cyberivy

Claw Chain: Four linked OpenClaw flaws threaten 245,000 AI agent servers

May 16, 2026

Cyera researchers disclosed four chainable CVEs in OpenClaw on May 15, 2026. More than 245,000 publicly reachable agent servers were exposed; all flaws are now patched.

What this is about

On May 15, 2026, the research team at data security vendor Cyera disclosed four previously unknown vulnerabilities in OpenClaw, one of the fastest-spreading open-source platforms for autonomous AI agents. Chained together, the four CVEs form a complete attack path that Cyera calls Claw Chain. According to public exposure scanners, around 65,000 OpenClaw instances were reachable through Shodan and roughly 180,000 through ZoomEye at the time of disclosure.

What Claw Chain actually does

The four vulnerabilities are:

  • CVE-2026-44112 (CVSS 9.6 critical): A TOCTOU race condition in the OpenShell sandbox backend that allows writes outside the intended mount root.
  • CVE-2026-44113 (CVSS 7.7 high): The same race condition pattern in read operations, letting attackers swap a validated file path with a symbolic link after the check.
  • CVE-2026-44115 (CVSS high): Environment variable disclosure, because OpenClaw expands variables including API keys, tokens, and credentials inside unquoted heredocs.
  • CVE-2026-44118 (CVSS 7.8): A privilege escalation path where OpenClaw trusts a client-controlled ownership flag, letting loopback clients gain owner-level privileges.

Chained, the bugs let an attacker escape the sandbox, read and overwrite configuration files, plant persistent cron jobs, and pull API keys out of memory. Cyera writes that the issues were coordinated with OpenClaw maintainers in April 2026 and fully patched in version 2026.4.22.
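
CVE-2026-44115 turns on standard shell behaviour: a heredoc with an unquoted delimiter (`<<EOF`) undergoes parameter and command expansion, while quoting the delimiter (`<<'EOF'`) keeps the body literal. The following is an added example, not code from OpenClaw or Cyera: a small review-time check that flags expanding heredocs in shell text before it is run. The sample script, the variable name and the function name are constructed, and the check handles one heredoc per line as a simplification.

```python
import re

# Heredoc operator (not the <<< here-string), optional "-", optionally quoted delimiter.
HEREDOC = re.compile(r"(?<!<)<<(?!<)(-?)\s*(\\?)(['\"]?)([A-Za-z_]\w*)\3")
# Unescaped $VAR, ${VAR}, $( or a backtick inside a heredoc body.
EXPANSION = re.compile(r"(?<!\\)(\$\{?[A-Za-z_]\w*\}?|\$\(|`)")

# Constructed sample: the first heredoc expands, the second is quoted and stays literal.
SAMPLE = """\
cat > task.sh <<EOF
curl -H "Authorization: Bearer $API_TOKEN" https://example.invalid/
EOF
cat > safe.sh <<'EOF'
echo "$API_TOKEN is written literally"
EOF
"""

def find_expanding_heredocs(script):
    """Return (line_no, delimiter, expansions) for every heredoc whose
    delimiter is unquoted and whose body contains shell expansions."""
    lines = script.splitlines()
    findings, i = [], 0
    while i < len(lines):
        m = HEREDOC.search(lines[i])
        if not m:
            i += 1
            continue
        strip_tabs, backslash, quote, delim = m.groups()
        start, body = i + 1, []          # 1-based line of the << operator
        i += 1
        while i < len(lines):
            line = lines[i].lstrip("\t") if strip_tabs else lines[i]
            if line == delim:            # terminator line ends the body
                break
            body.append(lines[i])
            i += 1
        i += 1                           # step past the terminator
        quoted = bool(backslash or quote)
        hits = [] if quoted else EXPANSION.findall("\n".join(body))
        if hits:
            findings.append((start, delim, hits))
    return findings
```

On `SAMPLE` the check reports only the first heredoc; the fix for a flagged block is to quote the delimiter or pass the secret by another channel than the script text.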

Why it matters

OpenClaw is used in many pilot projects as the core of bespoke AI agents. An unpatched instance hands attackers the keys to the machine identity stack: agents often hold cloud tokens, database credentials, and MCP connector keys in cleartext. The Hacker News and Cybersecurity News place Claw Chain in a wider pattern of open-source agent framework incidents in spring 2026, including PraisonAI and Microsoft Semantic Kernel. The clustering shows that agent platforms with code execution, filesystem access, and MCP wiring need their own protection class, not just the classic web-application stack.

In plain language

Imagine an intern who carries the company keyring. So far, they have been locked in a room that only hands out the correct keys. Claw Chain is the trick where the intern swaps the labels on the keys just before the door check. They walk away with a key that looks like a front-door key but in reality opens the vault. That is exactly what happens inside OpenClaw: a file is validated and replaced with another one in the same breath, before the server uses it.
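
The check-then-swap pattern described above, as an added Python example that is not OpenClaw or Cyera code: `validate` is a check-by-name that leaves a window before the file is used, and `safe_open` is one common hardening that walks from an open directory descriptor and refuses symlinks, so check and use refer to the same object. All function names, file names and the directory layout are constructed; the swap is performed inline in a temp directory rather than raced.

```python
import os
import tempfile

def validate(root, rel):
    """The 'check': resolve the name and confirm it stays under root."""
    full = os.path.join(root, rel)
    base = os.path.realpath(root)
    if not os.path.realpath(full).startswith(base + os.sep):
        raise PermissionError("path escapes mount root")
    return full  # only a name: it can be re-pointed before the 'use'

def safe_open(root, rel, flags=os.O_RDONLY):
    """Check and use in one step: walk from an open root fd, never follow links."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("invalid relative path")
    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed layout (hypothetical names); returns (naive, hardened)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "mount")
        os.mkdir(root)
        outside = os.path.join(tmp, "host_secret.txt")
        with open(outside, "w") as f:
            f.write("host-only")
        inside = os.path.join(root, "note.txt")
        with open(inside, "w") as f:
            f.write("sandboxed")
        checked = validate(root, "note.txt")   # check passes
        os.remove(inside)
        os.symlink(outside, inside)            # name re-pointed after the check
        with open(checked) as f:
            naive = f.read()                   # use follows the link out of root
        try:
            os.close(safe_open(root, "note.txt"))
            hardened = "opened"
        except OSError:
            hardened = "refused"
        return naive, hardened
```

`demo()` shows the naive path returning the file outside the root while `safe_open` fails closed on the same name.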

A practical example

A mid-sized insurer in Stuttgart runs an OpenClaw agent that classifies claim notices and files them into the internal document system. Through Claw Chain, an attacker could lift the agent container out of its sandbox, read the file holding the cloud API tokens, and plant a cron job that copies claim data to an external server every night. Network monitoring would see nothing strange, because the data flow appears to come from the legitimate agent. With an upgrade to OpenClaw 2026.4.22, a rotation of every service credential, and a review of cron entries, the attack path closes.

Scope and limits

  • Patches exist, but update discipline often does not. Many teams install AI agents for a demo and then quietly run them in production. Until the version is 2026.4.22 or newer, the risk remains.
  • Internet exposure is the main story. OpenClaw should not face the open internet without a VPN or zero-trust proxy. Most of the 245,000 hits are likely hobby projects or PoCs, but real production instances sit in there too.
  • Claw Chain is not an AI model attack. These are classic sandbox, race-condition, and privilege-escalation issues. Anyone who thinks prompt hardening alone is enough is missing the bigger part of the agent security debate.

💡 In plain English

On May 15, 2026, researchers disclosed four flaws in OpenClaw, a popular AI agent platform. Combined, they form a full attack chain. More than 245,000 servers were exposed online. A patch exists. Anyone running OpenClaw should update to version 2026.4.22 right away and rotate every API key.

Key Takeaways

  • Cyera disclosed four chainable CVEs in OpenClaw on May 15, 2026, collectively named Claw Chain.
  • CVE-2026-44112 carries CVSS 9.6 and allows a sandbox escape via a TOCTOU race condition.
  • Around 65,000 OpenClaw instances were reachable through Shodan, about 180,000 through ZoomEye.
  • The bugs enable sandbox escape, data theft, privilege escalation, and persistent backdoors.
  • All four issues were reported in April 2026 and fixed in OpenClaw 2026.4.22.
  • Claw Chain joins a wave of attacks on AI agent frameworks such as PraisonAI and Semantic Kernel.

FAQ

What is Claw Chain?

Claw Chain is the bundle of four vulnerabilities in OpenClaw that Cyera disclosed on May 15, 2026. Together they enable sandbox escape, privilege escalation, and data theft.

Which version fixes the flaws?

OpenClaw 2026.4.22 ships fixes for all four CVEs. Update immediately and rotate every service credential the agent uses.

Am I affected if OpenClaw runs internally only?

The risk drops, but it does not vanish. Internal or VPN-only OpenClaw deployments should still be patched, because insider abuse and compromised workstations can still exploit the chain.
