OpenClaw Chain Vulnerabilities Expose Public AI Agent Servers to Attack

Security researchers have disclosed four chainable vulnerabilities in OpenClaw that can let attackers steal credentials, escape sandbox limits, escalate privileges, and plant persistent backdoors on affected AI agent servers.

Cyera named the combined attack path Claw Chain. The flaws affect OpenClaw versions before 2026.4.22, and patches were released after the issues were reported to the maintainers in April 2026.

The risk is high because OpenClaw agents often connect large language models to local files, execution tools, SaaS accounts, messaging platforms, and sensitive credentials. If attackers compromise the agent runtime, they may use the agent’s own permissions to reach data and systems that normal malware would struggle to access.

What Cyera found in OpenClaw

Cyera Research identified four vulnerabilities across OpenClaw’s sandbox, execution validation, filesystem access, and owner-context handling.

The most serious flaw, CVE-2026-44112, is a time-of-check/time-of-use race condition in OpenShell filesystem writes. It can let attackers redirect writes outside the intended sandbox mount root and modify files that should remain out of reach.

The other three flaws can expose files, leak secrets through command execution behavior, and let a local process escalate to owner-level control over parts of the agent runtime.

CVE	Issue	Reported severity	Main impact
CVE-2026-44112	OpenShell filesystem write race	Critical, 9.6 by Cyera	Sandbox escape, configuration tampering, backdoor placement
CVE-2026-44115	Exec allowlist heredoc expansion flaw	High	Unapproved command execution and secret exposure
CVE-2026-44118	MCP loopback owner context spoofing	High	Owner-level control over gateway and runtime functions
CVE-2026-44113	OpenShell filesystem read race	High by Cyera, Moderate in GitHub advisory data	Reading files outside the intended mount root

How the Claw Chain attack works

The attack does not depend on one single bug. It becomes more dangerous because an attacker can combine several weaker boundaries inside the AI agent environment.

A likely starting point could include a malicious plugin, prompt injection, compromised external input, or another path that gives code execution inside the OpenShell sandbox.

From there, attackers can use the read and execution flaws to harvest secrets, then use the owner-context bug to gain broader control, and finally use the write race condition to persist on the host.

1. Gain code execution inside the OpenShell sandbox through a malicious plugin or compromised input.
2. Use CVE-2026-44113 to read sensitive files outside the intended mount root.
3. Use CVE-2026-44115 to expose environment variables, API keys, and tokens.
4. Use CVE-2026-44118 to elevate to owner-level runtime control.
5. Use CVE-2026-44112 to modify configuration files or plant persistent backdoors.

Why AI agent servers create a larger blast radius

OpenClaw is designed to help AI agents take real actions. That can include reading files, running tools, scheduling tasks, connecting to chat platforms, and interacting with enterprise services.

Those capabilities make the platform useful, but they also make compromise more damaging. An attacker does not only target a web service. They target an agent that may already hold credentials, session tokens, prompts, outputs, configuration data, and access to connected systems.

This is why Claw Chain matters for enterprises using AI agents for IT automation, support workflows, developer tooling, customer operations, or SaaS integrations.

• AI agents may store or access API keys, bearer tokens, and service credentials.
• Agent prompts and outputs may include sensitive business data.
• Connected plugins can expand access into SaaS tools and internal systems.
• Automation privileges can make malicious actions look like normal agent behavior.
• Traditional security tools may struggle to separate trusted agent activity from abuse.

Public exposure increases the urgency

Cyera reported about 65,000 publicly accessible OpenClaw instances in Shodan and about 180,000 in ZoomEye as of May 2026.

Those figures should be treated as exposure indicators rather than a confirmed count of unique vulnerable servers. Internet scan engines can overlap, and exposed instances may vary by geography, timing, banner quality, and network visibility.

Even with that caution, the scale is significant. Any OpenClaw deployment exposed to the public internet without authentication or firewall controls should receive immediate attention.

Exposure source	Reported count	How to treat it
Shodan	About 65,000 public-facing instances	External exposure signal
ZoomEye	About 180,000 public-facing instances	External exposure signal
Combined figure	Up to 245,000 scan results	Not confirmed as unique servers

What attackers can steal or change

A successful chain can expose data from the agent runtime, host filesystem, and connected enterprise services.

The most immediate risk is credential theft. Environment variables, bearer tokens, API keys, configuration files, and internal runtime artifacts may all be reachable if an attacker gains enough control.

The persistence risk is also serious. With filesystem write escape, attackers may alter configuration or future agent behavior, turning a compromised agent into a long-term foothold.

• Environment variables containing API keys and tokens.
• Bearer credentials and session material.
• Internal configuration and runtime files.
• Files outside the intended sandbox mount root.
• Source code, documentation, and local artifacts.
• User prompts, outputs, and conversation history.
• Privileged scheduling and gateway operations.

Who faces the highest risk

Organizations using OpenClaw for production automation face the highest exposure. This includes IT support agents, customer service workflows, internal developer assistants, and operations bots connected to messaging platforms.

Regulated industries face additional risk because agent prompts and outputs may contain personal data, health data, financial information, client records, or legal material.

Public-facing deployments without strong authentication, network controls, logging, and secret separation should be treated as urgent remediation targets.

Environment	Risk level	Reason
Public OpenClaw instance without access controls	Very high	Attackers can reach the service directly
Enterprise agent connected to SaaS tools	High	Compromise may expose tokens and business data
Agent with filesystem and shell access	High	Sandbox escapes can reach local host resources
Development or test instance with real secrets	High	Lower-security environments often contain production credentials
Internal-only instance with strict segmentation	Lower	Exposure depends on internal access and agent permissions

Patches and advisories are available

OpenClaw patched the issues in version 2026.4.22. Administrators should update all deployments running 2026.4.21 or older.

The advisories tied to the patch set include GHSA-5h3g-6xhh-rg6p for the filesystem read race, GHSA-wppj-c6mr-83jj for the filesystem write race, GHSA-r6xh-pqhr-v4xh for the MCP owner-context issue, and GHSA-x3h8-jrgh-p8jx for the exec allowlist issue.

Teams should not stop at updating the package. If an exposed OpenClaw instance handled secrets before patching, those secrets may need rotation.

What administrators should do now

Organizations should first find every OpenClaw deployment. This includes cloud instances, developer workstations, lab servers, staging environments, production agents, and systems deployed by business units outside central IT.

Next, update to OpenClaw 2026.4.22 or later. After patching, review which credentials the agent could access and rotate sensitive tokens that may have been reachable.

Administrators should also place OpenClaw behind authentication, restrict public exposure, and reduce the agent’s permissions to the smallest set required for its workflow.

1. Inventory all OpenClaw instances across cloud, endpoints, labs, and production environments.
2. Update OpenClaw to version 2026.4.22 or later.
3. Identify internet-facing instances and move them behind authentication or firewall controls.
4. Rotate API keys, bearer tokens, SaaS credentials, and environment secrets reachable by OpenClaw.
5. Review installed plugins, external prompts, and third-party inputs feeding agent workflows.
6. Restrict who can install or update OpenClaw plugins.
7. Segment OpenClaw deployments from sensitive internal networks.
8. Limit outbound access to approved services and block unnecessary egress paths.
9. Apply service-account style lifecycle controls to AI agents.
10. Monitor for unexpected configuration changes, new scheduled tasks, and unusual file reads or writes.

Detection and response guidance

Security teams should review OpenClaw logs for unusual filesystem access, unexpected plugin execution, suspicious shell commands, and changes to gateway configuration.

They should also search for signs of secret access or exfiltration. That includes unexpected reads of environment files, credential stores, source directories, configuration folders, and prompt history.

If compromise is suspected, teams should isolate the instance, preserve logs, rotate secrets, review connected SaaS audit logs, and check whether the agent changed future workflows or scheduled tasks.

• Unexpected symlink activity inside OpenShell-controlled paths.
• Reads from files outside the intended sandbox root.
• Writes to configuration files or startup paths.
• Unusual heredoc commands or shell expansion behavior.
• Changes to owner-only settings from local loopback clients.
• New plugins, modified prompts, or altered scheduled workflows.
• Outbound traffic to unknown destinations after agent execution.
• Access to environment variables, tokens, or secret files outside normal workflows.

The broader AI agent security lesson

Claw Chain shows why AI agent platforms need stricter controls than ordinary web apps. An agent can read, act, schedule, execute, and connect across multiple systems by design.

That makes agent compromise more similar to service-account compromise than a single application bug. The attacker may inherit the agent’s identity, tools, memory, and connected permissions.

Enterprises should treat AI agents as privileged identities. That means clear ownership, least privilege, strong authentication, network segmentation, plugin review, audit logging, secret rotation, and rapid patching when advisories appear.

FAQ