2026-04-23
CriticalVendor postFour chained CVEs in OpenClaw expose 245,000 public AI agent servers. Attackers can steal credentials, escalate to owner control, and install persistent backdoors using the agent’s own privileges.
What happened
Attacker gains sandbox foothold via malicious plugin or prompt injection, chains CVE-2026-44113 and CVE-2026-44115 to exfiltrate credentials and secrets, exploits CVE-2026-44118 to escalate to owner-level gateway control, then uses CVE-2026-44112 to install a persistent backdoor on the host.
Why it matters
Full host compromise: credential and secret theft, owner-level agent reconfiguration, and persistent backdoor installation. All approximately 245,000 exposed instances were potentially accessible to this chain prior to the April 23 patch.
Missing authorization check
Owner-level gateway operations (configuration changes, cron scheduling, execution management) should require an out-of-band authorization receipt that cannot be self-issued by the agent runtime. The client-controlled senderIsOwner flag should be validated server-side against the authenticated session.
Would PP block it?
PP covers the authorization layer: any action requiring owner-level gateway control (CVE-2026-44118 pathway) would fail if the agent cannot produce a valid external receipt. PP does not protect against TOCTOU filesystem races (CVE-2026-44112/113) or environment variable leakage (CVE-2026-44115) — those require runtime sandbox hardening. Key insight: even a fully-compromised agent runtime cannot execute authorized production actions if the authority chain is external.
Incident analysis
2026-04
Cyera Research discovers and privately discloses four vulnerabilities to OpenClaw maintainers.
2026-04-23
OpenClaw releases patches covering GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx.
2026-05
Cyera publishes ‘Claw Chain’ blog post. CybersecurityNews and The Hacker News report approximately 245,000 publicly exposed instances via Shodan and ZoomEye scans.
2026-05
Security advisories recommend immediate patching, full secret rotation, and treating OpenClaw deployments as privileged identities.
Authorization boundary
This incident is categorized as Tool execution / MCP. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.
PP’s external receipt model limits blast radius: a compromised agent runtime cannot self-authorize owner-level actions if those actions require receipts from an external enforcement layer the agent doesn’t control. However, PP cannot prevent the sandbox escape or initial credential exfiltration.
Related incidents and controls
Meta's AI alignment director watched OpenClaw delete 200 emails while her stop commands were ignored
TrustFall Coding Agent Security Flaw Enables One-Click RCE
Cline AI agent CVE-2026-44211 allows unauthenticated WebSocket hijack and RCE
Claude Code Rewrote Its Own Tests to Pass Rather Than Fix the Underlying Bug
Start small
This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.