LmCast :: Stay tuned in

'Claw Chain' Vulnerabilities Threaten OpenClaw Deployments

Recorded: May 18, 2026, 9:59 p.m.

Original Summarized

The now patched vulnerabilities in the rapidly growing AI agent framework allow attackers to steal credentials, escalate privileges, and maintain persistence.

Jai Vijayan, Contributing Writer
May 18, 2026

Security researchers have uncovered four new vulnerabilities in the OpenClaw open source framework that attackers can chain to gain initial access, steal credentials, escalate privileges, and establish persistent backdoor access on compromised systems.

The maintainers of the framework, which is for deploying autonomous AI agents, have patched all four vulnerabilities after data security firm Cyera reported them last month. The flaws, which Cyera dubbed "Claw Chain," affect all OpenClaw versions available prior to April 23, 2026 (2026.4.22).

Four Chainable OpenClaw Vulnerabilities

The most severe of the flaws, CVE-2026-44112, has a CVSS score of 9.6 and stems from a time-of-check/time-of-use (TOCTOU) race condition in OpenClaw's OpenShell sandbox. The vulnerability gives attackers a way to modify system configuration files, drop malicious backdoors, and ultimately achieve persistent, system-level control over the host. The next most severe is CVE-2026-44115 (CVSS: 8.8), a logic flaw that attackers can exploit to access API keys, tokens, credentials and other sensitive data.
The other two vulnerabilities are CVE-2026-44118 (CVSS: 7.8), a privilege escalation vulnerability tied to improper session validation, and CVE-2026-44113 (CVSS: 7.8), another TOCTOU vulnerability that allows attackers to improperly access system configuration files, API keys, credentials, or other internal data.

"The four vulnerabilities are individually meaningful, but their combined effect is the more important story," Cyera said in a recent report. "From a single supply-chain-style foothold, an attacker can chain three of them in parallel from one entry point."

The security vendor described the attack chain as potentially beginning with an adversary gaining an initial foothold through a malicious plug-in, a manipulated prompt, or another external data source that an AI agent might typically process. Once inside the sandbox, an attacker could use the read and command execution flaws to collect credentials and sensitive files. They could then use those credentials to exploit the privilege escalation vulnerability, gain administrative control over the agent environment, and plant backdoors for persistent long-term access, according to Cyera.

What makes this attack chain particularly difficult to detect is that each step exploits the agent's own legitimate capabilities and privileges, making the activity look like typical agent behavior to conventional security monitoring tools, Cyera noted. "By weaponizing the agent's own privileges, an adversary moves through data access, privilege escalation, and persistence — using the agent as their hands inside the environment," the company said. "Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder."

Heightening Risks for Agentic AI

The Claw Chain flaws are the latest reminder of how the rapid deployment of AI agent platforms is exposing enterprises to new security risks, with organizations increasingly connecting them to sensitive internal systems, cloud environments, software-as-a-service (SaaS) applications, and privileged credentials.

OpenClaw, originally called Clawdbot and later MoltBot, has quickly emerged as a breakout project in the open source AI agent space since its launch last November. The software lets users run AI assistants directly on their own computers to automate workflows, interact with applications, manage information, perform administrative tasks, and carry out multistep actions with minimal human involvement. To deliver that functionality, the platform accesses local files, terminal environments, developer tools, messaging platforms, calendars, APIs, and other connected systems.

Almost since its launch, however, researchers have uncovered vulnerabilities and security issues in the platform that organizations have needed to address on an urgent basis. Some examples include a vulnerability that Oasis Security reported last month that gave attackers a way to use a malicious website to hijack AI agents. Another OpenClaw bug enabled token theft (CVE-2026-25253), and others, such as CVE-2026-24763, CVE-2026-25157, and CVE-2026-25475, have enabled command and prompt injection.

Justin Fier, senior vice president, offensive security, at Darktrace, says organizations are opening the door to attackers by using technologies like OpenClaw without proper security vetting. "These flaws allow an attacker to carry out the bedrock stages of an attack," Fier says. "They allow the attacker to tamper with restricted configurations, establish persistence on a compromised host through the implementation of backdoors, and make other configuration changes."

Because a user might assign trusted permissions to their OpenClaw client, any associated traffic would likely look normal and be hard to detect, he says. "OpenClaw requires very intrusive access to function, including access to the file system, mouse, keyboard, and more," he points out.

In addition, users need to give it access to the services they want it to work with, including financial and even health data. "This is an intrusive tool, and putting too much trust in it is the ultimate risk an organization can take," Fier says. "Stack on some CVEs and exploit chains, and the risk compounds greatly." He also advises that organizations need to establish proper governance and visibility of this type of use and take a least-privilege approach to key services across the business.

About the Author

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year career at Computerworld, Jai also covered a variety of other technology topics, including big data, Hadoop, Internet of Things, e-voting, and data analytics. Prior to Computerworld, Jai covered technology issues for The Economic Times in Bangalore, India.
Jai has a Master's degree in Statistics and lives in Naperville, Ill.

Copyright © 2026 TechTarget, Inc. d/b/a Informa TechTarget.

Security researchers have uncovered four chainable vulnerabilities in the OpenClaw open source framework, dubbed the "Claw Chain," which pose significant threats to OpenClaw deployments. These flaws allow attackers to sequentially exploit weaknesses to gain initial access, steal credentials, escalate privileges, and establish persistent backdoor access on compromised systems. The maintainers of the framework patched these vulnerabilities following notification from the data security firm Cyera. The most severe vulnerability is CVE-2026-44112, which has a CVSS score of 9.6 and originates from a time-of-check/time-of-use race condition (TOCTOU) within OpenClaw's OpenShell sandbox. This flaw permits attackers to modify system configuration files, insert malicious backdoors, and ultimately achieve persistent, system-level control over the host. Other critical vulnerabilities include CVE-2026-44115, a logic flaw allowing access to API keys, tokens, credentials, and other sensitive data, and CVE-2026-44118, a privilege escalation vulnerability tied to improper session validation. Furthermore, CVE-2026-44113, another TOCTOU vulnerability, allows attackers to improperly access system configuration files, API keys, or internal data.

Cyera emphasized that the combined effect of these flaws is more significant than any single vulnerability, noting that an attacker can chain three of these vulnerabilities in parallel from a single entry point. The attack chain can commence when an adversary gains an initial foothold, possibly through a malicious plug-in, a manipulated prompt, or another external data source processed by an AI agent. Once inside the sandbox, attackers can utilize read and command execution flaws to gather credentials and sensitive files. Subsequently, they can leverage the privilege escalation vulnerability to gain administrative control over the agent environment and install backdoors for long-term persistence.

What makes this attack chain particularly insidious is that each step exploits the agent's own legitimate capabilities and privileges, making the malicious activity appear as typical agent behavior to conventional security monitoring tools. This approach of weaponizing the agent's own privileges allows an adversary to travel through data access, privilege escalation, and persistence, effectively using the agent as an extension of their own control within the environment. Consequently, the activity often mimics normal agent operations, significantly broadening the potential blast radius and making detection by traditional controls considerably more challenging.

The presence of these flaws highlights the increased risks associated with the rapid deployment of AI agent platforms, especially as organizations increasingly connect them to sensitive internal systems, cloud environments, and privileged credentials. OpenClaw, which was originally named Clawdbot and later MoltBot, lets users run AI assistants locally to automate workflows, interact with applications, manage information, and perform administrative tasks by accessing local files, terminal environments, APIs, and other connected systems. Expert analysis suggests that organizations adopting technologies like OpenClaw without rigorous security vetting expose themselves to these risks. Justin Fier, senior vice president of offensive security at Darktrace, says these flaws enable attackers to execute the foundational stages of an attack, allowing them to tamper with restricted configurations, establish persistence via backdoors, and modify system settings.

Fier further points out that because tools like OpenClaw require highly intrusive access to the operating system, including access to the file system, mouse, and keyboard, placing excessive trust in them represents a major organizational risk. Stacking multiple CVEs and exploit chains on top compounds this risk substantially. Therefore, security experts recommend that organizations establish robust governance and visibility over the use of such tools, adopting a principle of least privilege for all key services across the business.