
'Claw Chain' Vulnerabilities Threaten OpenClaw Deployments
The now-patched vulnerabilities in the rapidly growing AI agent framework allow attackers to steal credentials, escalate privileges, and maintain persistence.
Jai Vijayan, Contributing Writer
May 18, 2026

Security researchers have uncovered four new vulnerabilities in the OpenClaw open source framework that attackers can chain to gain initial access, steal credentials, escalate privileges, and establish persistent backdoor access on compromised systems.

The maintainers of the framework, which is for deploying autonomous AI agents, have patched all four vulnerabilities after data security firm Cyera reported them last month.
The flaws, which Cyera dubbed "Claw Chain," affect all OpenClaw versions available prior to April 23, 2026 (2026.4.22).

Four Chainable OpenClaw Vulnerabilities

The most severe of the flaws, CVE-2026-44112, has a CVSS score of 9.6 and stems from a time-of-check/time-of-use (TOCTOU) race condition in OpenClaw's OpenShell sandbox. The vulnerability gives attackers a way to modify system configuration files, drop malicious backdoors, and ultimately achieve persistent, system-level control over the host. The next most severe is CVE-2026-44115 (CVSS: 8.8), a logic flaw that attackers can exploit to access API keys, tokens, credentials, and other sensitive data. The other two vulnerabilities are CVE-2026-44118 (CVSS: 7.8), a privilege escalation vulnerability tied to improper session validation, and CVE-2026-44113 (CVSS: 7.8), another TOCTOU vulnerability that allows attackers to improperly access system configuration files, API keys, credentials, or other internal data.

"The four vulnerabilities are individually meaningful, but their combined effect is the more important story," Cyera said in a recent report. "From a single supply-chain-style foothold, an attacker can chain three of them in parallel from one entry point."

The security vendor described the attack chain as potentially beginning with an adversary gaining an initial foothold through a malicious plug-in, a manipulated prompt, or another external data source that an AI agent might typically process. Once inside the sandbox, an attacker could use the read and command execution flaws to collect credentials and sensitive files.
They could then use those credentials to exploit the privilege escalation vulnerability, gain administrative control over the agent environment, and then plant backdoors for persistent, long-term access, according to Cyera.

What makes this attack chain particularly difficult to detect is that each step exploits the agent's own legitimate capabilities and privileges, making the activity look like typical agent behavior to conventional security monitoring tools, Cyera noted. "By weaponizing the agent's own privileges, an adversary moves through data access, privilege escalation, and persistence — using the agent as their hands inside the environment," the company said. "Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder."

Heightening Risks for Agentic AI

The Claw Chain flaws are the latest reminder of how the rapid deployment of AI agent platforms is exposing enterprises to new security risks, as organizations increasingly connect them to sensitive internal systems, cloud environments, software-as-a-service (SaaS) applications, and privileged credentials.

OpenClaw, originally called Clawdbot and later MoltBot, has quickly emerged as a breakout project in the open source AI agent space since its launch last November. The software lets users run AI assistants directly on their own computers to automate workflows, interact with applications, manage information, perform administrative tasks, and carry out multistep actions with minimal human involvement.
To deliver that functionality, the platform accesses local files, terminal environments, developer tools, messaging platforms, calendars, APIs, and other connected systems.

Almost since its launch, however, researchers have uncovered vulnerabilities and security issues in the platform that organizations have needed to address on an urgent basis. Some examples include a vulnerability that Oasis Security reported last month that gave attackers a way to use a malicious website to hijack AI agents. Another OpenClaw bug (CVE-2026-25253) enabled token theft, and others, such as CVE-2026-24763, CVE-2026-25157, and CVE-2026-25475, have enabled command and prompt injection.

Justin Fier, senior vice president, offensive security, at Darktrace, says organizations are opening the door to attackers by using technologies like OpenClaw without proper security vetting. "These flaws allow an attacker to carry out the bedrock stages of an attack," Fier says. "They allow the attacker to tamper with restricted configurations, establish persistence on a compromised host through the implementation of backdoors, and make other configuration changes."

Because a user might assign trusted permissions to their OpenClaw client, any associated traffic would likely look normal and be hard to detect, he says. "OpenClaw requires very intrusive access to function, including access to the file system, mouse, keyboard, and more," he points out.

In addition, users need to give it access to the services they want it to work with, including financial and even health data. "This is an intrusive tool, and putting too much trust in it is the ultimate risk an organization can take," Fier says. "Stack on some CVEs and exploit chains, and the risk compounds greatly."
He also advises that organizations need to establish proper governance and visibility of this type of use and take a least-privilege approach to key services across the business.
📰Originally published at darkreading.com
Staff Writer