identities subject to the same lifecycle controls as service accounts.