Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Dark Reading

'Claw Chain' Vulnerabilities Threaten OpenClaw Deployments

The "Claw Chain" vulnerabilities are four chained flaws in the OpenClaw AI agent framework that allow attackers to gain initial access via a malicious plugin or prompt, steal credentials, escalate privileges, and establish persistent backdoor access. The most severe is CVE-2026-44112 (CVSS 9.6), a TOCTOU race condition in the OpenShell sandbox. All versions prior to 2026.4.22 are affected, and the fix requires upgrading to version 2026.4.22.

The now patched vulnerabilities in the rapidly growing AI agent framework allow attackers to steal credentials, escalate privileges, and maintain persistence.

Jai Vijayan, Contributing Writer
May 18, 2026

Security researchers have uncovered four new vulnerabilities in the OpenClaw open source framework that attackers can chain to gain initial access, steal credentials, escalate privileges, and establish persistent backdoor access on compromised systems.

The maintainers of the framework, which is for deploying autonomous AI agents, have patched all four vulnerabilities after data security firm Cyera reported them last month. The flaws, which Cyera dubbed "Claw Chain," affect all OpenClaw versions available prior to April 23, 2026 (2026.4.22).

Four Chainable OpenClaw Vulnerabilities

The most severe of the flaws, CVE-2026-44112, has a CVSS score of 9.6 and stems from a time-of-check/time-of-use (TOCTOU) race condition in OpenClaw's OpenShell sandbox. The vulnerability gives attackers a way to modify system configuration files, drop malicious backdoors, and ultimately achieve persistent, system-level control over the host. The next most severe is CVE-2026-44115 (CVSS: 8.8), a logic flaw that attackers can exploit to access API keys, tokens, credentials, and other sensitive data.
The other two vulnerabilities are CVE-2026-44118 (CVSS: 7.8), a privilege escalation vulnerability tied to improper session validation, and CVE-2026-44113 (CVSS: 7.8), another TOCTOU vulnerability that allows attackers to improperly access system configuration files, API keys, credentials, or other internal data.

"The four vulnerabilities are individually meaningful, but their combined effect is the more important story," Cyera said in a recent report. "From a single supply-chain-style foothold, an attacker can chain three of them in parallel from one entry point."

The security vendor described the attack chain as potentially beginning with an adversary gaining an initial foothold through a malicious plug-in, a manipulated prompt, or another external data source that an AI agent might typically process. Once inside the sandbox, an attacker could use the read and command execution flaws to collect credentials and sensitive files. They could then use those credentials to exploit the privilege escalation vulnerability, gain administrative control over the agent environment, and plant backdoors for persistent long-term access, according to Cyera.

What makes this attack chain particularly difficult to detect is that each step exploits the agent's own legitimate capabilities and privileges, making the activity look like typical agent behavior to conventional security monitoring tools, Cyera noted.

"By weaponizing the agent's own privileges, an adversary moves through data access, privilege escalation, and persistence — using the agent as their hands inside the environment," the company said. "Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder."

Heightening Risks for Agentic AI

The Claw Chain flaws are the latest reminder of how the rapid deployment of AI agent platforms is exposing enterprises to new security risks as organizations increasingly connect them to sensitive internal systems, cloud environments, software-as-a-service (SaaS) applications, and privileged credentials.

OpenClaw, originally called Clawdbot and later MoltBot, has quickly emerged as a breakout project in the open source AI agent space since its launch last November. The software lets users run AI assistants directly on their own computers to automate workflows, interact with applications, manage information, perform administrative tasks, and carry out multistep actions with minimal human involvement. To deliver that functionality, the platform accesses local files, terminal environments, developer tools, messaging platforms, calendars, APIs, and other connected systems.

Almost since its launch, however, researchers have uncovered vulnerabilities and security issues in the platform that organizations have needed to address on an urgent basis. Examples include a vulnerability that Oasis Security reported last month that gave attackers a way to use a malicious website to hijack AI agents. Another OpenClaw bug enabled token theft (CVE-2026-25253), and others, such as CVE-2026-24763, CVE-2026-25157, and CVE-2026-25475, have enabled command and prompt injection.

Justin Fier, senior vice president, offensive security, at Darktrace, says organizations are opening the door to attackers by using technologies like OpenClaw without proper security vetting.

"These flaws allow an attacker to carry out the bedrock stages of an attack," Fier says. "They allow the attacker to tamper with restricted configurations, establish persistence on a compromised host through the implementation of backdoors, and make other configuration changes."

Because a user might assign trusted permissions to their OpenClaw client, any associated traffic would likely look normal and be hard to detect, he says. "OpenClaw requires very intrusive access to function, including access to the file system, mouse, keyboard, and more," he points out. In addition, users need to give it access to the services they want it to work with, including financial and even health data.

"This is an intrusive tool, and putting too much trust in it is the ultimate risk an organization can take," Fier says. "Stack on some CVEs and exploit chains, and the risk compounds greatly." He also advises that organizations need to establish proper governance and visibility of this type of use and take a least-privilege approach to key services across the business.
