OpenClaw, a self-hosted AI agent runtime which has gained rapid adoption by enterprises, introduces a new type of security exposure for enterprises as dynamically executed content, external skill integrations, and cloud-based authentication mechanisms are convergent without adequate defensive control mechanisms.
The OpenClaw platform is unlike conventional applications that are constructed using fixed execution logic, as it is capable of accepting untrusted inputs, retrieving and executing third-party code modules, and interacting with connected environments with assigned credentials, effectively extending the trust boundary far beyond the application layer itself.
These architectural flexibility and the recently disclosed ClawJacked exploitation technique expose critical weaknesses in authentication handling and token protection within browser-based cloud development environments, according to security researchers.
It has been demonstrated that malicious web content can exploit active developer sessions to extract sensitive access tokens, thereby granting attackers unauthorized access to source repositories, cloud infrastructures, and privileged enterprise resources.
Increasingly, organizations are integrating cloud-native development platforms into their engineering workflows. This disclosure highlights concerns regarding privilege scoping, identity isolation, and other security aspects associated with autonomous AI-powered runtime environments.
A coordinated vulnerability chain, collectively known as the "Claw Chain," was identified by Cyera researchers in response to these concerns, demonstrating how multiple vulnerabilities within OpenClaw can be combined to compromise a system, gain unauthorized access to data, and escalate privileges across affected systems.
In particular, two vulnerabilities have been assigned CVE-2026-44113 and CVE-2026-2026-44112, which contain time-of-check/time-of-use (TOCTOU) race conditions within the OpenShell managed sandbox backend, which could allow attackers to circumvent sandbox enforcement and interact with files outside of the mounted root.
In contrast to the first issue, which permits arbitrary write operations which can lead to configuration changes, backdoor installations, and long-term control over compromised hosts, the second issue provides a pathway for unauthorized disclosure of system artifacts, credentials, and sensitive internal data through unauthorized file disclosure.
Researchers also disclosed CVE-2026-44115, a vulnerability resulting from an incomplete denylist implementation that allows adversaries to conceal shell expansion tokens in heredoc payloads and execute commands that bypass runtime restrictions.
A fourth vulnerability known as CVE-2026-44118 introduces an improper access control condition in which non-owner loopback clients can impersonate privileged users to manipulate gateway configurations, alter scheduled cron operations, and gain greater control of execution environments through unauthorized use of privileged accounts.
These flaws collectively demonstrate the possibility of insufficient isolation, weak privilege boundaries, and inadequate runtime validation mechanisms within modern AI agent infrastructures resulting in a full compromise chain which can sustain stealthy and persistent access despite seemingly isolated weaknesses.
OpenClaw's rapid adoption and permissive architecture have contributed to its rapid transformation from a niche automation framework into a widely deployed AI-driven orchestration environment, further amplifying its security implications.
In late 2025, Austrian engineer Peter Steinberger released a public version of the project that gained wide traction because of its unique capability to provide custom automation capabilities outside of tightly controlled commercial ecosystems.
The OpenClaw assistant does not rely on vendor-defined integrations, but rather allows users to develop, modify, and distribute executable "skills."
The result is a large repository containing thousands of automation scenarios developed by the community without centrally managing, categorizing, or validating their security.
Due to its “self-hackability” design, where configurations, memory stores, and executable logic are maintained using local Markdown-based structures that can be modified by the user, it has attracted both developer interest and growing scrutiny from security researchers concerned about the absence of hardened trust boundaries.
It was discovered that hundreds of OpenClaw administrative interfaces were accessible over the internet and did not require authentication. These concerns escalated.
Investigations revealed that improperly configured reverse proxies could forward external traffic through localhost-trusted channels, causing the platform to mistakenly treat remote requests as privileged local connections.
Security researcher Jamieson O'Reilly demonstrated the severity of the issue by gaining access to sensitive assets such as credentials for Anthropic APIs, Telegram bot tokens, Slack environments, and archived conversations.
Further research revealed that prompt injection attacks could be used to manipulate the agent to perform unintended behavior by embedding malicious instructions in emails, files, or web content processed by the underlying large language model.
One such scenario was demonstrated by Matvey Kukuy's delivery of crafted email payloads which coerced the bot to provide private cryptographic keys from the host environment upon receiving instructions to review inbox contents.
Several independent experiments have demonstrated the system discloses confidential email data, exposes the contents of home directories via automated shell commands, and searches local storage automatically after receiving psychologically manipulative prompts.
In aggregate, these incidents illustrate an industry concern that autonomous AI agents operating with wide filesystem visibility, persistent memory, and delegated execution privileges may be highly susceptible to indirect command manipulation when deployed in a manner that does not adhere to strict authentication controls, runtime isolation, and contextual validation controls.
Despite the fact that there is no publicly verified link to any known advanced persistent threat group linking the exploitation of the OpenClaw vulnerabilities, security analysts note that the operational characteristics of the attack are in line with tradecraft commonly utilized in credential theft, browser hijacking, and adversary-in-the-middle intrusion campaigns.
MITRE ATT&CK framework techniques, including T1185 related to browser session hijacking as well as T1557 related to man-in-the-middle attacks, have been identified as parallel techniques, and both of these techniques are frequently used in targeted attacks against enterprise authentication systems and cloud-based environments.
There has been a growing concern that financially motivated threat actors and state-aligned operators may incorporate the technique into broader intrusion toolsets due to the availability of publicly available proof-of-concept exploit methods and the relatively low complexity required to weaponize these flaws.
It was discovered that all versions of OpenClaw and Clawdbot before version 2026.2.2, including all builds up to version 2026.2.1, have been vulnerable to the vulnerability. Researchers stated that in the updated version, unauthorized WebSocket interactions are restricted and authentication checks are enforced on the exposed /cdp interface, which previously permitted unsafe assumptions regarding local trust.
During the deployment of immediate patches, security teams are advised to monitor for suspicious localhost WebSocket activity, unauthorized browser extension behaviors, and attempts to communicate outbound via ws://127.0.0.1:17892/cdp or infrastructure controlled by known attackers.
When rapid patching is an operational challenge, experts recommend that the OpenClaw browser extension be temporarily disabled, that host-level firewall restrictions be enforced around local WebSocket services, and that browser session telemetry and endpoint indicators of compromise be continuously reviewed to determine if there has been an unauthorized persistence of credentials or credential interception.
OpenClaw's vulnerability chain is a reflection of an overall security reckoning taking place in the rapidly expanding AI agent ecosystem, in which convenience-driven automation is outpacing the maturation of defensive safeguards designed to contain it in a rapidly expanding ecosystem.
There is an increasing tendency for autonomous assistants to gain access to developer environments, authentication tokens, local storage, messaging platforms, and cloud infrastructure, so that the traditional boundaries between trusted execution and untrusted input are being eroded.
Platforms with the ability to self-modify, delegate command execution, and persist contextual memory present significant security risks that are fundamentally different from conventional software, particularly when deployed with excessive privileges and inadequate isolation during runtime.
Despite the fact that OpenClaw's vulnerabilities may be mitigated by patching, access restrictions, and stronger authentication enforcement, the incident emphasizes the larger industry concern that artificial intelligence-driven operational tools may become a high value target for both cybercriminals and advanced intrusion groups in the very near future.
These findings serve as a reminder that, as organizations adopt autonomous AI systems, security architecture, privilege segmentation, and continuous monitoring must no longer be overlooked.
