Security researchers have uncovered four new vulnerabilities in the OpenClaw open source framework that attackers can chain to gain initial access, steal credentials, escalate privileges, and establish persistent backdoor access on compromised systems.

The maintainers of the framework, which is used to deploy autonomous AI agents, have patched all four vulnerabilities after data security firm Cyera reported them last month. The flaws, which Cyera dubbed “Claw Chain,” affect all OpenClaw versions available prior to April 23, 2026 (2026.4.22).

Four Chainable OpenClaw Vulnerabilities

The most severe of the flaws, CVE-2026-44112, has a CVSS score of 9.6 and stems from a time-of-check/time-of-use (TOCTOU) race condition in OpenClaw’s OpenShell sandbox. The vulnerability gives attackers a way to modify system configuration files, drop malicious backdoors, and ultimately achieve persistent, system-level control over the host. The next most severe is CVE-2026-44115 (CVSS: 8.8), a logic flaw that attackers can exploit to access API keys, tokens, credentials, and other sensitive data. The other two vulnerabilities are CVE-2026-44118 (CVSS: 7.8), a privilege escalation vulnerability tied to improper session validation, and CVE-2026-44113 (CVSS: 7.8), another TOCTOU vulnerability that allows attackers to improperly access system configuration files, API keys, credentials, or other internal data.
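One common form of TOCTOU race in file-handling code is validating a path and then resolving that path again when the file is opened. The following added example is not OpenClaw's code and does not reproduce CVE-2026-44112 or CVE-2026-44113, whose internals this article does not describe; the function names and directory layout are constructed. It shows a hardened open routine that binds the check to the descriptor it actually opened.

```python
import os
import stat
import tempfile

def open_beneath(root, relpath):
    """Walk from a directory fd one component at a time, refusing symlinks,
    then check the descriptor that was actually opened (no second path lookup)."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("unsafe path")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, name in enumerate(parts):
            last = i == len(parts) - 1
            flags = os.O_RDONLY | os.O_NOFOLLOW | (os.O_NONBLOCK if last else os.O_DIRECTORY)
            try:
                nxt = os.open(name, flags, dir_fd=fd)
            except OSError as exc:
                raise PermissionError(f"refused at {name!r}") from exc
            os.close(fd)
            fd = nxt
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError("not a regular file")
        return fd
    except BaseException:
        os.close(fd)
        raise


def demo():
    """Constructed layout: data/ is swapped for a symlink after validation."""
    with tempfile.TemporaryDirectory() as tmp:
        root, host = os.path.join(tmp, "sandbox"), os.path.join(tmp, "host")
        os.makedirs(os.path.join(root, "data"))
        os.mkdir(host)
        for d, text in ((os.path.join(root, "data"), "agent notes"), (host, "host secret")):
            with open(os.path.join(d, "notes.txt"), "w") as f:
                f.write(text)
        fd = open_beneath(root, "data/notes.txt")
        os.rename(os.path.join(root, "data"), os.path.join(root, "old"))
        os.symlink(host, os.path.join(root, "data"))
        with os.fdopen(fd) as f:
            held = f.read()  # the validated file, not whatever the path names now
        try:
            os.close(open_beneath(root, "data/notes.txt"))
            blocked = False
        except PermissionError:
            blocked = True
        return held, blocked
```

On Linux 5.6 and later, `openat2(2)` with `RESOLVE_BENEATH` enforces the same containment rule in the kernel.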


“The four vulnerabilities are individually meaningful, but their combined effect is the more important story,” Cyera said in a recent report. “From a single supply-chain-style foothold, an attacker can chain three of them in parallel from one entry point.” 

The security vendor described the attack chain as potentially beginning with an adversary gaining an initial foothold through a malicious plug-in, a manipulated prompt, or another external data source that an AI agent might typically process. Once inside the sandbox, an attacker could use the read and command execution flaws to collect credentials and sensitive files. They could then use those credentials to exploit the privilege escalation vulnerability, gain administrative control over the agent environment, and plant backdoors for persistent long-term access, according to Cyera.

What makes this attack chain particularly difficult to detect is that each step exploits the agent’s own legitimate capabilities and privileges, making the activity look like typical agent behavior to conventional security monitoring tools, Cyera noted. “By weaponizing the agent’s own privileges, an adversary moves through data access, privilege escalation, and persistence — using the agent as their hands inside the environment,” the company said. “Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder.”


Heightening Risks for Agentic AI

The Claw Chain flaws are the latest reminder of how the rapid deployment of AI agent platforms is exposing enterprises to new security risks, as organizations increasingly connect them to sensitive internal systems, cloud environments, software-as-a-service (SaaS) applications, and privileged credentials. OpenClaw, originally called Clawdbot and later MoltBot, has quickly emerged as a breakout project in the open source AI agent space since its launch last November.

The software lets users run AI assistants directly on their own computers to automate workflows, interact with applications, manage information, perform administrative tasks, and carry out multistep actions with minimal human involvement. To deliver that functionality, the platform accesses local files, terminal environments, developer tools, messaging platforms, calendars, APIs, and other connected systems.


Almost since its launch, however, researchers have uncovered vulnerabilities and security issues in the platform that organizations have needed to address on an urgent basis. Examples include a vulnerability that Oasis Security reported last month that gave attackers a way to use a malicious website to hijack AI agents. Another OpenClaw bug (CVE-2026-25253) enabled token theft, and others, such as CVE-2026-24763, CVE-2026-25157, and CVE-2026-25475, have enabled command and prompt injection.

Justin Fier, senior vice president, offensive security, at Darktrace, says organizations are opening the door to attackers by using technologies like OpenClaw without proper security vetting. “These flaws allow an attacker to carry out the bedrock stages of an attack,” Fier says. “They allow the attacker to tamper with restricted configurations, establish persistence on a compromised host through the implementation of backdoors, and make other configuration changes.”

Because a user might assign trusted permissions to their OpenClaw client, any associated traffic would likely look normal and be hard to detect, he says. “OpenClaw requires very intrusive access to function, including access to the file system, mouse, keyboard, and more,” he points out.

In addition, users need to give it access to the services they want it to work with, including financial and even health data. “This is an intrusive tool, and putting too much trust in it is the ultimate risk an organization can take,” Fier says. “Stack on some CVEs and exploit chains, and the risk compounds greatly.” 

He also advises that organizations need to establish proper governance and visibility of this type of use and take a least-privilege approach to key services across the business.
