Researchers at Cyera disclosed four chainable vulnerabilities in OpenClaw, collectively named Claw Chain, that could allow attackers to escape AI agent sandboxes, steal credentials, escalate privileges, and establish persistent access across enterprise environments.
The findings raise broader concerns about the security risks surrounding autonomous AI agent platforms.
“Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder,” said the researchers.
Key Takeaways from the OpenClaw Findings
- Cyera disclosed four chainable OpenClaw vulnerabilities collectively named Claw Chain.
- The flaws could allow attackers to escape AI agent sandboxes, steal credentials, escalate privileges, and establish persistence.
- The most severe vulnerability, CVE-2026-44112, received a CVSS score of 9.6.
- Researchers also identified up to 180,000 internet-facing OpenClaw deployments exposed online.
- Cyera warned that attackers could abuse legitimate AI agent workflows to evade traditional security controls.
OpenClaw Claw Chain Vulnerabilities at a Glance
| CVE | Vulnerability Type | CVSS Score | Potential Impact |
|---|---|---|---|
| CVE-2026-44112 | TOCTOU filesystem write escape | 9.6 Critical | Sandbox escape, backdoor placement, persistent access |
| CVE-2026-44115 | Environment variable disclosure | 8.8 High | Exposure of API keys, tokens, and credentials |
| CVE-2026-44118 | MCP Loopback privilege escalation | 7.8 High | Owner-level access to runtime and configurations |
| CVE-2026-44113 | TOCTOU filesystem read escape | 7.7 High | Exposure of sensitive files and internal artifacts |
Inside the Claw Chain Vulnerabilities
OpenClaw is a widely used open-source platform that connects AI agents to filesystems, SaaS applications, credentials, and enterprise workflows.
The platform is commonly used for IT automation, operational integrations, and customer-service workflows tied to platforms such as Telegram, Discord, and Microsoft Agent 365.
While these integrations improve automation capabilities, they also create a larger attack surface if the platform is compromised.
According to Cyera, approximately 65,000 publicly accessible OpenClaw instances were identified through Shodan, while Zoomeye indexed roughly 180,000 internet-facing deployments as of May 2026.
Researchers warned that internet-facing OpenClaw environments without strong access controls or network segmentation may face elevated risk because AI agents often operate with broad privileges.
Successful exploitation could allow attackers to steal credentials, internal files, prompts, and sensitive enterprise data while disguising malicious activity as normal agent behavior.
CVE-2026-44112: TOCTOU Filesystem Write Escape
The most severe vulnerability identified by Cyera is CVE-2026-44112, a critical time-of-check/time-of-use (TOCTOU) filesystem write escape flaw affecting the OpenShell sandbox. The vulnerability received a CVSS score of 9.6.
Researchers found that attackers could exploit a race condition in the sandbox validation process to redirect file writes outside the intended sandbox boundary.
This allows malicious actors to tamper with configurations, plant backdoors, modify agent behavior, and potentially establish persistent control over the host environment.
Because OpenClaw agents can automatically write files and execute actions at runtime, the impact of the vulnerability may be amplified in highly automated enterprise environments.
CVE-2026-44113: TOCTOU Filesystem Read Escape
Cyera also identified CVE-2026-44113, a high-severity TOCTOU filesystem read escape vulnerability with a CVSS score of 7.7.
The flaw allows attackers to swap a validated file path with a symbolic link pointing outside the approved sandbox mount root after the validation process completes.
Successful exploitation could expose system files, credentials, internal documentation, source code, and other sensitive artifacts that the AI agent was never intended to access.
Researchers warned that this vulnerability could increase the risk of credential theft and sensitive data exposure inside enterprise environments running OpenClaw.
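Both TOCTOU flaws share the same shape: a path is validated at one moment and opened by name at a later one, and the kernel resolves the name again at open time. The following is an added example, not OpenClaw or Cyera code, that replays that sequence deterministically (validate, swap the file for a symlink, then use) and contrasts it with a hardened open that walks each component with `O_NOFOLLOW` relative to a directory descriptor, so the check and the use are the same system call. The function names, the sandbox layout and the "host secret" file are constructed for the demonstration.

```python
import errno
import os
import tempfile

# Added example (not OpenClaw code). Function and file names here are
# hypothetical; the sandbox layout and the host secret are constructed.


def validate_path(root: str, rel: str) -> str:
    """Check-then-use pattern: resolve the path now, return a name to open later.

    The check is correct at the moment it runs, but the returned name is
    resolved again by the kernel at open time. Anything that replaces the
    file in between (for example with a symlink) is invisible to this check.
    """
    full = os.path.join(root, rel)
    real_root = os.path.realpath(root)
    if not os.path.realpath(full).startswith(real_root + os.sep):
        raise PermissionError(f"{rel!r} resolves outside the sandbox")
    return full


def sandbox_open(root: str, rel: str, flags: int, mode: int = 0o644) -> int:
    """Open rel under root without ever following a symlink.

    Each component is opened relative to the previous directory descriptor
    with O_NOFOLLOW, so there is no window in which the path can be swapped
    between validation and use. Parent traversal is rejected outright.
    Returns a file descriptor the caller must close.
    """
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(f"rejected path {rel!r}")
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)


def demo() -> dict:
    """Replay the race step by step: validate, swap, then use."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "sandbox")
        os.makedirs(os.path.join(root, "work"))
        secret = os.path.join(tmp, "host_secret.txt")  # outside the sandbox
        with open(secret, "w") as f:
            f.write("API_KEY=constructed-sample-value\n")
        target = os.path.join(root, "work", "notes.txt")
        with open(target, "w") as f:
            f.write("agent notes\n")

        # 1. Validation runs while notes.txt is an ordinary file inside root.
        checked = validate_path(root, "work/notes.txt")

        # 2. Between check and use the file is replaced by a link out of root.
        os.remove(target)
        os.symlink(secret, target)

        # 3a. Naive use opens the validated *name*; the kernel follows the link.
        with open(checked) as f:
            naive_read = f.read()

        # 3b. Hardened use refuses the link for both a read and a write attempt.
        results = {"naive_read": naive_read}
        for label, flags in (("hardened_read", os.O_RDONLY),
                             ("hardened_write", os.O_WRONLY | os.O_CREAT)):
            try:
                fd = sandbox_open(root, "work/notes.txt", flags)
                os.close(fd)
                results[label] = "opened"
            except OSError as e:
                results[label] = errno.errorcode.get(e.errno, "error")

        with open(secret) as f:
            results["secret_intact"] = f.read() == "API_KEY=constructed-sample-value\n"
        return results


if __name__ == "__main__":
    print(demo())
```

The hardened variant reports `ELOOP` on Linux for both attempts: the read never reaches the host file and the write never touches it. The same descriptor-relative walk is what a sandbox should use for every file operation it performs on an agent's behalf, rather than re-validating a string and hoping the filesystem has not changed.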
CVE-2026-44115: Execution Allowlist Environment Variable Disclosure
Another high-severity vulnerability, CVE-2026-44115, received a CVSS score of 8.8 and impacts OpenClaw’s command validation and shell execution processes.
Researchers discovered that gaps between execution allowlist validation and shell processing allow environment variables to be expanded inside unquoted heredocs at execution time, after the allowlist check has already passed.
This behavior could expose API keys, access tokens, credentials, and other secrets through commands that initially appear safe during validation.
Because OpenClaw environments often store authentication material and API credentials in environment variables, attackers could potentially extract sensitive secrets without triggering traditional security controls.
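The gap described above is between what a validator inspects (typically the leading program name) and what the shell does with the rest of the input. The following added example, which is not OpenClaw or Cyera code, shows a naive allowlist accepting a command whose unquoted heredoc body the shell later expands, a hardened validator that rejects unquoted heredoc delimiters, and an environment scrub as a second layer so the child process sees no secrets even if a check is bypassed. The allowlist, function names and sample commands are hypothetical and the token value is constructed; it runs the commands under `/bin/sh`.

```python
import re
import subprocess

# Added example (not OpenClaw code). The allowlist, validator names and sample
# commands are hypothetical; the token value is constructed.

ALLOWED_COMMANDS = {"cat", "echo", "ls"}

# A heredoc delimiter written <<'EOF' or <<"EOF" makes the body literal.
# An unquoted <<EOF body undergoes parameter expansion when the shell runs it.
HEREDOC_RE = re.compile(r"<<-?\s*(?P<q>['\"]?)(?P<delim>\w+)(?P=q)")


def naive_allowlist_check(command: str) -> bool:
    """Checks only the leading program name, as a typical allowlist does."""
    words = command.strip().split()
    return bool(words) and words[0] in ALLOWED_COMMANDS


def unquoted_heredocs(command: str) -> list:
    """Delimiters of every heredoc whose body the shell would expand."""
    return [m.group("delim") for m in HEREDOC_RE.finditer(command) if m.group("q") == ""]


def hardened_allowlist_check(command: str) -> tuple:
    """Same allowlist, plus rejection of constructs the shell expands later."""
    if not naive_allowlist_check(command):
        return False, "program not in allowlist"
    delims = unquoted_heredocs(command)
    if delims:
        return False, f"unquoted heredoc delimiter(s) {delims}: body would be expanded"
    return True, "ok"


def scrubbed_env(env: dict, keep=("PATH",)) -> dict:
    """Second layer: even if validation is bypassed, the child sees no secrets."""
    return {k: v for k, v in env.items() if k in keep}


def run_in_shell(command: str, env: dict) -> str:
    """Run under /bin/sh the way an agent executor would; returns stdout."""
    proc = subprocess.run(["/bin/sh", "-c", command], env=env,
                          capture_output=True, text=True, check=True)
    return proc.stdout


# Constructed sample commands: identical except for the heredoc delimiter quoting.
UNQUOTED = "cat <<EOF\ntoken=$AGENT_TOKEN\nEOF\n"
QUOTED = "cat <<'EOF'\ntoken=$AGENT_TOKEN\nEOF\n"
AGENT_ENV = {"PATH": "/usr/bin:/bin", "AGENT_TOKEN": "constructed-secret-123"}


def demo() -> dict:
    return {
        "naive_accepts_unquoted": naive_allowlist_check(UNQUOTED),
        "hardened_unquoted": hardened_allowlist_check(UNQUOTED),
        "hardened_quoted": hardened_allowlist_check(QUOTED),
        "unquoted_output": run_in_shell(UNQUOTED, AGENT_ENV),
        "quoted_output": run_in_shell(QUOTED, AGENT_ENV),
        "unquoted_scrubbed_output": run_in_shell(UNQUOTED, scrubbed_env(AGENT_ENV)),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, repr(v))
```

The point of the scrub is that validators of shell syntax are never complete (command substitution, `$(...)`, backticks and `eval` are further expansion paths), so the executor should not hold secrets in the process environment at all: inject credentials at the integration boundary instead, and keep the allowlist as defence in depth rather than the only control.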
CVE-2026-44118: MCP Loopback Privilege Escalation
The fourth vulnerability, CVE-2026-44118, is a privilege escalation flaw with a CVSS score of 7.8 affecting OpenClaw’s MCP loopback functionality.
According to researchers, OpenClaw improperly trusts a client-controlled ownership flag called senderIsOwner without validating it against the authenticated session.
Attackers with access to a valid bearer token could exploit the flaw to elevate privileges to owner-level access.
Successful exploitation could provide attackers with control over gateway configuration, cron scheduling, execution environment management, and other privileged runtime operations tied to the AI agent infrastructure.
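The defect described for CVE-2026-44118 is an authorization decision made from a field the caller controls instead of from the authenticated session. The following added example, not OpenClaw or Cyera code, shows the two decision paths side by side on a constructed session store, plus a small detection hook that flags any request whose claimed `senderIsOwner` disagrees with the session's actual role. The session store, request shape, operation names and tokens are hypothetical.

```python
import hmac

# Added example (not OpenClaw code). The session store, request shape,
# operation names and tokens are hypothetical and constructed.

PRIVILEGED_OPS = {"gateway.config.write", "cron.schedule", "exec_env.manage"}

# Constructed session store: bearer token -> authenticated principal.
SESSIONS = {
    "tok-owner-0001": {"principal": "alice", "role": "owner"},
    "tok-agent-0002": {"principal": "agent-bot", "role": "agent"},
}


def lookup_session(bearer: str):
    """Resolve a bearer token to its session; constant-time compare per entry."""
    for token, session in SESSIONS.items():
        if hmac.compare_digest(token, bearer):
            return session
    return None


def vulnerable_authorize(request: dict) -> bool:
    """Authenticates the token, then trusts the caller's own ownership claim."""
    session = lookup_session(request.get("bearer", ""))
    if session is None:
        return False
    if request["op"] in PRIVILEGED_OPS:
        return bool(request.get("senderIsOwner", False))
    return True


def hardened_authorize(request: dict) -> bool:
    """Derives ownership from the authenticated session; the claim is ignored."""
    session = lookup_session(request.get("bearer", ""))
    if session is None:
        return False
    if request["op"] in PRIVILEGED_OPS:
        return session["role"] == "owner"
    return True


def claim_mismatch(request: dict) -> bool:
    """Detection hook: True when a non-owner session asserts senderIsOwner.

    A legitimate client has no reason to send a claim its session cannot
    back, so this is a high-signal event to log and alert on.
    """
    session = lookup_session(request.get("bearer", ""))
    claimed = bool(request.get("senderIsOwner", False))
    return claimed and (session is None or session["role"] != "owner")


if __name__ == "__main__":
    req = {"bearer": "tok-agent-0002", "op": "cron.schedule", "senderIsOwner": True}
    print("vulnerable:", vulnerable_authorize(req))
    print("hardened:  ", hardened_authorize(req))
    print("mismatch:  ", claim_mismatch(req))
```

Running it shows an agent-role token with a forged claim being granted `cron.schedule` by the vulnerable path and refused by the hardened one, while the owner token is granted by both. The general rule is that every authorization attribute (role, ownership, tenant) is looked up server-side from the session the token was issued to, and client-supplied copies of those attributes are at most a detection signal.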
How the Claw Chain Attack Sequence Works
While each vulnerability presents meaningful risk individually, Cyera researchers emphasized that the real concern comes from chaining the flaws together into a coordinated attack sequence.
An attack could begin with a malicious plugin, prompt injection attack, or compromised external supply-chain input gaining code execution inside the OpenShell sandbox.
Attackers could then exploit CVE-2026-44113 and CVE-2026-44115 to extract credentials, secrets, and sensitive files beyond the agent’s intended scope.
Using CVE-2026-44118, attackers could escalate privileges to gain owner-level control over the OpenClaw runtime environment.
Finally, CVE-2026-44112 could be used to implant persistent backdoors, modify configurations, or alter future agent behavior to maintain long-term access.
Researchers warned that because the attack chain abuses legitimate AI agent workflows, malicious activity may appear as normal automation and evade traditional security tools.
Patches were released for all four vulnerabilities, and Cyera did not report any exploitation in the wild at the time of publication.
How Organizations Can Reduce AI Risk
Researchers recommend a layered security approach that includes limiting agent privileges, securing exposed environments, monitoring runtime activity, and reducing the impact of compromised credentials or plugins.
Organizations should also review how AI agents interact with sensitive systems and update incident response processes to account for AI-driven workflows.
- Apply the latest patches and identify any exposed internet-facing deployments.
- Restrict access to OpenClaw environments using authentication controls, MFA, firewall rules, and network segmentation.
- Rotate API keys, bearer tokens, and other credentials accessible to OpenClaw agents or connected workflows.
- Apply least-privilege access controls and use separate service accounts to limit agent access to sensitive systems and data.
- Audit plugins, prompts, SaaS integrations, and external supply-chain inputs connected to AI agent workflows.
- Monitor agent runtime activity for anomalous file access, privilege escalation, sandbox escape attempts, or suspicious outbound traffic.
- Test incident response plans with scenarios involving AI agents, credential theft, prompt injection, and autonomous system compromise.
These measures can help organizations improve resilience and reduce exposure across AI agent environments and connected enterprise systems.
AI Agents Expand Enterprise Risk
The Claw Chain vulnerabilities reflect broader security challenges emerging as organizations integrate autonomous AI agents into enterprise environments.
AI agents often operate with direct access to enterprise systems, APIs, credentials, and sensitive data while performing automated tasks that may appear legitimate to existing security controls.
Researchers noted that this level of access can create additional risk if vulnerabilities, compromised plugins, prompt injection attacks, or supply-chain issues allow attackers to abuse trusted agent workflows.
The findings also highlight the growing importance of AI governance, including stronger controls around agent permissions, runtime monitoring, third-party integrations, and identity management for agentic platforms.
