‘Claw Chain’ OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery

Four vulnerabilities in the OpenClaw AI assistant could be chained together to plant backdoors on the underlying host, cybersecurity firm Cyera warns.

The bugs, collectively referred to as Claw Chain, allow an attacker with code execution privileges inside the sandbox to control the agent runtime and abuse it to compromise the system.

According to Cyera, the attacker can rely on prompt injections, malicious plugins, and compromised external input to trigger the attack chain and turn the AI into their own assistant.

After gaining code execution within the OpenShell sandbox, the attacker can exploit a race condition (CVE-2026-44113) to read files outside the mount root, or an exec allowlist analysis bug (CVE-2026-44115) to execute unapproved commands at runtime.

Successful exploitation of these issues, Cyera notes, allows the attacker to bypass sandbox restrictions and leak credentials, API keys, tokens, configuration files, and other sensitive data.

Next, the attacker can exploit an MCP loopback flaw (CVE-2026-44118) to manipulate the unverified ownership flag and elevate their privileges to owner-level. The attacker gains access to critical management capabilities, including configuration and orchestration of execution.

Finally, the attacker can exploit the fourth vulnerability, a critical-severity race condition in the OpenShell sandbox (CVE-2026-44112, CVSS score of 9.6), to write data outside the sandbox boundary. It allows the attacker to modify configurations, plant backdoors, and gain persistent control of the host.

“By weaponizing the agent’s own privileges, an adversary moves through data access, privilege escalation, and persistence – using the agent as their hands inside the environment. Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder,” Cyera says.

The cybersecurity firm says there are over 60,000 publicly accessible OpenClaw instances, noting that the agents typically have broad access to internal systems, sensitive data, and secrets.

Attackers successfully chaining the Claw Chain bugs could compromise environment variables, tokens, authentication material, internal configurations, system credentials, source code, user prompts and outputs, conversation history, and privileged operations.

“Importantly, this chain doesn’t rely on a single critical exploit like arbitrary command execution. Instead, it demonstrates how multiple smaller weaknesses (data leakage, race conditions, and improper access control) can be exploited in parallel from a single foothold to achieve a full compromise scenario,” Cyera notes.

All four vulnerabilities were reported to OpenClaw’s maintainers on April 22, and patches were rolled out the next day.
