Cyera Research has disclosed four chained security vulnerabilities in OpenClaw, a widely deployed AI agent platform, that together enable an attacker to escape sandboxes, steal credentials, bypass input validation, and seize persistent control over compromised hosts. The vulnerability chain, named Claw Chain, affects an estimated 245,000 publicly exposed OpenClaw servers — a number drawn from Shodan (~65,000) and ZoomEye (~180,000) scans conducted before the public disclosure.

All four CVEs are addressed in OpenClaw version 2026.4.22. Organizations that haven’t patched have a large and actively scanned attack surface.

The Four CVEs

Claw Chain is four vulnerabilities that, individually, range from moderate to critical. Chained in sequence, they constitute full compromise.

CVE-2026-44112 — A time-of-check/time-of-use (TOCTOU) race condition in the OpenShell managed sandbox backend. An attacker who wins the race can redirect writes outside the intended mount root, escaping the sandbox and tampering with files on the underlying host. This is the entry point for planting backdoors and modifying configuration.

CVE-2026-44113 — A second TOCTOU race condition in OpenShell, this time affecting read operations. By winning the race on a file read, an attacker can pull files from outside the sandbox’s mount root — reaching system files, credentials, and internal artifacts that the sandbox was designed to isolate.

CVE-2026-44115 — An incomplete allowlist validation flaw. OpenClaw’s allowlist is designed to restrict which inputs are accepted, but the validation logic fails to account for shell expansion tokens embedded in here documents. An attacker can construct a payload that passes validation while executing arbitrary shell expansion on the backend, bypassing the allowlist entirely.

CVE-2026-44118 — OpenClaw trusts a client-controlled ownership flag called senderIsOwner without validating it against the authenticated session. An attacker can set this flag to claim ownership they don’t have, enabling unauthorized administrative operations. ARMO tracks this specifically as CVE-2026-32922 and rates it critical for cloud security teams, as it allows privilege escalation without any prior foothold in the target system.
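The two TOCTOU flaws above (CVE-2026-44112 and CVE-2026-44113) belong to the class where a path is validated and then opened by name in a separate step. The following is an added example, not OpenClaw's code or its patch, of the general defensive pattern on POSIX systems: walk the path one component at a time relative to a directory file descriptor with `O_NOFOLLOW`, so that validation and use happen on the same object. The helper names and the temporary directory layout are constructed for illustration.

```python
import os
import tempfile
from pathlib import Path

DIR_FLAGS = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW

def open_beneath(root_fd, rel_path, flags=os.O_RDONLY):
    """Open rel_path under root_fd with no gap between check and use."""
    # Each component is opened relative to the previous directory fd with
    # O_NOFOLLOW, so a symlink swapped in mid-walk fails instead of being followed.
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if rel_path.startswith("/") or ".." in parts or not parts:
        raise PermissionError(f"path rejected: {rel_path!r}")
    dir_fd = os.dup(root_fd)
    try:
        for name in parts[:-1]:
            next_fd = os.open(name, DIR_FLAGS, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = next_fd
        return os.open(parts[-1], flags | os.O_NOFOLLOW, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def is_blocked(root_fd, rel_path):
    """True if open_beneath refuses rel_path (symlink, '..', absolute path)."""
    try:
        os.close(open_beneath(root_fd, rel_path))
        return False
    except OSError:
        return True

def demo():
    """Constructed layout: one real file plus symlinks that point outside the root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "mount")
        os.makedirs(os.path.join(root, "work"))
        Path(tmp, "host_secret").write_text("outside")
        Path(root, "work", "note.txt").write_text("inside")
        os.symlink(os.path.join(tmp, "host_secret"), os.path.join(root, "work", "link"))
        os.symlink(tmp, os.path.join(root, "up"))
        root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
        try:
            with os.fdopen(open_beneath(root_fd, "work/note.txt")) as f:
                data = f.read()
            paths = ("work/link", "up/host_secret", "../host_secret", "/etc/hostname")
            return data, [is_blocked(root_fd, p) for p in paths]
        finally:
            os.close(root_fd)
```

On Linux 5.6 and later, the `openat2()` system call with `RESOLVE_BENEATH` enforces the same containment in the kernel in a single call.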

The Attack Chain

Cyera’s research outlines a realistic exploit sequence:

  1. Foothold via CVE-2026-44118 — Claim false ownership using the senderIsOwner flag to gain elevated access without credentials
  2. Credential exfiltration via CVE-2026-44113 — Read outside the sandbox to extract system credentials and internal configuration
  3. Sandbox escape via CVE-2026-44112 — Race the TOCTOU window to write files outside the mount root, placing a backdoor on the host
  4. Allowlist bypass via CVE-2026-44115 — Use shell expansion tokens in a here document to execute arbitrary commands through input that passes validation

The result is persistent, credentialed access to the host — with a backdoor in place and the attacker holding credentials that may provide lateral movement opportunities across the broader environment.

The Exposure Scale

The 245,000-server estimate is striking, and it reflects how quickly OpenClaw has scaled as AI agent infrastructure. Many of these deployments are cloud-hosted, internet-accessible, and running with default or permissive configurations. The Shodan and ZoomEye scans were conducted before the Cyera disclosure, meaning the public attack surface number has been known to researchers — and potentially to threat actors — for some time.

AI agent platforms are high-value targets. They often have broad access to internal APIs, credentials, knowledge bases, and production systems by design. A compromised OpenClaw server isn’t just a compromised server — it’s potentially a pivot point into everything the AI agent was authorized to touch.

What CVE-2026-32922 Means for Cloud Teams

The senderIsOwner flaw identified as CVE-2026-32922 deserves special attention for organizations running OpenClaw in cloud environments. Unlike the TOCTOU flaws, which require timing precision and active exploitation, this vulnerability is straightforward: modify a field in the request, claim ownership, escalate. ARMO’s writeup specifically flags it for cloud security teams because the privilege escalation path doesn’t require a prior foothold — an external attacker can trigger it directly against an exposed API endpoint.

Patch and Remediation

The fix is straightforward: update to OpenClaw 2026.4.22, which addresses all four CVEs. Cyera coordinated disclosure with the OpenClaw maintainers before publishing.

For teams that cannot immediately patch:

  • Restrict public exposure of OpenClaw API endpoints via network controls or WAF rules
  • Audit senderIsOwner flag handling in request logs for anomalous ownership claims
  • Review sandbox file access logs for reads or writes outside expected mount roots
  • Treat OpenClaw processes with the same credential isolation as other privileged service accounts
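One way to run the senderIsOwner audit from the list above, as an added example rather than OpenClaw tooling: compare every ownership claim in the request log with the authenticated session and with server-side ownership records. The JSON-lines log schema (`session_user`, `agent_id`, `action`), the `OWNERS` table and the sample entries are assumptions constructed for illustration; only the `senderIsOwner` field name comes from the disclosure.

```python
import json

# Constructed sample request log (JSON lines). Field names other than
# senderIsOwner are assumptions, not OpenClaw's real log schema.
SAMPLE_LOG = """\
{"ts":"2026-04-20T10:00:01Z","session_user":"alice","agent_id":"agent-1","senderIsOwner":true,"action":"config.update"}
{"ts":"2026-04-20T10:00:07Z","session_user":"bob","agent_id":"agent-1","senderIsOwner":true,"action":"config.update"}
{"ts":"2026-04-20T10:00:09Z","session_user":null,"agent_id":"agent-2","senderIsOwner":true,"action":"token.create"}
{"ts":"2026-04-20T10:00:12Z","session_user":"bob","agent_id":"agent-2","senderIsOwner":false,"action":"chat.send"}
{"ts":"2026-04-20T10:00:15Z","session_user":"bob","agent_id":"agent-2","senderIsOwner":"true","action":"config.update"}
not-json garbage line
"""

# Assumed authoritative ownership records held server-side (hypothetical).
OWNERS = {"agent-1": "alice", "agent-2": "carol"}

def audit_owner_claims(log_text, owners):
    """Return (line_no, reason) for each ownership claim the session does not back."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            findings.append((line_no, "unparseable line"))
            continue
        if not isinstance(rec, dict) or "senderIsOwner" not in rec:
            continue
        claim = rec["senderIsOwner"]
        if claim is False:
            continue  # no ownership claimed, nothing to verify
        user = rec.get("session_user")
        agent = rec.get("agent_id")
        owner = owners.get(agent)
        if claim is not True:
            findings.append((line_no, "non-boolean senderIsOwner"))
        elif user is None:
            findings.append((line_no, "owner claim without authenticated session"))
        elif owner is None:
            findings.append((line_no, "owner claim on unknown agent"))
        elif user != owner:
            findings.append((line_no, f"{user} claimed ownership of {agent} (owner: {owner})"))
    return findings
```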

The GitHub repository jgamblin/OpenClawCVEs is tracking these CVEs and will be updated as additional details emerge.

