"By weaponizing the agent's own privileges, an adversary moves through data access, privilege escalation and persistence - using the agent as their hands inside the environment," Cyera said.
The Claw Chain: four linked CVEs that let attackers go from foothold to takeover
Researchers at Cyera described a sequence of four vulnerabilities in OpenClaw — together labeled "Claw Chain" — that could be chained to move an attacker from an initial foothold to persistent, system-level control. The four flaws affect all OpenClaw versions released before April 23 and have been patched, the company reported.
The most severe is CVE-2026-44112, which carries a near-maximum CVSS score of 9.6. The other three are CVE-2026-44115, CVE-2026-44118 and CVE-2026-44113. Cyera said that together these bugs enabled credential theft, persistence and full takeover by manipulating the platform’s validation and execution gaps.
How CVE-2026-44112 and its companions worked
CVE-2026-44112 exploited a timing gap in OpenClaw’s sandboxed execution: even when the software checked whether an action was safe, an attacker could manipulate the target between that safety check and the moment the action executed. That window permitted redirecting write operations outside the sandbox, tampering with system configuration and planting persistent backdoors on the host machine, Cyera reported.
The other flaws completed the chain. CVE-2026-44115 took advantage of a gap between OpenClaw's command validation and its shell execution to expose environment variables through commands that appeared safe at validation. CVE-2026-44118 allowed a locally running process with a valid authentication token to elevate itself to owner-level control over the agent's gateway configuration, scheduling and execution environment by trusting a client-controlled ownership flag without verifying it against the authenticated session. CVE-2026-44113 mirrored the first flaw on the read side: an attacker could swap a validated file path with a redirect pointer aimed outside the permitted directory boundary, exposing system files and internal credentials the agent was not intended to reach.
Scale and exposure: hundreds of thousands of reachable OpenClaw instances
Cyera’s scans of publicly accessible infrastructure using Shodan and ZoomEye as of May identified approximately 65,000 to 180,000 OpenClaw instances respectively — roughly 245,000 OpenClaw servers reachable from the public internet. Cyera warned that many of those deployments may lack authentication controls or network restrictions, increasing the risk that a chain like Claw Chain could be used at scale.
Justin Fier, senior vice president of offensive security at Darktrace, said the architecture of tools like OpenClaw makes them "an almost ideal vehicle for an attacker to move undetected." "In many ways, it is the perfect initial access point, and then the perfect tool to move throughout a network," Fier said. He added that if an attacker compromises an agent with that level of access, they may be able to operate through the same permissions and workflows the user has already granted.
OpenClaw’s trajectory and prior security signals
Originally launched as Clawdbot, OpenClaw allows users to automate workflows, manage files, execute shell commands and take autonomous actions. In three months after its launch it became GitHub's most-starred project, surpassing the React JavaScript library, the reporting noted.
The platform's rapid growth has been accompanied by frequent security disclosures: researchers have tracked more than 500 GitHub Security Advisories against the project, including issues tied to command execution, leaked plaintext API keys and credentials that threat actors can steal via indirect prompt manipulation, malicious skills or unsecured endpoints.
What this means for personal users, enterprises, and security teams
- Personal users: Justin Fier warned that "for personal users, this is a privacy nightmare." Many personal agents may have been granted broad access to financial data, health data, private files and other sensitive information, creating a rich target for credential theft and data exposure.
- Enterprises: Fier noted the enterprise risk arises when a personal agent touches work systems, work credentials or a business device. Cyera’s scans suggest hundreds of thousands of accessible instances that may lack basic access controls, raising the prospect that attackers could use compromised agents as a stepping-stone into corporate environments.
- Security teams: Cyera emphasized that each step of the Claw Chain “looks like normal agent behavior to traditional controls,” broadening blast radius and making detection significantly harder. Teams will need to account for validation/execution race conditions, ownership-flag trust issues and path-redirection on both read and write operations when assessing agent risk.
All four Claw Chain vulnerabilities have been patched. The factual record in this case now rests on two concurrent realities: a set of high-severity flaws that enabled escape, escalation and persistence, and a very large, publicly reachable deployment base that — if unpatched or poorly configured — could allow those flaws to be exploited widely. Whether patching keeps pace with exposure will determine whether these bugs remain a laboratory demonstration or become a prolific attack vector.
Read the original Cyera report and advisory: https://www.govinfosecurity.com/patched-openclaw-flaw-let-hackers-hijack-ai-agents-a-31720




