Last updated: July 5, 2026 at 9:01 AM UTC
All 557 Vulnerability 199 Breach 106 Threat 245 Defense 7
Tag: openclaw (1 article)Clear

OpenClaw 'Claw Chain': four sandbox-escape and priv-esc flaws on ~180K public AI agent instances (patched 2026.4.22)

Researchers at Cyera have disclosed a chain of four vulnerabilities in OpenClaw, an open-source autonomous AI agent platform that Nvidia and Tencent have built enterprise products on top of. The chain - CVE-2026-44112 (CVSS 9.6), CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118 - lets an attacker who can influence the agent's input (through a malicious plugin, prompt injection, or compromised tool output) break out of the OpenShell sandbox, read environment-stored API keys, elevate to owner-level privileges, and write persistent backdoors. Each step looks like normal agent behavior. Shodan and Zoomeye between them counted 65,000 to 180,000 public OpenClaw instances earlier in May. All flaws are fixed in OpenClaw 2026.4.22.

Check
Inventory OpenClaw, NemoClaw, and ClawPro deployments. Check installed version via --version or /api/version. Search agent logs for unexpected symlink creation or env-var reads inside heredocs.
Affected
All OpenClaw releases prior to version 2026.4.22 (April 23, 2026). Nvidia NemoClaw and Tencent ClawPro builds derived from older OpenClaw cores inherit the same flaws unless rebased.
Fix
Update to OpenClaw 2026.4.22 or later. Until then, scope the OpenShell sandbox to a read-only filesystem, strip secrets from the agent's environment, and route egress through a logging proxy.