Cyera — Four Chainable OpenClaw CVEs Expose 180K+ AI Agent Servers

AI relevance: Autonomous AI agents are increasingly deployed with broad access to internal systems and credentials — Cyera's "Claw Chain" research shows how four chainable flaws in OpenClaw let an attacker use the agent itself to escalate from a sandbox foothold to full host control.

What happened

Cyera's research team disclosed four previously unknown vulnerabilities in OpenClaw, one of the most widely deployed open-source platforms for autonomous AI agents. All four were responsibly disclosed to maintainers in April 2026 and have since been patched.

  • CVE-2026-44112 (CVSS 9.6 — Critical): TOCTOU (time-of-check to time-of-use) filesystem write escape in the OpenShell sandbox. A race condition between path validation and the actual write lets attackers redirect writes outside the sandbox boundary, enabling configuration tampering and persistent backdoor placement on the host.
  • CVE-2026-44115 (CVSS 8.8 — High): Execution allowlist gap. Environment variables, including API keys and credentials, leak through unquoted heredocs: the $VAR references look inert when the allowlist validates the command, but the shell expands them at execution.
  • CVE-2026-44118 (CVSS 7.8 — High): MCP loopback privilege escalation. OpenClaw trusts a client-controlled senderIsOwner flag without validating it against the authenticated session, letting a local process elevate to owner-level privileges and control gateway configuration, cron scheduling, and execution environments.
  • CVE-2026-44113 (CVSS 7.7 — High): TOCTOU filesystem read escape. The same race-condition pattern in read operations lets attackers swap a validated file path with a symbolic link pointing outside the allowed mount root, exposing system files and credentials.
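
The two TOCTOU entries share one root cause: a path is validated as a string and opened later, so whatever sits at that name at open time wins. The added example below (written for this summary, not Cyera's or OpenClaw's code; the OpenShell internals are not public here, so the sandbox layout, file names and the `open_within_root` guard are constructed assumptions) shows the naive check-then-open pattern being defeated by a symlink swap, and a guard that walks the path one component at a time with openat() and O_NOFOLLOW so the swap is refused instead of followed. It covers both the read and the write case, since the guard is the same for either direction.

```python
"""Open files beneath a sandbox root without a time-of-check/time-of-use gap.

Constructed example. The guard never re-resolves a path string: every
component is opened relative to the previous directory fd with O_NOFOLLOW,
and the final object is checked on the fd, not on the name.
"""
import errno
import os
import stat
import tempfile

O_BASE = os.O_NOFOLLOW | getattr(os, "O_CLOEXEC", 0)


def _openat(dir_fd: int, name: str, flags: int) -> int:
    """os.open relative to dir_fd; a symlink (ELOOP) or a non-directory
    intermediate component (ENOTDIR) becomes a policy refusal."""
    try:
        return os.open(name, flags, 0o600, dir_fd=dir_fd)
    except OSError as exc:
        if exc.errno in (errno.ELOOP, errno.ENOTDIR):
            raise PermissionError(f"refusing {name!r}: symlink or non-directory") from None
        raise


def open_within_root(root_fd: int, rel_path: str, write: bool = False) -> int:
    """Return an fd for rel_path strictly beneath the directory root_fd refers to.

    Policy: no absolute paths, no '..', no symlinks anywhere in the path, and
    the final object must be a regular file.
    """
    if rel_path.startswith("/"):
        raise PermissionError("absolute paths are not allowed")
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("empty path or parent traversal")

    cur = os.dup(root_fd)  # walk on a private copy; the caller keeps root_fd
    try:
        for comp in parts[:-1]:
            nxt = _openat(cur, comp, os.O_RDONLY | os.O_DIRECTORY | O_BASE)
            os.close(cur)
            cur = nxt
        flags = O_BASE | (os.O_RDWR | os.O_CREAT if write else os.O_RDONLY)
        fd = _openat(cur, parts[-1], flags)
    finally:
        os.close(cur)
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise PermissionError("not a regular file")
    return fd


def demo() -> dict:
    """Build a constructed sandbox layout and compare naive vs guarded access."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        tmp = os.path.realpath(tmp)
        root = os.path.join(tmp, "sandbox")
        outside = os.path.join(tmp, "host-secret.txt")  # host file the agent must not reach
        os.makedirs(os.path.join(root, "work"))
        with open(os.path.join(root, "work", "notes.txt"), "w") as f:
            f.write("agent scratch data")
        with open(outside, "w") as f:
            f.write("HOST_API_KEY=constructed-secret")
        os.symlink(outside, os.path.join(root, "work", "escape"))  # leaf symlink out
        os.symlink(tmp, os.path.join(root, "updir"))               # directory symlink out

        root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
        try:
            with os.fdopen(open_within_root(root_fd, "work/notes.txt")) as f:
                results["regular"] = f.read()
            for name, path in [("symlink_leaf", "work/escape"),
                               ("symlink_dir", "updir/host-secret.txt"),
                               ("dotdot", "work/../../host-secret.txt"),
                               ("absolute", outside)]:
                try:
                    os.close(open_within_root(root_fd, path))
                    results[name] = "opened"
                except PermissionError:
                    results[name] = "blocked"

            # The naive pattern: validate the string now, open it later.
            target = os.path.join(root, "work", "notes.txt")
            validated = os.path.realpath(target).startswith(root + os.sep)
            os.remove(target)             # between check and use the entry
            os.symlink(outside, target)   # is swapped for a symlink
            with open(target) as f:       # follows the link: the host file leaks
                results["naive_after_swap"] = (validated, f.read())
            try:                          # the fd walk refuses the swapped entry
                os.close(open_within_root(root_fd, "work/notes.txt"))
                results["guarded_after_swap"] = "opened"
            except PermissionError:
                results["guarded_after_swap"] = "blocked"
        finally:
            os.close(root_fd)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Refusing every symlink is deliberately stricter than chasing link targets and re-checking them, because the re-check is itself a second string resolution that can race; on Linux 5.6+ the same containment can be expressed in one call with openat2() and RESOLVE_BENEATH, which Python does not expose directly.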

The attack chain

The individual vulnerabilities are serious, but the combined effect is the critical finding. From a single foothold — a malicious plugin, prompt injection, or compromised external input — an attacker can chain three of the flaws in parallel:

  1. Foothold: Malicious code executes inside the OpenShell sandbox.
  2. Data exfiltration: TOCTOU read escape (CVE-2026-44113) and env-var disclosure (CVE-2026-44115) expose credentials and sensitive files beyond the agent's intended scope.
  3. Privilege escalation: MCP loopback flaw (CVE-2026-44118) elevates the process to owner-level control of the agent runtime.
  4. Persistence: TOCTOU write escape (CVE-2026-44112) plants backdoors and alters agent behavior.

Why it matters

  • Shodan and Zoomeye scans identified ~65K and ~180K publicly accessible OpenClaw servers respectively — ~245K total exposed instances as of May 2026.
  • Each step in the chain looks like normal agent behavior to traditional controls, making detection significantly harder.
  • OpenClaw agents typically operate with broad access to internal systems, SaaS data, and credentials — often with weaker governance than the systems they connect to.
  • The senderIsOwner design flaw demonstrates a broader pattern: AI agent platforms that trust client-provided identity signals without server-side validation create trivial privilege escalation paths.
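
The senderIsOwner pattern, as an added illustration rather than OpenClaw's actual code (the session store, request shape and operation names below are constructed assumptions): the vulnerable check believes a flag the client put in the message, while the hardened check derives ownership only from the principal bound to the authenticated session and ignores any client-supplied identity claim.

```python
"""Owner authorization on a loopback control channel: client-asserted flag
versus authenticated session. Constructed example, not OpenClaw's API."""
from __future__ import annotations
from dataclasses import dataclass

# Operations that only the gateway owner may invoke (assumed names).
PRIVILEGED_OPS = {"gateway.config.set", "cron.schedule", "exec.env.set"}


@dataclass(frozen=True)
class Session:
    token: str
    principal: str  # identity established when the session was authenticated


class Gateway:
    def __init__(self, owner: str, sessions: dict[str, Session]):
        self.owner = owner
        self.sessions = sessions

    def authorize_vulnerable(self, request: dict) -> bool:
        """The flawed pattern: the client says whether it is the owner and
        the server takes that at face value."""
        if request["op"] not in PRIVILEGED_OPS:
            return True
        return bool(request.get("senderIsOwner", False))

    def authorize_hardened(self, request: dict) -> bool:
        """Ownership comes from the session the token maps to. The
        senderIsOwner field is never consulted, and an unknown token is a
        denial rather than a fallthrough."""
        if request["op"] not in PRIVILEGED_OPS:
            return True
        session = self.sessions.get(request.get("token", ""))
        if session is None:
            return False
        return session.principal == self.owner


def demo() -> dict:
    gw = Gateway(owner="alice", sessions={
        "tok-alice": Session("tok-alice", "alice"),
        "tok-plugin": Session("tok-plugin", "plugin-sandbox"),
    })
    # A local non-owner process (a sandboxed plugin) asserting ownership.
    forged = {"op": "cron.schedule", "token": "tok-plugin", "senderIsOwner": True}
    # The real owner, whose client happens not to set the flag at all.
    legit = {"op": "cron.schedule", "token": "tok-alice", "senderIsOwner": False}
    unauth = {"op": "gateway.config.set", "senderIsOwner": True}  # no session
    read_only = {"op": "status.get", "token": "tok-plugin"}
    return {
        "forged_vulnerable": gw.authorize_vulnerable(forged),
        "forged_hardened": gw.authorize_hardened(forged),
        "legit_hardened": gw.authorize_hardened(legit),
        "no_session_hardened": gw.authorize_hardened(unauth),
        "read_only_hardened": gw.authorize_hardened(read_only),
    }


if __name__ == "__main__":
    print(demo())
```

The general rule the example encodes: any authorization-relevant attribute (owner, role, tenant) must be looked up server-side from the credential that was actually verified, never read from the request body, even on loopback, where "local" does not mean "trusted".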

What to do

  • Update OpenClaw to the latest patched version (post-April 23, 2026 patches).
  • Audit publicly exposed instances and restrict network access to trusted ranges.
  • Review agent permission scopes — apply the principle of least privilege to agent tool access.
  • Monitor for anomalous agent behavior: unexpected file writes outside sandbox boundaries, environment variable access patterns, or unauthorized configuration changes.
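
The monitoring item above, turned into detection logic as an added example (not a Cyera or OpenClaw artifact): the JSON audit-event shape, the sandbox root, the owner list and the sample lines are all constructed assumptions. The scan flags the three behaviours the chain produces: file operations whose resolved target lies outside the sandbox root, reads of credential-bearing environment variables, and configuration changes from sessions that are not the owner.

```python
"""Flag agent audit events matching the post-exploitation behaviour the
advisory lists. Constructed example; the event format is assumed."""
import json
import posixpath

SANDBOX_ROOT = "/srv/openclaw/sandbox"          # assumed mount root
SECRET_ENV_HINTS = ("KEY", "TOKEN", "SECRET", "PASSWORD")
OWNER_PRINCIPALS = {"alice"}                     # assumed owner set

# Constructed audit log: one JSON event per line.
SAMPLE_LOG = """\
{"ts":"2026-05-02T10:00:01Z","session":"alice","event":"file.write","path":"/srv/openclaw/sandbox/work/out.txt"}
{"ts":"2026-05-02T10:00:02Z","session":"plugin-sandbox","event":"file.write","path":"/srv/openclaw/sandbox/work/../../../../etc/cron.d/agent"}
{"ts":"2026-05-02T10:00:03Z","session":"plugin-sandbox","event":"file.read","path":"/srv/openclaw/sandbox/work/escape","resolved":"/home/agent/.aws/credentials"}
{"ts":"2026-05-02T10:00:04Z","session":"plugin-sandbox","event":"env.read","name":"OPENAI_API_KEY"}
{"ts":"2026-05-02T10:00:05Z","session":"plugin-sandbox","event":"env.read","name":"LANG"}
{"ts":"2026-05-02T10:00:06Z","session":"plugin-sandbox","event":"config.set","key":"gateway.exec.allowlist"}
{"ts":"2026-05-02T10:00:07Z","session":"alice","event":"config.set","key":"gateway.exec.allowlist"}
"""


def is_outside_root(path: str, root: str = SANDBOX_ROOT) -> bool:
    """Collapse '..' segments, then require the path to be the root itself or
    to start with root + '/', so '/srv/openclaw/sandboxes/x' is not mistaken
    for a path inside '/srv/openclaw/sandbox'."""
    norm = posixpath.normpath(path)
    return not (norm == root or norm.startswith(root + "/"))


def classify(event: dict):
    """Return a human-readable reason if the event is suspicious, else None."""
    kind = event.get("event")
    if kind in ("file.write", "file.read"):
        # Prefer the logger's resolved target so an in-root symlink that
        # points at a host file is caught, not just '..' traversal.
        target = event.get("resolved", event.get("path", ""))
        if is_outside_root(target):
            return f"{kind} outside sandbox root: {posixpath.normpath(target)}"
    elif kind == "env.read":
        name = event.get("name", "").upper()
        if any(hint in name for hint in SECRET_ENV_HINTS):
            return f"credential env var read: {name}"
    elif kind == "config.set" and event.get("session") not in OWNER_PRINCIPALS:
        return f"config change by non-owner session {event.get('session')}: {event.get('key')}"
    return None


def scan(log_text: str) -> list:
    """Parse JSON lines and collect (ts, session, reason) findings; a
    malformed line is reported, not silently dropped."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            findings.append(("malformed", None, line))
            continue
        reason = classify(event)
        if reason:
            findings.append((event.get("ts"), event.get("session"), reason))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Because each step of the chain looks like ordinary agent activity in isolation, the useful signal is the sequence: a credential read followed by a non-owner config change and an out-of-root write from the same session is far more telling than any one of those events, so these findings are best fed into a correlation rule keyed on the session field rather than alerted on individually.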

Sources