OpenClaw Vulnerabilities Reflect That AI Agents Operate with High Privilege

OpenClaw is a rapidly adopted open-source platform for running autonomous AI agents in everyday workflows. It emerged in late 2025, launched as “Clawdbot”, and has since evolved into the OpenClaw ecosystem.

Defining OpenClaw

OpenClaw was designed to connect LLMs directly to filesystems, SaaS applications, credentials, shells and automation workflows. It has since become a symbol of how AI adoption outpaced enterprise security controls.

Key details on vulnerabilities:

CVE-2026-44112  – TOCTOU Filesystem Write Escape CRITICAL · 9.6 

A time-of-check / time-of-use race condition in the OpenShell sandbox lets attackers redirect writes outside the sandbox boundary – enabling configuration tampering, backdoor placement, and persistent control of the host. The agent’s automated write behavior amplifies impact at runtime.

CVE-2026-44115  – Execution Allowlist Env-Vars Disclosure HIGH · 8.8 

A gap between OpenClaw’s command validation and shell execution allows environment variables – including API keys, tokens, and credentials – to be expanded inside unquoted heredocs, returning sensitive data through commands that appear safe at validation time.
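The validation-versus-execution gap described above, as an added example (not OpenClaw's code): a command that looks harmless to a static check expands $API_KEY when sh runs it inside an unquoted heredoc, while a quoted delimiter keeps the body literal. The `heredoc_leaks` checker, the constructed API_KEY value and the demo commands are assumptions for this illustration; running it requires a POSIX sh.

```python
import re
import subprocess

# Constructed secret for the demo; not a real credential.
DEMO_ENV = {"PATH": "/usr/bin:/bin", "API_KEY": "CONSTRUCTED-SECRET-123"}

def run_sh(command: str) -> str:
    """Run a command line through sh with only the constructed environment visible."""
    out = subprocess.run(["sh", "-c", command], env=DEMO_ENV,
                         capture_output=True, text=True, check=True)
    return out.stdout

# Both commands contain the same bytes "$API_KEY"; only the delimiter quoting differs.
UNQUOTED_HEREDOC = "cat <<EOF\nkey=$API_KEY\nEOF\n"
QUOTED_HEREDOC = "cat <<'EOF'\nkey=$API_KEY\nEOF\n"

# Detection: a heredoc whose delimiter is unquoted (<<EOF, <<-EOF) undergoes
# parameter expansion, so any $NAME in its body may disclose a secret.
_HEREDOC = re.compile(r"<<-?\s*(?P<delim>'[^']*'|\"[^\"]*\"|\\?\w+)")
_PARAM = re.compile(r"\$(\{?\w+\}?|\()")

def heredoc_leaks(command: str) -> bool:
    """True if the command has an unquoted heredoc body that references a parameter.
    Conservative: an escaped \\$ inside the body is also flagged."""
    for m in _HEREDOC.finditer(command):
        delim = m.group("delim")
        if delim[0] in "'\"\\":
            continue  # quoted or escaped delimiter: body is taken literally
        rest = command[m.end():]
        body = rest[rest.find("\n") + 1:] if "\n" in rest else ""
        end = ("\n" + body).find("\n" + delim + "\n")
        body = body if end < 0 else ("\n" + body)[:end]
        if _PARAM.search(body):
            return True
    return False
```

A validator that only inspects the command word (here `cat`) passes both forms; the body has to be checked with the shell's quoting rules in mind.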

CVE-2026-44118  – MCP Loopback Privilege Escalation HIGH · 7.8 

OpenClaw trusts a client-controlled ownership flag (senderIsOwner) without validating it against the authenticated session. A locally executing process with a valid bearer token can elevate itself to owner-level privileges and gain control over gateway configuration, cron scheduling, and execution environment management.
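An added illustration of the trust boundary described above, not OpenClaw's actual gateway code: the session table, token values and `Request` shape are constructed. The vulnerable check believes the client's senderIsOwner field; the hardened check derives ownership from the session the bearer token authenticates and treats a contradicting client flag as a signal worth logging.

```python
import hmac
import logging
from dataclasses import dataclass, field

log = logging.getLogger("gateway")

# Constructed session table: bearer token -> (principal, is_owner). Not OpenClaw's data model.
SESSIONS = {
    "tok-owner-constructed": ("alice", True),
    "tok-local-constructed": ("local-helper", False),
}

@dataclass
class Request:
    bearer: str
    body: dict = field(default_factory=dict)

def authenticate(bearer: str):
    """Constant-time token lookup; returns (principal, is_owner) or None."""
    for token, session in SESSIONS.items():
        if hmac.compare_digest(token, bearer):
            return session
    return None

def is_owner_vulnerable(req: Request) -> bool:
    """Pattern behind CVE-2026-44118: any authenticated caller can claim ownership."""
    if authenticate(req.bearer) is None:
        return False
    return bool(req.body.get("senderIsOwner", False))

def is_owner_hardened(req: Request) -> bool:
    """Ownership comes from the authenticated session; the client flag is only a detection signal."""
    session = authenticate(req.bearer)
    if session is None:
        return False
    principal, owner = session
    claimed = req.body.get("senderIsOwner")
    if claimed is not None and bool(claimed) != owner:
        log.warning("senderIsOwner=%r from %s contradicts session owner=%r", claimed, principal, owner)
    return owner

def update_cron(req: Request, owner_check) -> str:
    """Owner-only operation (cron scheduling) gated by the chosen check."""
    return "updated" if owner_check(req) else "forbidden"
```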

CVE-2026-44113  – TOCTOU Filesystem Read Escape HIGH · 7.7 

The same race-condition pattern in read operations lets attackers swap a validated file path with a symbolic link pointing outside the allowed mount root – exposing system files, credentials, and internal artifacts the agent was never meant to reach.
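An added example (not OpenClaw's or OpenShell's code) covering the read and write escapes in CVE-2026-44113 and CVE-2026-44112: the check-then-open pattern resolves the name twice, leaving a window in which the file can be swapped for a symlink, while the hardened version opens first and verifies the inode it actually received. The file layout is constructed; the /proc/self/fd check is Linux-specific, and the same open-then-verify pattern applies to writes with O_WRONLY.

```python
import os
import stat
import tempfile

def read_in_root_vulnerable(root: str, rel: str) -> bytes:
    """Check-then-use: validates the name, then re-resolves the same name on open.
    A swap between the two lookups is the CVE-2026-44113 pattern."""
    root = os.path.realpath(root)
    target = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError(rel)
    with open(target, "rb") as f:  # second, independent path lookup
        return f.read()

def read_in_root_hardened(root: str, rel: str) -> bytes:
    """Open first, then verify the object that was actually opened.
    O_NOFOLLOW rejects a symlink as the final component; /proc/self/fd reveals where
    the opened inode really lives, so a swapped intermediate directory is caught too."""
    root = os.path.realpath(root)
    fd = os.open(os.path.join(root, rel), os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC)
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):
            raise PermissionError(rel)
        actual = os.readlink(f"/proc/self/fd/{fd}")  # Linux-specific
        if os.path.commonpath([root, actual]) != root:
            raise PermissionError(rel)
        with os.fdopen(fd, "rb") as f:
            fd = -1  # fdopen now owns the descriptor
            return f.read()
    finally:
        if fd != -1:
            os.close(fd)

def build_demo() -> str:
    """Constructed layout: a sandbox root, an outside secret, and two escape routes."""
    base = tempfile.mkdtemp()
    root, outside = os.path.join(base, "root"), os.path.join(base, "outside")
    os.mkdir(root)
    os.mkdir(outside)
    with open(os.path.join(root, "inside.txt"), "wb") as f:
        f.write(b"inside")
    with open(os.path.join(outside, "secret.txt"), "wb") as f:
        f.write(b"secret")
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "link"))  # file symlink
    os.symlink(outside, os.path.join(root, "sub"))  # directory symlink
    return root
```

The hardened function rejects `sub/secret.txt` even though O_NOFOLLOW alone would let it through, because the verdict is based on the descriptor rather than on the name.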

The vulnerabilities uncovered in OpenClaw are not just implementation flaws. They are symptoms of a broader shift where AI agents operate with high privilege but without the mature security boundaries traditionally enforced in enterprise systems.

Understanding these vulnerabilities is essential not only for OpenClaw users, but for anyone building or deploying agentic AI systems.

The vulnerabilities identified in OpenClaw by Cyera researchers reveal a fundamental breakdown across three critical security pillars:

  • Isolation 
  • Identity 
  • Execution control 

Impact of OpenClaw Vulnerabilities:

Through TOCTOU filesystem flaws, attackers can bypass sandbox boundaries to read and write arbitrary files.

Through improper access control in the MCP loopback layer, they can escalate privileges and gain owner-level control.

Through gaps in execution validation, they can extract sensitive data such as credentials, tokens, and configuration directly from the runtime environment.

While each vulnerability is impactful on its own, the true risk emerges when they are combined into a composable attack chain, letting an attacker move from initial influence over an agent to data access, privilege escalation, persistence, and finally full control of the runtime environment.

OpenClaw agents typically operate with broad access to internal systems, credentials, and SaaS data – often with weaker governance than the systems they connect to. With ~65,000 (Shodan) and ~180,000 (ZoomEye) publicly accessible OpenClaw instances as of May 2026, this exposure surface is immediate and broad.

What an attacker can steal

From the agent runtime

  • Environment variables (API keys, tokens, secrets)
  • Bearer tokens and authentication material
  • Internal configuration and runtime artifacts

From the host filesystem and connected systems

  • Sensitive files reachable outside the sandbox
  • System credentials and configuration files
  • Internal source code and documentation
  • Data accessible via connected SaaS / enterprise systems
  • User prompts, outputs, and conversation history
  • Privileged operations (scheduling, gateway, execution)

Cyera researchers identified and privately reported multiple vulnerabilities in OpenClaw, including sandbox escape conditions, privilege escalation, and execution allowlist bypasses, through GitHub Security Advisories and coordinated disclosure channels.

Deployments most exposed to these vulnerabilities include:

  • Enterprises using OpenClaw for IT support, business workflow automation, or customer-service agents.
  • Development teams integrating OpenClaw with messaging platforms (Telegram, Discord, Slack), enterprise systems, or agentic tooling like Microsoft Agent 365.
  • Organizations in regulated industries – financial services, healthcare, legal – where agent prompts and outputs may include PII, PHI, or privileged data.
  • Any deployment where OpenClaw is exposed to the public internet without authentication or network controls in front of it.

How Intrucept can help

Defending against OpenClaw-class vulnerabilities requires a platform that can detect anomalous access patterns and data movement.

RakshaOne gives security analysts and SOC managers a clear view across the organization, helping them fully understand the extent and context of an attack. It also simplifies workflows by automatically handling alerts, allowing for faster detection of both known and unknown threats.

Identify the latest threats without having to purchase, implement, and oversee several solutions, or find, hire, and manage a team of security analysts.

Unify the latest threat intelligence and security technologies to prioritize the threats that pose the greatest risk to your company.

Here are some features we offer:

  • Over 400 third-party and cloud integrations.
  • More than 1,100 preconfigured correlation rules.
  • Ready-to-use threat analytics, threat intelligence service feeds, and prioritization based on risk.
  • Prebuilt playbooks and automated response capabilities.
