Threat Intel

Evidence-backed findings, controls, and timeline signals for agent security work.

OpenClaw security guide

Entries: 22 · Findings: 15 · Controls: 7


finding · vulnerability · OpenClaw · critical

Claw Chain: four chainable vulnerabilities in OpenClaw enable sandbox escape and privilege escalation

May 15, 2026

Cyera Research disclosed four chainable OpenClaw vulnerabilities affecting versions before the April 23, 2026 patches. The chain could let an attacker escape OpenShell sandbox constraints, exfiltrate secrets, escalate agent-runtime control, and persist.

finding · vulnerability · OpenClaw · high

MCP database server back-end validation flaws expose SQL and metadata paths

May 12, 2026

Akamai research describes three database MCP server failures: SQL injection in Apache Doris MCP, SQL-capable unauthenticated paths in Apache Pinot MCP, and unauthenticated metadata exposure in Alibaba RDS MCP.

finding · vulnerability · OpenClaw · high

TanStack npm supply-chain campaign targets AI developer tooling

May 12, 2026

International Cyber Digest reports that the TanStack npm compromise expanded into a reported "Mini" Shai-Hulud campaign targeting AI developer tooling across npm and PyPI, including OpenSearch, Mistral AI, Guardrails AI, UiPath, and Squawk packages.

control · hardening · OpenClaw

Explicit conversation scoping for agent memory

May 8, 2026

Agent memory should be bound to explicit conversation, tenant, user, task, or workspace identifiers rather than inferred implicitly from ambient runtime state. Spring AI 1.1.6 provides fresh implementation evidence for this hardening pattern by requiring explicit conversation IDs for chat memory advisors.

finding · incident · OpenClaw · high

Canvas/Instructure incident shows SaaS vendor compromise becoming downstream extortion pressure

May 7, 2026

In May 2026, Instructure disclosed unauthorized access affecting part of its Canvas environment. Public reporting linked the disruption to defaced Canvas login pages and an extortion message attributed to ShinyHunters during final-exam periods.

finding · vulnerability · OpenClaw · high

Semantic Kernel prompt injection flaws show agent tool calls can become host execution

May 7, 2026

Microsoft Defender Security Research disclosed two fixed Semantic Kernel flaws where prompt injection could influence trusted tool parameters, reaching Python command execution in one path and unintended host file writes in another.

finding · vulnerability · OpenClaw · high

MCP STDIO command execution and tool-integrity risks affect agent infrastructure

May 4, 2026

Cloud Security Alliance summarizes MCP risks where STDIO configuration can become OS command execution, while tool poisoning, rug-pull changes, cross-server tool shadowing, and unauthenticated exposure widen agent infrastructure risk.

control · hardening · OpenClaw

Careful adoption controls for agentic AI services

May 1, 2026

Joint U.S., U.K., Canadian, Australian, and New Zealand guidance warns that agentic AI systems add risk when they plan, use tools and memory, access data, or act across workflows. Treat OpenClaw-style agents as privileged software identities.

finding · vulnerability · OpenClaw · high

AI coding agent runtimes concentrate credential exposure risk

Apr 30, 2026

Recent reports show a recurring AI coding-agent risk: attackers target the runtime's credentials, filesystem access, service identities, and policy gaps through setup commands, repository content, collaboration metadata, or over-broad cloud permissions.

finding · vulnerability · OpenClaw · medium

Vercel AI SDK ToolLoopAgent skipped runtime call option schema validation

Apr 27, 2026

A Vercel AI SDK pull request fixed a ToolLoopAgent gap where `callOptionsSchema` was documented for caller-supplied options but not enforced at runtime, allowing invalid options to reach instruction or tool-call preparation paths.

finding · vulnerability · OpenClaw · high

GitHub workflow AI agents can leak credentials through comment-and-control prompt injection

Apr 15, 2026

Aonan Guan's "Comment and Control" write-up shows how attacker-controlled GitHub titles, issues, and comments can become prompt-injection channels for hosted coding agents with workflow credentials.

control · sandboxing · OpenClaw

Action gates and runtime guards for OpenClaw

Mar 11, 2026

Several community and vendor defenses converge on the same principle: treat agent execution as the security boundary, and require runtime guardrails or explicit approval before high-risk actions complete.

control · hardening · OpenClaw · preventive

OpenClaw gateway security baseline

Mar 11, 2026

Use the OpenClaw gateway security documentation as the baseline control set for local-only deployment, token-based auth, narrow DM scope, and reduced tool access.

control · scanner · OpenClaw · preventive

ClawSec Scanner

Mar 10, 2026

ClawSec Scanner is a defensive control that combines dependency scanning, CVE enrichment, static analysis, and OpenClaw-specific dynamic testing into a single workflow.

control · scanner · OpenClaw · preventive

ClawSec Suite

Mar 2, 2026

ClawSec Suite is a defensive monitoring and integrity package for OpenClaw. It focuses on advisory feed monitoring, affected-skill checking, signature verification, and approval-gated handling of malicious-skill scenarios.

finding · incident · OpenClaw · critical

Malicious DeepSeek-Claw OpenClaw skill delivers Remcos RAT and GhostLoader stealer via supply chain attack

Mar 1, 2026

A threat actor published a malicious "DeepSeek-Claw" skill to the OpenClaw skill ecosystem on GitHub, exploiting developer trust in the skill marketplace to deliver Remcos RAT and GhostLoader stealer malware. The attack targeted developers and AI-driven systems using OpenClaw, leveraging supply chain poisoning of the skill publishing workflow.

finding · exposure · OpenClaw · critical

ClawJacked local API exposure can enable remote abuse and code execution

Feb 19, 2026

Oasis Security documented OpenClaw local agent API abuse via cross-origin WebSocket exploitation, allowing a website to silently control a developer's AI agent when localhost trust, rate-limit exemptions, and auto-approved device pairing are exposed.

finding · malicious-skill · OpenClaw · critical

ClawHavoc campaign: 335 malicious OpenClaw skills distribute Atomic macOS Stealer via ClawHub

Feb 17, 2026

ClawHavoc distributed 335 malicious OpenClaw skills through ClawHub, disguising AMOS delivery as wallet, Polymarket, and YouTube utilities. Reported delivery used base64 shell scripts or password-protected ZIPs, with C2 at `91.92.242.30`.

finding · vulnerability · OpenClaw · critical

Endor Labs identified a cluster of exploitable OpenClaw vulnerabilities

Feb 10, 2026

Endor Labs reported that its AI SAST workflow identified seven exploitable vulnerabilities in OpenClaw and later published technical detail focused on six disclosed issues validated through exploit development and live testing.

control · hardening · OpenClaw

OpenClaw security engineer cheat sheet

Feb 10, 2026

Semgrep’s cheat sheet is a practical operator-oriented control reference covering first principles, attack surface, detection, sandboxing, skill risk, and safer experimentation patterns for OpenClaw.

finding · exposure · OpenClaw · critical

Large numbers of OpenClaw instances were reported exposed to the public internet

Feb 9, 2026

A February 2026 report summarized SecurityScorecard research describing more than 40,000 publicly exposed OpenClaw instances and a large subset considered vulnerable or exploitable through remote-code-execution paths.

finding · incident · OpenClaw · high

OpenClaw can unintentionally fuse and publish sensitive internal data across connected systems

Feb 2, 2026

The risk is not only direct exploitation. OpenClaw can act as an integrator across multiple connected systems and combine internal data in ways the operator did not anticipate. If publication or outbound messaging is also available, that can turn ordinary retrieval into a disclosure event.
