Claw Chain Vulnerabilities Leave Thousands of OpenClaw AI Agents Exposed to Attacks

Critical ‘Claw Chain’ Vulnerabilities Put Thousands of OpenClaw AI Servers at Risk

Critical Claw Chain vulnerabilities in OpenClaw expose thousands of AI servers to data theft, backdoors, and admin-level attacks globally this week.

A collection of security vulnerabilities in the popular autonomous AI agent OpenClaw has put thousands of servers at risk. Security experts at the firm Cyera recently found four distinct vulnerabilities in the AI agent, which was originally launched under the name Clawdbot in late 2025. Reportedly, hackers can link these flaws together to compromise systems, steal private data, and establish permanent access.

OpenClaw helps businesses automate tasks by connecting smart computer programs directly to internal files, messaging apps like Telegram, and office systems like Microsoft Agent 365. According to researchers, these flaws create a major problem because “AI agents have become a primary execution surface, and the security model around them has not caught up.”

How the Vulnerabilities Work

Collectively, the vulnerabilities are called Claw Chain. As per the findings from researchers at Cyera, who discovered and reported Claw Chain, the issues affect all versions of OpenClaw released before the April 23, 2026, patches.

Within Claw Chain, CVE-2026-44112 is the most dangerous one, having been assigned a critical severity score of 9.6 out of 10. It is a timing error in the OpenShell sandbox system (a restricted security environment that safely isolates running programs). It allows hackers to escape the sandbox's boundaries and install permanent backdoors on the system.


Further probing revealed that this error works hand-in-hand with another high-severity vulnerability, CVE-2026-44113, CVSS 7.7. This second flaw lets hackers swap safe file paths with symbolic links (virtual pointers that direct a system to a file located elsewhere), exposing restricted system files.
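The class of flaw described in the two paragraphs above (a path is validated, then swapped for a symbolic link before it is used) can be shown in a few lines. This is an added illustration, not OpenClaw or OpenShell code and not taken from Cyera's report; the function names, file names and the `window` hook that stands in for the timing gap are all hypothetical.

```python
import os
import tempfile

def read_checked_then_opened(root, rel, window=lambda: None):
    """Check/use gap: validate the path, then reopen it by name."""
    path = os.path.join(root, rel)
    if not os.path.realpath(path).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError("outside sandbox")
    window()  # stands in for the time between the check and the open
    with open(path) as f:  # name is resolved again; a swapped-in symlink is followed
        return f.read()

def read_no_follow(root, rel):
    """Walk each component from an open directory fd, refusing symlinks."""
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        parts = [p for p in rel.split("/") if p not in ("", ".")]
        for i, part in enumerate(parts):
            if part == "..":
                raise PermissionError("parent traversal refused")
            more = os.O_DIRECTORY if i < len(parts) - 1 else 0
            nxt = os.open(part, os.O_RDONLY | os.O_NOFOLLOW | more, dir_fd=fd)
            os.close(fd)
            fd = nxt
        with os.fdopen(fd) as f:
            fd = -1  # ownership passed to the file object
            return f.read()
    finally:
        if fd >= 0:
            os.close(fd)

def demo():
    """Constructed scenario: a sandbox file is replaced by a symlink after the check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "sandbox")
        os.mkdir(root)
        secret, note = os.path.join(tmp, "secret.txt"), os.path.join(root, "note.txt")
        for path, text in ((secret, "outside-data"), (note, "inside-data")):
            with open(path, "w") as f:
                f.write(text)
        def swap():
            os.remove(note)
            os.symlink(secret, note)
        leaked = read_checked_then_opened(root, "note.txt", window=swap)
        try:
            guarded = read_no_follow(root, "note.txt")
        except OSError:
            guarded = "refused"
        return leaked, guarded
```

The hardened reader refuses every symbolic link under the root, including ones placed there on purpose, which is the usual trade-off for closing the gap between check and use.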

The remaining two vulnerabilities are also ranked at a high severity level and target identity and data collection. One of them, CVE-2026-44115, has a severity score of 8.8 and leaks secret internal settings, API keys, and password tokens because of a gap in how commands are checked before they run.


The fourth one, CVE-2026-44118, has a severity score of 7.8 and allows a local process to bypass identity checks by manipulating a validation flag (a digital marker used by systems to verify permissions) called senderIsOwner, letting hackers trick the program into giving them owner-level control (admin access).

By combining these, cybercriminals can make the AI agents work against their owners by using them as “their hands inside the environment,” researchers noted, which makes the attack undetectable because the malicious actions look exactly like normal computer tasks.

Fixing the Issues

The threat is widespread, given that in May 2026, research showed between 65,000 and 180,000 OpenClaw servers connected to the public internet. While no specific threat actors have been blamed for using these vulnerabilities yet, companies using the software for customer service or IT support face the highest risk, including banks and healthcare firms that handle private data.

Fortunately, OpenClaw creators already fixed the issues with patches released on April 23, 2026. Experts noted that businesses should update immediately and change all their passwords and keys right away, as hackers may have already copied them.

Expert’s Insights

In a comment shared with Hackread.com, Justin Fier, Senior Vice President of Offensive Security at Darktrace, noted that tools like OpenClaw are risky even without specific vulnerabilities because they have broad access to filesystems and command lines. Fier warned that if an attacker manages to compromise an agent, it serves as “the perfect initial access point, and then the perfect tool to move throughout a network.”

This level of control poses a dual threat to both individuals and corporations. “For personal users, this is a privacy nightmare,” Fier explained, noting that users often grant broad access to financial data, health data, and private files. However, “the enterprise risk begins when that same personal agent touches work systems, work credentials, or a business device. Then the question becomes: is the real target the organization, or the personal end user as a means of getting into that organization?”

The core challenge comes down to tracking identity on the network. Fier stated that “identity is everything in this new world of agents. If an organization cannot tell the difference between a human and an agent, it has a serious problem.”

He concluded that to a security operations centre, an agent may look like a legitimate human user, meaning defenders must know “whether it was the person, the agent acting on that person’s behalf, or an attacker abusing the agent,” and cautioned that “organizations need a strong IAM foundation before they give agentic tools broad access.”

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.