Critical Vulnerabilities in OpenClaw Expose 245,000 AI Agent Servers to Potential Attacks
OpenClaw, an open-source platform for autonomous AI agents, has recently been found to contain a series of critical vulnerabilities that could expose approximately 245,000 publicly accessible server instances to remote exploitation, credential theft, and persistent backdoor installation. Originally launched as Clawdbot in late 2025, OpenClaw integrates large language models directly with filesystems, SaaS applications, credentials, and execution environments. Its rapid adoption by enterprises for IT automation, customer service pipelines, and operational integrations with platforms like Telegram, Discord, and Microsoft Agent 365 has made it a high-value target for cyber attackers.
Identified Vulnerabilities:
Cyera’s research team has identified four previously undisclosed vulnerabilities in OpenClaw, collectively referred to as the Claw Chain. These vulnerabilities have been patched as of April 2026. The vulnerabilities are as follows:
1. CVE-2026-44112 (CVSS 9.6 – Critical): A time-of-check/time-of-use (TOCTOU) race condition in the OpenShell sandbox allows attackers to redirect write operations outside the sandbox boundary. This can enable configuration tampering and the placement of persistent backdoors on the host system.
2. CVE-2026-44115 (CVSS 8.8 – High): A gap between OpenClaw’s command validation and shell execution permits environment variables—including API keys, tokens, and credentials—to leak through unquoted heredocs that appear safe during validation.
3. CVE-2026-44118 (CVSS 7.8 – High): OpenClaw trusts a client-controlled ownership flag (`senderIsOwner`) without cross-referencing the authenticated session. This oversight allows a local process with a valid bearer token to escalate to owner-level control over gateway configuration, scheduling, and execution management.
4. CVE-2026-44113 (CVSS 7.7 – High): A TOCTOU race condition in read operations enables attackers to swap validated file paths with symbolic links pointing outside the allowed mount root. This exposes system files and internal artifacts that the agent was never intended to access.
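The symlink-swap races in items 1 and 4 belong to the check-then-open class, and the usual defence is to open each path component relative to an already-open directory descriptor with O_NOFOLLOW, so validation and access are the same operation. The Python below is an added example, not OpenClaw's code or its patch; `open_beneath`, `demo` and the fixture paths are hypothetical, and a POSIX system is assumed.

```python
import os
import tempfile
from pathlib import Path

def open_beneath(root, relpath, flags=os.O_RDONLY):
    """Open relpath under root without following any symlink (hypothetical helper).
    Each component is opened relative to its parent's descriptor with O_NOFOLLOW,
    so a path swapped for a symlink after a check cannot redirect the access."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(f"path escapes root: {relpath!r}")
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)  # root itself is trusted config
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, 0o600, dir_fd=dirfd)
    finally:
        os.close(dirfd)

def demo():
    """Constructed fixture: a sandbox root plus symlinks that point outside it."""
    base = Path(tempfile.mkdtemp())
    root, secret = base / "sandbox", base / "host_secret"
    (root / "work").mkdir(parents=True)
    secret.write_text("outside")
    (root / "work" / "note.txt").write_text("inside")
    (root / "work" / "link").symlink_to(secret)  # file symlink out of the root
    (root / "updir").symlink_to(base)            # directory symlink out of the root
    results = {}
    for rel in ("work/note.txt", "work/link", "updir/host_secret", "../host_secret"):
        try:
            with os.fdopen(open_beneath(root, rel)) as f:
                results[rel] = f.read()
        except OSError:  # ELOOP/ENOTDIR from the kernel, or PermissionError
            results[rel] = "blocked"
    try:  # write path: O_CREAT must not follow the symlink either
        os.close(open_beneath(root, "work/link", os.O_WRONLY | os.O_CREAT | os.O_TRUNC))
        results["write"] = "followed"
    except OSError:
        results["write"] = "blocked"
    results["secret_after"] = secret.read_text()
    return results

if __name__ == "__main__":
    print(demo())
```

On Linux 5.6 and later, `openat2` with `RESOLVE_BENEATH` enforces the same rule in a single system call.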
Exploitation Potential:
While each vulnerability poses a significant risk individually, their combined exploitation—termed the Claw Chain by Cyera—presents a particularly alarming scenario. An attacker could potentially:
1. Gain Initial Foothold: Achieve code execution within the OpenShell sandbox via a malicious plugin or prompt injection.
2. Exfiltrate Sensitive Data: Utilize CVE-2026-44113 and CVE-2026-44115 to harvest credentials, secrets, and sensitive files.
3. Escalate Privileges: Exploit CVE-2026-44118 to attain owner-level control of the agent runtime.
4. Establish Persistence: Use CVE-2026-44112 to plant backdoors and modify future agent behavior.
This attack chain leverages the AI agent’s own privileges, making detection challenging for traditional security controls.
Scope of Exposure:
As of May 2026, scans using Shodan and ZoomEye have identified approximately 65,000 and 180,000 publicly accessible OpenClaw instances, respectively, totaling around 245,000 exposed servers. Enterprises in the financial services, healthcare, and legal sectors are at heightened risk, especially where agent workflows process personally identifiable information (PII), protected health information (PHI), or privileged credentials.
Mitigation Recommendations:
Organizations utilizing OpenClaw should take the following steps to mitigate potential risks:
1. Update OpenClaw Instances: Ensure all OpenClaw instances are updated to the latest version that includes patches for the identified vulnerabilities.
2. Restrict Public Access: Configure OpenClaw servers to limit exposure to the public internet. Implement firewall rules and access controls to restrict access to trusted networks and users.
3. Monitor for Unusual Activity: Establish monitoring mechanisms to detect unusual behavior or unauthorized access attempts. This includes monitoring for unexpected changes in configuration, unauthorized data access, and irregular network traffic patterns.
4. Review and Harden Configurations: Conduct thorough reviews of OpenClaw configurations to identify and rectify any security misconfigurations. Implement best practices for securing AI agent platforms, including the principle of least privilege and regular security audits.
5. Educate and Train Staff: Provide training for staff on the potential risks associated with AI agent platforms and the importance of adhering to security best practices.
By proactively addressing these vulnerabilities and implementing robust security measures, organizations can significantly reduce the risk of exploitation and safeguard their systems and sensitive data.