thehackernews.com web signal

Cyera exposes OpenClaw CVE chain hitting 245K AI servers

agents cybersecurity ai-security agentic-ai vulnerability

Key insights

  • Four chained CVEs in OpenClaw allow full host takeover starting from a single malicious plugin or prompt injection entry point.
  • CVE-2026-44112, scored CVSS 9.6, is a sandbox TOCTOU race condition that enables persistent backdoor placement and config tampering.
  • Cyera identified roughly 245,000 publicly reachable OpenClaw instances via Shodan and ZoomEye scans at time of disclosure.

Why this matters

AI agent frameworks like OpenClaw are increasingly embedded in enterprise production systems, meaning vulnerabilities in their plugin and sandbox layers carry supply-chain-level blast radius across every application built on top of them. The TOCTOU race condition at the core of this chain is a class of flaw that static security scanning routinely misses, which means similar vulnerabilities almost certainly exist undisclosed in other agent frameworks today. With 245,000 public instances as a concrete exposure count, the AI agent security market now has a numbered attack surface that converts theoretical risk into measurable liability for security teams and insurers alike.

Summary

Cyera researchers disclosed four chained vulnerabilities in OpenClaw, a widely deployed open-source AI agent framework. All four were patched in version 2026.4.22 after responsible disclosure in April 2026. Shodan and ZoomEye scans found roughly 245,000 publicly reachable instances, which are at risk wherever they remain unpatched. The attack chain begins from a single foothold -- a malicious plugin or a prompt injection -- and escalates to full host control. The anchor flaw, CVE-2026-44112 (CVSS 9.6), is a sandbox TOCTOU race condition that enables config tampering and persistent backdoor placement when chained with three lower-severity flaws.

Essentially: Cyera (researcher) and OpenClaw maintainers navigated a high-severity coordinated disclosure with 245,000 exposed servers in the crosshairs.

  • CVE-2026-44112 (CVSS 9.6): sandbox race condition enabling persistent backdoor placement and config tampering.
  • Full chain allows privilege escalation, credential and file exfiltration, and persistent host control from one entry point.
  • All four CVEs are patched in OpenClaw 2026.4.22.

AI agent frameworks are now production infrastructure at scale, and their plugin and prompt-injection attack surfaces remain largely unaudited by the security community.

Potential risks and opportunities

Risks

  • Organizations running unpatched OpenClaw instances face credential exfiltration and persistent host compromise if threat actors begin mass-scanning for CVE-2026-44112 before patch adoption reaches critical mass in the next 30 to 60 days
  • OpenClaw maintainers and enterprise vendors who bundled the framework in managed products face potential liability exposure if pre-patch exploitation is confirmed, given the documented April 2026 responsible disclosure timeline
  • Other AI agent framework vendors face accelerated regulatory and customer pressure to establish formal CVE programs and sandbox security audits within the next 60 to 90 days, raising compliance costs across the ecosystem

Opportunities

  • AI runtime security vendors (Protect AI, Robust Intelligence, Pillar Security) can use this disclosure to accelerate enterprise sales cycles around agent sandbox monitoring and plugin integrity verification
  • Cybersecurity firms with established AI red-team practices (NCC Group, Trail of Bits) can launch framework vulnerability assessment services targeting the TOCTOU and plugin-chain attack class now validated at scale
  • Cloud providers hosting OpenClaw workloads (AWS, Azure, GCP) have an opening to differentiate managed AI infrastructure offerings with automated patch enforcement and workload isolation specifically marketed to agent framework operators

What we don't know yet

  • Whether other major AI agent frameworks (LangChain, AutoGPT, CrewAI) have been audited for the same class of TOCTOU sandbox flaws following this disclosure
  • No threat actor has been publicly named as actively exploiting the Claw Chain in the wild as of May 2026, leaving observed exploitation status unconfirmed
  • Patch adoption rate across the 245,000 exposed instances has not been reported by Cyera or OpenClaw maintainers, so actual residual exposure remains unquantified