OpenClaw 'Claw Chain' Flaws Let Attackers Steal Data and Plant Backdoors
Cyera discloses four chainable OpenClaw vulnerabilities (CVE-2026-44112 through 44118) exposing 245,000 servers to credential theft, privilege escalation, and persistent access.
Researchers at Cyera have disclosed four chainable vulnerabilities in OpenClaw, the popular AI agent orchestration platform, that allow attackers to steal credentials, escalate privileges, and maintain persistent access to compromised systems. Collectively dubbed "Claw Chain," the flaws affect an estimated 245,000 publicly accessible OpenClaw instances.
The vulnerabilities have been patched in versions released after April 23, 2026. Organizations running earlier versions should update immediately.
The Four Vulnerabilities
Cyera's research identified four distinct flaws that, when chained together, enable a complete compromise sequence from initial foothold to persistent backdoor.
CVE-2026-44112 (CVSS 9.6 Critical) - Filesystem Write Escape
A time-of-check to time-of-use (TOCTOU) race condition in OpenShell allows attackers to redirect file writes beyond sandbox boundaries. This enables backdoor placement and host configuration tampering.
CVE-2026-44113 (CVSS 7.7 High) - Filesystem Read Escape
A similar TOCTOU race condition in read operations lets attackers swap symbolic links to access files outside intended mount roots. Sensitive system files and credentials become readable.
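The check-then-use pattern behind both TOCTOU flaws above, as an added Python example (not OpenClaw or Cyera code): `naive_read` validates a path and then reopens it by name, while `safe_read` resolves each component with `O_NOFOLLOW` relative to a directory descriptor, so the open itself is the check. The function names, the `racer` hook and the temporary directory layout are constructed for illustration; the same approach applies to writes.

```python
import os
import tempfile
from pathlib import Path

def naive_read(root, rel, racer=lambda: None):
    """Check-then-use: validate the path string, then reopen it by name."""
    path = os.path.join(root, rel)
    if not os.path.realpath(path).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError("outside root")
    racer()  # stands in for a concurrent process acting inside the race window
    with open(path, "rb") as f:  # follows whatever the name points at now
        return f.read()

def safe_read(root, rel):
    """Walk rel from the root one component at a time, never following symlinks."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("path escapes root")
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        fd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=dir_fd)
    except OSError as exc:
        raise PermissionError(f"refused {rel!r}: {exc.strerror}") from exc
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "rb") as f:
        return f.read()

def demo():
    """Constructed layout: <tmp>/root/work/out.txt, with <tmp>/secret.txt outside the root."""
    base = Path(tempfile.mkdtemp())
    root, secret, target = base / "root", base / "secret.txt", base / "root/work/out.txt"
    target.parent.mkdir(parents=True)
    target.write_bytes(b"sandbox data")
    secret.write_bytes(b"host secret")
    def swap():  # the file that passed the check becomes a symlink out of the root
        target.unlink()
        target.symlink_to(secret)
    before = safe_read(str(root), "work/out.txt")
    leaked = naive_read(str(root), "work/out.txt", swap)
    try:
        after = safe_read(str(root), "work/out.txt")
    except PermissionError:
        after = None  # symlink refused instead of followed
    return before, leaked, after
```

On Linux 5.6 and later, `openat2()` with `RESOLVE_BENEATH` gives the same guarantee in a single system call.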
CVE-2026-44115 (CVSS 8.8 High) - Environment Variable Disclosure
Gaps in command validation allow environment variables containing API keys and tokens to expand within unquoted heredocs. Credentials configured as environment variables get exposed during command execution.
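An added Python example (not OpenClaw's validator) of the shell rule a command check has to model here: a heredoc body undergoes variable expansion unless any part of its delimiter is quoted. The function names, the sensitive-name pattern and the sample scripts are constructed; command substitution inside the body is not covered.

```python
import re

# "<<" or "<<-" followed by the delimiter word; "<<<" here-strings are excluded.
HEREDOC = re.compile(r"(?<!<)<<(?!<)(-?)[ \t]*([^\s;|&<>()]+)")
# $NAME or ${NAME...}, ignoring a backslash-escaped dollar sign.
EXPANSION = re.compile(r"(?<!\\)\$(?:\{(\w+)|(\w+))")
SENSITIVE = re.compile(r"KEY|TOKEN|SECRET|PASSWORD", re.I)  # assumed naming policy

def expanding_heredoc_vars(script):
    """Return variable names the shell will expand inside unquoted heredoc bodies."""
    found, lines, i = [], script.splitlines(), 0
    while i < len(lines):
        m = HEREDOC.search(lines[i])
        i += 1
        if not m:
            continue
        strip_tabs, word = m.group(1) == "-", m.group(2)
        quoted = any(c in word for c in "'\"\\")  # any quoting disables expansion
        delim = re.sub(r"['\"\\]", "", word)
        while i < len(lines):
            body = lines[i].lstrip("\t") if strip_tabs else lines[i]
            i += 1
            if body == delim:
                break
            if not quoted:
                found += [a or b for a, b in EXPANSION.findall(body)]
    return found

def secret_exposures(script):
    """Subset of expanding variables whose names look like credentials."""
    return [v for v in expanding_heredoc_vars(script) if SENSITIVE.search(v)]

# Constructed samples: same body, unquoted versus quoted delimiter.
UNQUOTED = "cat <<EOF > /tmp/report.txt\nbuilt by $USER\nkey=${API_KEY}\nEOF\n"
QUOTED = "cat <<'EOF' > /tmp/report.txt\nbuilt by $USER\nkey=${API_KEY}\nEOF\n"
```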
CVE-2026-44118 (CVSS 7.8 High) - Privilege Escalation
An unvalidated client-controlled ownership flag enables bearer token holders to elevate privileges and gain control over gateway configuration and scheduling. Attackers can effectively become administrators.
Attack Chain in Practice
The vulnerabilities combine to create a complete attack path:
- Initial Access: Malicious plugin, prompt injection, or compromised input gains sandbox code execution
- Data Theft: CVE-2026-44113 and CVE-2026-44115 expose credentials and sensitive files
- Privilege Escalation: CVE-2026-44118 elevates the compromised process to owner-level control
- Persistence: CVE-2026-44112 plants backdoors and modifies configuration files
This mirrors attack patterns we've seen in other AI agent platforms. The Vidar infostealer campaign targeting OpenClaw earlier this year demonstrated real-world interest in stealing AI agent credentials and configurations.
Exposure Scale
Shodan and ZoomEye scans reveal the scope of the problem:
- 65,000 instances visible on Shodan
- 180,000 instances visible on ZoomEye
- ~245,000 total publicly accessible OpenClaw servers
Financial services, healthcare, and legal sectors face the highest risk, particularly where agent workflows process personally identifiable information, protected health information, or privileged credentials.
This isn't the first time OpenClaw has faced critical vulnerabilities. We've covered sandbox escape flaws and privilege escalation issues in recent months. The platform's rapid adoption has outpaced security hardening.
Immediate Actions
Organizations running OpenClaw should take these steps within 24 hours:
- Apply patches covering GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx
- Identify and secure all internet-facing OpenClaw instances with authentication or firewall rules
- Rotate credentials for all API keys, tokens, and secrets reachable by OpenClaw processes
Hardening Recommendations
Beyond patching, Cyera recommends these longer-term measures:
- Map all data that agents can access and reduce scope aggressively
- Apply service account-level controls to limit agent permissions
- Audit installed plugins and restrict installation to approved sources
- Implement network segmentation with egress controls
The Claw Chain disclosure adds to growing evidence that AI agent platforms have inherited decades of security debt from traditional software. The same vulnerability classes that plagued web applications, container runtimes, and orchestration tools now appear in AI infrastructure.
For organizations evaluating AI agent deployments, the lesson is clear: treat these platforms with the same security rigor as any internet-facing service. The combination of high-value credentials and inadequate sandboxing makes them attractive targets for both opportunistic and targeted attacks.