OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers to Attack

HomeCyber Security News OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers to Attack By Guru Baran May 15, 2026 A chain of four critical vulnerabilities discovered in OpenClaw, one of the fastest-growing open-source platforms for autonomous AI agents, has left an estimated 245,000 publicly accessible server instances exposed to remote exploitation, credential theft, and persistent backdoor installation. Originally launched as “Clawdbot” in late 2025, OpenClaw connects large language models directly to filesystems, SaaS applications, credentials, and execution environments. Enterprises have rapidly adopted it for IT automation, customer service pipelines, and operational integrations with platforms like Telegram, Discord, and Microsoft Agent 365. That broad, privileged access makes it an exceptionally high-value target. Cyera’s research team identified the four previously undisclosed vulnerabilities and disclosed them to OpenClaw maintainers in April 2026. All four have since been patched. Claw Chain OpenClaw Vulnerabilities CVE-2026-44112 (CVSS 9.6 – Critical): A time-of-check/time-of-use (TOCTOU) race condition in the OpenShell sandbox allows attackers to redirect write operations outside the sandbox boundary, enabling configuration tampering and persistent backdoor placement on the host. CVE-2026-44115 (CVSS 8.8 – High): A gap between OpenClaw’s command validation and shell execution allows environment variables — including API keys, tokens, and credentials — to leak through unquoted heredocs that appear safe at validation time. CVE-2026-44118 (CVSS 7.8 – High): OpenClaw blindly trusts a client-controlled ownership flag (senderIsOwner) without cross-referencing the authenticated session, allowing a local process with a valid bearer token to escalate to owner-level control over gateway configuration, scheduling, and execution management. CVE-2026-44113 (CVSS 7.7 – High): The same TOCTOU race condition pattern in read operations lets attackers swap validated file paths with symbolic links pointing outside the allowed mount root, exposing system files and internal artifacts the agent was never meant to access. While each flaw carries its own weight, their combined effect, dubbed “Claw Chain” by Cyera, is far more alarming. From a single foothold, such as a malicious plugin, prompt injection, or compromised external input, an attacker can chain three vulnerabilities in parallel: Foothold – Gain code execution inside the OpenShell sandbox via a malicious plugin or prompt injection Exfiltration – Use CVE-2026-44113 and CVE-2026-44115 to harvest credentials, secrets, and sensitive files Privilege Escalation – Exploit CVE-2026-44118 to elevate to owner-level control of the agent runtime Persistence – Deploy CVE-2026-44112 to plant backdoors and modify future agent behavior What makes this chain especially dangerous is that the attacker weaponizes the AI agent’s own privileges. Each step mimics normal agent behavior, making detection significantly harder for traditional security controls. Shodan and ZoomEye scans as of May 2026 reveal approximately 65,000 and 180,000 publicly accessible OpenClaw instances, respectively, totaling roughly 245,000 exposed servers. Enterprises in financial services, healthcare, and legal sectors face the highest risk, particularly where agent workflows process PII, PHI, or privileged credentials. Organizations running OpenClaw should treat this as a Priority 1 advisory: Patch immediately by applying the April 23, 2026, fixes covering GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx. Rotate all secrets — assume any environment variable or credential reachable by OpenClaw processes may already be compromised. Identify exposed instances using Shodan scans or internal asset inventory and place them behind authentication or firewall controls. Audit agent access and treat OpenClaw deployments as privileged identities subject to the same lifecycle controls as service accounts. Follow us on Google News, LinkedIn, and X to Get More Instant Updates. Tags cyber security cyber security news vulnerability Copy URL Linkedin Twitter ReddIt Telegram Guru Baranhttps://cybersecuritynews.com Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments. Trending News How Top SOCs and MSSPs Prevent Phishing Incidents Missed by Email Filters  GhostLock Tool Leverages Windows API to Lock File Access Like Ransomware OpenAI Hit with Class-Action Privacy Lawsuit for Sharing ChatGPT Data with Google and Meta Škoda Security Incident Exposes Customers Data From Online Shop Popular Go Library fsnotify Raises Supply Chain Alarms After Maintainer Access Changes Latest News Cyber Security News Hackers Abuse OAuth Device Authorization Flow to Steal Microsoft 365 Tokens Cyber Security News Microsoft Edge, Windows 11 and LiteLLM Hacked in Pwn2Own Berlin 2026 Cyber Security News Hackers Use OrBit Rootkit to Harvest SSH and Sudo Credentials From Linux Systems Cyber Security News Microsoft Warns of Attackers Using Trusted HPE Operations Agent for Malware-Free Intrusions Cyber Security News Tycoon 2FA Operators Adopt OAuth Device Code Phishing to Bypass MFA