Claw Chain: Four Chained CVEs Turn 245,000 OpenClaw Agents Into Backdoors (May 2026)

On May 15, 2026, Cyera's research team published "Claw Chain," a disclosure detailing four chainable vulnerabilities in OpenClaw, one of the fastest-growing open-source platforms for running autonomous AI agents. Individually the four flaws score between CVSS 7.7 and 9.6. Chained, they walk an attacker from an initial foothold inside the agent's sandbox all the way to credential theft, owner-level privilege escalation, and a persistent backdoor that survives restarts. Every step in the chain looks like ordinary agent activity, which is precisely what makes it dangerous.

OpenClaw, originally launched as "Clawdbot" in late 2025, wires large language models directly to filesystems, SaaS applications, stored credentials, and shell execution environments. It is deployed for IT automation, customer service, and operational integrations with Telegram, Discord, and Microsoft Agent 365. That positioning — an agent runtime that holds the keys to everything around it — is exactly the property that turns a sandbox-escape bug into a full-environment compromise. Cyera disclosed the findings to OpenClaw maintainers in April 2026, and all four were patched in version 2026.4.22 (released April 23, 2026) before public disclosure.

The exposure is not theoretical. As of May 2026, Shodan and ZoomEye scans counted roughly 65,000 and 180,000 publicly accessible OpenClaw instances respectively — on the order of 245,000 servers reachable over the internet, many of them in financial services, healthcare, and legal environments handling PII, PHI, and privileged credentials. This post walks the chain, the telemetry that would catch it, and the structural reason agent runtimes keep shipping this class of bug.

TL;DR

• Cyera disclosed four chainable OpenClaw vulnerabilities ("Claw Chain") on May 15, 2026: CVE-2026-44112 (CVSS 9.6), CVE-2026-44115 (8.8), CVE-2026-44118 (7.8), and CVE-2026-44113 (7.7).
• Chained, they take an attacker from a sandbox foothold to credential exfiltration, privilege escalation, and a persistent backdoor — the classic foothold-to-persistence kill chain, executed entirely as "normal" agent behavior.
• The root flaws are two TOCTOU race conditions in the OpenShell sandbox (read and write escapes), an unquoted-heredoc credential leak, and a client-controlled senderIsOwner flag that is trusted without session validation.
• Patched in OpenClaw 2026.4.22 (April 23, 2026). All earlier versions are affected.
• Roughly 245,000 instances are exposed to the internet as of May 2026; high concentration in finance, healthcare, and legal.
• Monday-morning actions: upgrade to 2026.4.22 or later, rotate every secret the agent could read, take exposed instances off the public internet, and treat the agent's identity as a privileged account.

What happened

Cyera's research team identified four previously undisclosed vulnerabilities in OpenClaw and reported them to the maintainers in April 2026. The maintainers shipped fixes in version 2026.4.22 on April 23, 2026. Cyera published the full technical writeup on May 15, 2026, after patches were available, and security press (The Hacker News, eSecurity Planet, The Next Web) picked it up the same week.

The four CVEs are:

| CVE | CVSS | Class | Mechanic | |-----|------|-------|----------| | CVE-2026-44112 | 9.6 Critical | TOCTOU write escape | Race between path validation and write in the OpenShell sandbox lets writes land outside the intended mount root | | CVE-2026-44115 | 8.8 High | Credential leak | Environment variables expand inside unquoted heredocs, returning API keys and tokens through commands that look safe at validation time | | CVE-2026-44118 | 7.8 High | Privilege escalation | Client-controlled senderIsOwner flag is trusted without validating it against an authenticated session | | CVE-2026-44113 | 7.7 High | TOCTOU read escape | Race in read operations allows symbolic-link swapping to expose files outside the mount root |

None of these is a memory-corruption bug or a missing-patch CVE. They are logic flaws in how an agent runtime validates filesystem operations, expands shell commands, and decides who counts as the owner. That matters for detection: there is no crash, no segfault, no anomalous binary. Everything happens inside the agent's own legitimate execution surface.

How the attack chain works

Cyera describes a four-stage progression. The important property is that each stage reuses a capability the agent already has, so the chain reads like a normal automation run.

Stage 1 — Foothold. The attacker gets code execution inside the OpenShell sandbox. The realistic vectors are a malicious plugin, a prompt-injection payload delivered through content the agent is asked to process, or a compromised external input. At this point the attacker is confined to the sandbox, which is the whole point of the sandbox.

Stage 2 — Exfiltration. Two flaws break confinement for reads. CVE-2026-44113 is a time-of-check/time-of-use race: the sandbox validates a path, then reads it, and an attacker who swaps a symbolic link in the window between those two operations can redirect the read to a file outside the mount root. CVE-2026-44115 leaks secrets a different way — the gap between command validation and shell execution lets environment variables expand inside an unquoted heredoc, so a command that passed validation as "safe" returns the contents of API_KEY, DATABASE_URL, and similar at execution time.

# Illustrative sketch of the heredoc expansion problem (NOT functional exploit code).
# A command that looks like a static, allowlisted "echo a banner" passes validation,
# but the unquoted heredoc delimiter causes the shell to expand secrets at run time.

cat <<EOF
status: ok
token: $OPENCLAW_API_KEY
db:    $DATABASE_URL
EOF
# Quoting the delimiter ( <<'EOF' ) disables expansion. The bug is that validation
# did not require the quoted form before passing the command to the shell.

Stage 3 — Privilege escalation. CVE-2026-44118 is the pivot from "process in the sandbox" to "owner of the agent." OpenClaw trusts a client-controlled senderIsOwner flag without checking it against an authenticated session. A locally executing process that holds a valid bearer token can set the flag and be treated as the owner, gaining owner-level control over the agent and everything it can reach.

// Illustrative: the request carries an ownership claim the server should never trust
// from the client. NOT functional exploit code.
{
  "session": "<valid-bearer-token>",
  "senderIsOwner": true,
  "action": "configure",
  "payload": { "...": "owner-only operation" }
}

Stage 4 — Persistence. CVE-2026-44112, the most severe at CVSS 9.6, is the mirror image of the read-escape: a TOCTOU race between path validation and the write itself in OpenShell. The sandbox's automated write behavior amplifies the impact, letting an attacker land files outside the mount root — config tampering, a modified startup hook, or a planted backdoor that re-establishes access after a restart.

Put end to end: a prompt-injection foothold reads the agent's credentials, escalates to owner, and writes a backdoor — all without tripping a single "this binary should not be running" alarm, because no foreign binary ever runs. The agent does it to itself.

Detection

Because the chain abuses the agent's own legitimate operations, signature-based detection is weak. Behavioral and filesystem telemetry are where you get coverage.

• TOCTOU / symlink-swap signals. Watch for the OpenShell process resolving a path and then operating on a different inode, or operating on paths that resolve outside the configured mount root. On Linux, auditd rules on open, openat, rename, and symlink for the agent's UID, correlated by PID and time window, will surface the validate-then-divert pattern.
• Writes outside the mount root. Any write by the agent process to paths outside its declared working directory or sandbox mount is a high-fidelity signal for CVE-2026-44112 exploitation. File-integrity monitoring on startup hooks, plugin directories, and config files matters most.
• Credential egress. Heredoc expansion (CVE-2026-44115) shows up as the agent emitting strings that match secret patterns (sk-, AKIA, JWT shapes, DATABASE_URL values) in tool output or network responses. Egress inspection and secret-pattern scanning on agent output catches it.
• Ownership-claim anomalies. Log every request that sets senderIsOwner and alert when the flag is set by a session that was not the original owner session. A sudden jump to owner-level operations from a process that began as a constrained tool call is the escalation signature.
• Exposure inventory. Run a Shodan/ZoomEye or internal scan for OpenClaw on your public ranges. Any internet-reachable instance below 2026.4.22 should be treated as presumed-targeted, given active scanning at this exposure scale.

What to do Monday morning

1. Upgrade now. Move every OpenClaw instance to 2026.4.22 or later. All earlier versions are vulnerable to the full chain. This is the single highest-leverage action.
2. Rotate every secret the agent could read. Assume CVE-2026-44115 / CVE-2026-44113 exfiltrated credentials on any exposed, unpatched instance. Rotate API keys, database credentials, OAuth tokens, and SaaS integration secrets the agent had access to. Prioritize Telegram, Discord, and Microsoft Agent 365 integration tokens.
3. Get exposed instances off the public internet. No agent runtime that holds credentials and runs a shell belongs on a public IP. Put OpenClaw behind a VPN, identity-aware proxy, or at minimum an allowlist. Confirm with an external scan.
4. Audit the agent's identity as a privileged account. The agent has the union of every credential it can read. Inventory that blast radius, scope it down to least privilege, and revoke anything it does not need for its task.
5. Hunt for persistence. On any instance that was exposed and unpatched, inspect plugin directories, startup hooks, and OpenClaw config for unexpected modifications dated before the upgrade. CVE-2026-44112's payoff is a backdoor that survives the patch.
6. Add the behavioral detections above for writes outside the mount root, anomalous ownership claims, and secret-pattern egress, so the next chain is caught at runtime rather than at disclosure.

Why this keeps happening

The Claw Chain is the agent-era version of a very old pattern. TOCTOU bugs (CVE-2026-44112 and -44113) have plagued privileged software for decades; the novelty here is that the privileged software is an LLM-driven agent whose entire job is to take fuzzy instructions and turn them into filesystem and shell operations. Two structural pressures make this class of bug recurrent in agent runtimes:

First, agents collapse the gap between input and action. A traditional service validates input, then acts. An agent reads attacker-influenceable content (a document, a message, a webpage), reasons about it, and then performs privileged operations — so the prompt-injection foothold in Stage 1 is not an edge case, it is the normal data path. The sandbox is the only thing standing between untrusted input and the host, which is why a sandbox-escape race is catastrophic rather than merely serious.

Second, agent runtimes accumulate ambient credentials. OpenClaw is valuable precisely because it can reach filesystems, SaaS apps, and stored secrets. That makes the agent's identity the most over-privileged account in the environment, and the senderIsOwner flaw (CVE-2026-44118) shows how thin the authorization layer often is — a client-supplied boolean trusted without session validation. When the perimeter is one unvalidated flag and the prize is owner-level control over everything the agent touches, attackers will find the flag.

The structural fix

You cannot eliminate prompt-injection footholds, so the defensible posture is to shrink what a foothold is worth. That means treating each agent and each tool it can invoke as a scoped, governed identity rather than a trusted insider. Capability scoping limits an agent to the minimum set of tools and credentials its task requires, so a Stage-2 exfiltration reaches far less, and MCP server governance plus MCP server security give you an inventory of what each agent server is actually allowed to do and where it drifts from that baseline. Pairing that with runtime guardrails that flag writes outside the sandbox root and anomalous ownership claims does not prevent the TOCTOU race, but it shortens dwell time and caps blast radius — the agent can still be tricked, but it can no longer quietly become the owner of your environment. Governing agents as first-class privileged identities is the throughline in how to govern AI agents.

What we know we don't know

• In-the-wild exploitation. Cyera disclosed after patches landed and reported responsible disclosure. As of this writing there is no public confirmation of Claw Chain being exploited in the wild, though the ~245,000-instance exposure surface makes scanning likely. Treat exposed, unpatched instances as presumed-targeted, not confirmed-breached.
• Real-world deployment counts. The 65,000 / 180,000 figures are public-scan counts (Shodan / ZoomEye), which capture internet-reachable instances, not internal deployments. Total deployment is almost certainly higher and unmeasured.
• Attribution and victim data. No specific victims, breach figures, or threat-actor attribution were public at disclosure.

References

• Cyera Research — Claw Chain: Four Chainable Vulnerabilities in OpenClaw (May 15, 2026): https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw
• The Hacker News — Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence (May 2026): https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html
• eSecurity Planet — OpenClaw Vulnerabilities Could Enable Full AI Agent Takeover: https://www.esecurityplanet.com/threats/openclaw-vulnerabilities-could-enable-full-ai-agent-takeover/
• The Next Web — Four OpenClaw flaws let attackers steal data, escalate privileges, and plant backdoors: https://thenextweb.com/news/openclaw-claw-chain-vulnerabilities-sandbox-escape
• Cybersecurity News — OpenClaw Chain Vulnerabilities Expose 245,000 Public AI Agent Servers: https://cybersecuritynews.com/openclaw-chain-vulnerabilities/
• Rescana — Claw Chain Critical OpenClaw Vulnerabilities (CVE-2026-44112/44113/44115/44118): https://www.rescana.com/post/claw-chain-critical-openclaw-vulnerabilities-cve-2026-44112-44113-44115-44118-enable-data-theft-privilege-escalation-and/

Internal Safeguard resources:

• MCP Server governance
• MCP server security
• Capability scoping
• Govern AI agents
• Prompt injection
• Incident response