
Patched OpenClaw Vulnerability Allows Hackers to Hijack AI Agents


Chainable Bugs Enable Credential Theft, Persistence, Takeover

Researchers at Cyera have discovered a series of vulnerabilities in OpenClaw, an open-source platform designed for autonomous artificial intelligence (AI) agents. This chain of interconnected flaws, referred to as "Claw Chain," poses substantial security threats, enabling hackers to progress from initial foothold access to full system control. The vulnerabilities can be leveraged to steal user credentials, implant backdoors and compromise system integrity. All four flaws have been patched, but they highlight significant issues within the security architecture of such platforms.

The most critical of these flaws is tracked as CVE-2026-44112 and carries a near-maximal Common Vulnerability Scoring System (CVSS) score of 9.6. It stems from a timing gap within the platform’s sandboxed execution environment. Although the software checks commands for safety before executing them, the flaw permits an attacker to manipulate the target in the brief interval between validation and execution. As a result, attackers can redirect write operations outside the bounds of the sandbox, tamper with system configurations, and establish persistent backdoors on the host machine.

The three remaining vulnerabilities complement it and can be chained together to extend the attacker’s capabilities. CVE-2026-44115 takes advantage of a gap between OpenClaw’s command validation and its shell execution process, exposing environment variables through seemingly safe commands. CVE-2026-44118 allows local processes holding valid authentication tokens to elevate themselves to owner-level control over the agent’s gateway configuration, because OpenClaw fails to verify a client-controlled ownership flag against the authenticated session. CVE-2026-44113 mirrors the first flaw: an attacker can swap validated file paths with redirect pointers that lead outside permitted directory boundaries, exposing sensitive system files and internal credentials.
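The check-then-use gap described for CVE-2026-44112 and CVE-2026-44113, as an added illustration of the bug class and its fix (not OpenClaw's code and not Cyera's proof of concept). The function names, the `gap` callback, the directory layout and the use of a symbolic link as the "redirect pointer" are all assumptions constructed for this example.

```python
import os
import tempfile

def write_checked_then_opened(root, rel, data, gap=lambda: None):
    """Flawed pattern: validate the path by name, then open it by name again."""
    base = os.path.realpath(root)
    target = os.path.join(root, rel)
    if os.path.commonpath([os.path.realpath(target), base]) != base:
        raise PermissionError("path leaves the sandbox")
    gap()  # constructed hook: whatever else runs between check and use
    with open(target, "w") as f:  # second name lookup; may differ from the check
        f.write(data)

def write_anchored(root, rel, data, gap=lambda: None):
    """Hardened: walk from a directory fd, refusing symlinks at every component."""
    parts = rel.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise PermissionError("unsupported path component")
    gap()
    dfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for p in parts[:-1]:
            nxt = os.open(p, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dfd)
            os.close(dfd)
            dfd = nxt
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(parts[-1], flags, 0o600, dir_fd=dfd)
    finally:
        os.close(dfd)
    with os.fdopen(fd, "w") as f:
        f.write(data)

def demo():
    """Constructed scenario: sandbox/work becomes a symlink during the gap."""
    escaped = {}
    for writer in (write_checked_then_opened, write_anchored):
        with tempfile.TemporaryDirectory() as tmp:
            root, outside = os.path.join(tmp, "sandbox"), os.path.join(tmp, "outside")
            os.makedirs(os.path.join(root, "work"))
            os.mkdir(outside)
            def swap():
                os.rmdir(os.path.join(root, "work"))
                os.symlink(outside, os.path.join(root, "work"))
            try:
                writer(root, "work/out.txt", "data", gap=swap)
            except OSError:  # includes PermissionError and ELOOP/ENOTDIR
                pass
            escaped[writer.__name__] = os.path.exists(os.path.join(outside, "out.txt"))
    return escaped
```

`demo()` reports, per writer, whether the file landed outside the sandbox. The anchored version has no separate validation step to race, because the checks are enforced by the same `open` calls that produce the descriptor that is written to.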

As Cyera emphasizes, exploiting these vulnerabilities lets adversaries move through data access, privilege escalation, and persistence, effectively weaponizing the agents’ own privileges to conduct malicious operations. Each of these steps could be mistaken for normal agent behavior by traditional security controls, greatly complicating detection efforts.

Justin Fier, senior vice president of offensive security at Darktrace, articulated the severity of these vulnerabilities, describing the architecture of tools like OpenClaw as nearly ideal for undetected intrusion. Fier pointed out that the agent’s elevated access could let intruders operate within the same permissions and workflows that users have authorized, thus facilitating network-wide exploitation.

Data from scanning tools such as Shodan and ZoomEye has revealed alarming statistics: approximately 65,000 to 180,000 instances of OpenClaw exist online, with around 245,000 servers accessible via the internet. Many of these deployments, according to Cyera, lack essential security measures like authentication controls or network restrictions, creating a fertile ground for malevolent actors.

Launched under the name Clawdbot, OpenClaw was initially designed to streamline workflow automation, manage files, execute shell commands, and take autonomous actions. Rapid adoption of the platform led it to quickly become GitHub’s most-starred project, outpacing established libraries like React. This meteoric rise, however, has been shadowed by a wave of security concerns: over 500 GitHub Security Advisories have been logged against OpenClaw, relating to issues like command execution vulnerabilities, leaked API keys, and credentials susceptible to theft through indirect prompt manipulation, harmful skills, or unsecured endpoints.

Fier raises an additional concern, particularly regarding personal use of tools like OpenClaw. He emphasizes that reliance on such platforms can inadvertently pave the way for security vulnerabilities within corporate ecosystems. "For personal users, this is a privacy nightmare," Fier warns. "Many individuals may have granted these tools broad access to sensitive information, ranging from financial and health data to private files. The risk becomes significantly pronounced when these personal agents interact with work systems, credentials, or business devices, leading to a troubling question: Is the organization the ultimate target, or is the end user merely a means to infiltrate the organization?"

As these issues come to light, they’re a chilling reminder of the potential for widespread vulnerabilities in emerging technologies and the critical need for robust security measures. While OpenClaw has patched these vulnerabilities, the ongoing threat of exploitation underscores the importance of vigilance, especially in systems designed to operate autonomously. Cybersecurity practices must evolve alongside these technologies to mitigate risks effectively in the increasingly complex landscape of AI and machine learning.
