OpenClaw, a self-hosted AI agent runtime that has gained rapid enterprise adoption, introduces a new class of security exposure: dynamically executed content, external skill integrations, and cloud-based authentication mechanisms converge without adequate defensive controls.
Unlike conventional applications built on fixed execution logic, OpenClaw accepts untrusted input, retrieves and executes third-party code modules, and interacts with connected environments using assigned credentials, which extends the trust boundary far beyond the application layer itself.
This architectural flexibility, together with the recently disclosed ClawJacked exploitation technique, exposes critical weaknesses in authentication handling and token protection within browser-based cloud development environments, according to security researchers.
Researchers have demonstrated that malicious web content can abuse an active developer session to extract sensitive access tokens, granting an attacker unauthorized access to source repositories, cloud infrastructure, and privileged enterprise resources.
As organizations increasingly integrate cloud-native development platforms into their engineering workflows, the disclosure raises concerns about privilege scoping, identity isolation, and other security properties of autonomous AI-powered runtime environments.
Against this backdrop, Cyera researchers identified a coordinated vulnerability chain, collectively known as the “Claw Chain,” demonstrating how multiple vulnerabilities within OpenClaw can be combined to compromise a system, gain unauthorized access to data, and escalate privileges across affected hosts.
Two of the vulnerabilities, CVE-2026-44113 and CVE-2026-44112, are time-of-check/time-of-use (TOCTOU) race conditions in the OpenShell managed sandbox backend that could allow an attacker to circumvent sandbox enforcement and interact with files outside the mounted root.
The first issue permits arbitrary write operations, which can lead to configuration changes, backdoor installation, and long-term control of compromised hosts; the second provides a pathway for unauthorized file disclosure, exposing system artifacts, credentials, and sensitive internal data.
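To make the TOCTOU class concrete, the following is an added example and not OpenShell or OpenClaw code: a generic sandbox file open that validates a path by name and then opens it by name, next to a hardened variant that opens each path component relative to the previous directory descriptor with O_NOFOLLOW so there is no check-then-use gap to race. The `race_hook` parameter, the file names and the directory layout are all constructed for the demonstration and say nothing about how the real sandbox backend is implemented.

```python
import errno
import os
import tempfile

# Added example, not OpenClaw/OpenShell code. `race_hook` stands in for an
# attacker who controls the sandbox tree and acts between check and use.


def naive_sandbox_open(root: str, relpath: str, race_hook=None) -> int:
    """Vulnerable: validates the path by name, then opens it by name."""
    full = os.path.join(root, relpath)
    resolved = os.path.realpath(full)          # time of check
    if resolved != root and not resolved.startswith(root + os.sep):
        raise PermissionError("path escapes sandbox root")
    if race_hook is not None:                  # attacker swaps the file here
        race_hook(full)
    return os.open(full, os.O_RDONLY)          # time of use: follows symlinks


def strict_sandbox_open(root: str, relpath: str, race_hook=None) -> int:
    """Hardened: rejects '..' up front and opens every component relative to
    the previous directory fd with O_NOFOLLOW, so a symlink inserted at any
    point is refused by the kernel (ELOOP) instead of being followed."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if relpath.startswith("/") or ".." in parts or not parts:
        raise PermissionError("invalid relative path")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for i, part in enumerate(parts):
            last = i == len(parts) - 1
            flags = os.O_RDONLY | os.O_NOFOLLOW | (0 if last else os.O_DIRECTORY)
            if race_hook is not None and last:
                race_hook(os.path.join(root, *parts))
            nfd = os.open(part, flags, dir_fd=fd)
            os.close(fd)
            fd = nfd
    except BaseException:
        os.close(fd)
        raise
    return fd


def demo() -> dict:
    """Constructed scenario: notes.txt inside the root is replaced by a
    symlink to secret.txt outside the root between check and use."""
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.realpath(os.path.join(tmp, "root"))
        os.mkdir(root)
        secret = os.path.join(os.path.realpath(tmp), "secret.txt")
        target = os.path.join(root, "notes.txt")
        with open(secret, "w") as f:
            f.write("outside-the-root")

        def reset():
            if os.path.lexists(target):
                os.remove(target)
            with open(target, "w") as f:
                f.write("inside-the-root")

        def swap(path):                        # the attacker's move
            os.remove(path)
            os.symlink(secret, path)

        results = {}
        reset()
        fd = naive_sandbox_open(root, "notes.txt", race_hook=swap)
        results["naive_raced"] = os.read(fd, 64).decode()
        os.close(fd)

        reset()
        fd = strict_sandbox_open(root, "notes.txt")
        results["strict_clean"] = os.read(fd, 64).decode()
        os.close(fd)

        reset()
        try:
            strict_sandbox_open(root, "notes.txt", race_hook=swap)
            results["strict_raced"] = "followed symlink"
        except OSError as e:
            results["strict_raced"] = "refused (ELOOP)" if e.errno == errno.ELOOP else f"errno {e.errno}"

        try:
            strict_sandbox_open(root, "../secret.txt")
            results["dotdot"] = "allowed"
        except PermissionError:
            results["dotdot"] = "rejected"
        return results


if __name__ == "__main__":
    print(demo())
```

The naive version reads the file outside the root even though its own check passed, because the check and the open are two separate name lookups. The strict version never validates a name it then re-resolves; the kernel refuses the symlink at the moment of the open. On Linux 5.6 and later the same property is available in one call through openat2 with RESOLVE_BENEATH, which is the primitive a sandbox backend should prefer where it can use it.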
Researchers also disclosed CVE-2026-44115, which stems from an incomplete denylist implementation: an adversary can conceal shell expansion tokens inside heredoc payloads and thereby execute commands that bypass runtime restrictions.
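The following added example, which is not OpenClaw's filter, shows the general shape of this bypass class: a command filter that skips heredoc bodies as "just data" next to one that only skips bodies whose delimiter was quoted, since an unquoted heredoc body still undergoes `$(...)`, backtick and `$VAR` expansion when the shell runs it. The token list, the line-oriented parser and the sample scripts are constructed for illustration and do not describe the actual denylist in the product.

```python
import re

# Added example, not OpenClaw code. Demonstrates why skipping heredoc bodies
# in a denylist is unsafe unless the delimiter was quoted.

# Tokens that trigger command substitution or parameter expansion.
EXPANSION_TOKENS = re.compile(r"\$\(|`|\$\{|\$[A-Za-z_]")

# Heredoc operator: <<TAG (expanding), <<'TAG' / <<"TAG" / <<\TAG (literal).
HEREDOC_OPEN = re.compile(
    r"<<-?\s*(?:(?P<q>['\"])(?P<qtag>\w+)(?P=q)|\\(?P<btag>\w+)|(?P<tag>\w+))"
)


def segment(script: str) -> list:
    """Split a script into (text, kind) with kind in {'code',
    'body-expanding', 'body-literal'}. Line-oriented; a real tokenizer is
    needed for heredocs inside quoted strings or several heredocs per line."""
    lines = script.splitlines()
    segments, i = [], 0
    while i < len(lines):
        line = lines[i]
        segments.append((line, "code"))
        i += 1
        m = HEREDOC_OPEN.search(line)
        if not m:
            continue
        tag = m.group("qtag") or m.group("btag") or m.group("tag")
        kind = "body-expanding" if m.group("tag") else "body-literal"
        strip_tabs = m.group(0).startswith("<<-")   # <<- ignores leading tabs
        body = []
        while i < len(lines):
            cand = lines[i].lstrip("\t") if strip_tabs else lines[i]
            if cand == tag:
                break
            body.append(lines[i])
            i += 1
        i += 1                                       # skip the terminator line
        segments.append(("\n".join(body), kind))
    return segments


def naive_allows(script: str) -> bool:
    """Vulnerable: every heredoc body is treated as inert data."""
    return not any(EXPANSION_TOKENS.search(t) for t, k in segment(script) if k == "code")


def strict_allows(script: str) -> bool:
    """Only a quoted-delimiter body is inert; expanding bodies are scanned."""
    return not any(EXPANSION_TOKENS.search(t) for t, k in segment(script) if k != "body-literal")


# Constructed sample scripts.
PAYLOAD_PLAIN = "echo $(id)\n"
PAYLOAD_BYPASS = "cat <<EOF > /tmp/out\nreport for $(id)\nEOF\n"
PAYLOAD_LITERAL = "cat <<'EOF' > /tmp/out\nreport for $(id)\nEOF\n"
PAYLOAD_DASH = "cat <<-EOF\n\tuptime: `uptime`\n\tEOF\n"

if __name__ == "__main__":
    for name, s in [("plain", PAYLOAD_PLAIN), ("bypass", PAYLOAD_BYPASS),
                    ("literal", PAYLOAD_LITERAL), ("dash", PAYLOAD_DASH)]:
        print(f"{name:8} naive={naive_allows(s)} strict={strict_allows(s)}")
```

The naive filter lets `PAYLOAD_BYPASS` and `PAYLOAD_DASH` through even though the shell will run `id` and `uptime` when it expands the body; the stricter filter passes only the quoted-delimiter form. Even the stricter version is still a denylist and will miss what its regex does not anticipate, so the durable control is to confine what the executed shell can reach rather than to pattern-match its input.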
A fourth vulnerability, CVE-2026-44118, is an improper access control condition in which non-owner loopback clients can impersonate privileged users to manipulate gateway configuration, alter scheduled cron operations, and gain greater control of execution environments through unauthorized use of privileged accounts.
Taken together, these flaws show how insufficient isolation, weak privilege boundaries, and inadequate runtime validation in modern AI agent infrastructure can combine into a full compromise chain, one that sustains stealthy, persistent access even though each weakness appears isolated on its own.
OpenClaw’s rapid adoption and permissive architecture have
This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents