Four chainable OpenClaw CVEs let attackers break the agent's own sandbox


In May 2026, Cyera Research disclosed "Claw Chain," a set of four chainable vulnerabilities in OpenClaw, one of the most widely deployed open-source AI agent platforms. CVE-2026-44112 (CVSS 9.6) is a time-of-check / time-of-use race in the OpenShell managed sandbox that lets attacker writes escape the intended mount root. CVE-2026-44113 (CVSS 7.7) lets reads escape it. CVE-2026-44115 (CVSS 8.8) leaks API keys and tokens through insufficient command validation. CVE-2026-44118 (CVSS 7.8) blindly trusts a client-controlled ownership flag, allowing a local process with a valid bearer token to escalate to owner-level. Chained, the four bugs go from initial foothold to data theft to persistent backdoor inside the agent's own sandbox. Roughly 65,000 to 180,000 OpenClaw instances were publicly reachable at disclosure. All four were patched in 2026.4.22.

Incident Details

Severity: Catastrophic
Company: OpenClaw
Perpetrator: AI agent framework
Incident Date:
Blast Radius: Up to ~180,000 publicly reachable OpenClaw instances exposed before patching; chainable CVEs covering sandbox escape (read and write), API key and token leakage, and owner-level privilege escalation; affected deployments needing urgent upgrade to 2026.4.22 and credential rotation.

The agent's own sandbox is the attack surface

OpenClaw is one of the more aggressively adopted open-source AI agent platforms in 2026. Operators run it as the core orchestration layer for autonomous agents that can read files, execute code in a managed sandbox, call tools, and talk to other agents. The Vibe Graveyard catalog already includes several OpenClaw incidents: tens of thousands of instances exposed on the public internet without authentication, a malicious-skills malware campaign abusing the plugin system, infostealer activity targeting OpenClaw configurations, and an agent-driven hit piece against an open-source maintainer. The Claw Chain disclosure is a different shape of failure: not a misconfiguration story, but a set of bugs in OpenClaw's own sandbox, identity, and execution-validation code.

Cyera Research disclosed the four vulnerabilities in mid-May 2026. The Hacker News, SecurityWeek, Cyber Security News, and The Next Web all covered the chain when it landed. The findings were reported privately to OpenClaw maintainers in April and patched in OpenClaw 2026.4.22 before the public write-up. Instances that had not upgraded by the time the advisories went live were exposed to a full read/write/escalate/persist chain that the platform's own security model was supposed to prevent.

What each CVE does

CVE-2026-44112 - sandbox write escape via TOCTOU (CVSS 9.6, Critical)

The headline bug. The OpenShell managed sandbox uses a check-then-act pattern when handling writes inside the agent's working directory: it validates that a path is inside the intended mount root, then performs the write. Between the check and the write, an attacker can swap the path target so that the write lands outside the mount root. That is the textbook time-of-check / time-of-use race, applied to the boundary that is supposed to keep the agent's code from touching the host filesystem.

In an agent platform, "writes outside the sandbox" is not a theoretical concern. It is the primary mechanism by which a misbehaving or compromised agent gets persistence on the host: dropping a file into a startup directory, modifying a binary the host runs on schedule, or replacing a configuration the orchestration layer reads at boot.

CVE-2026-44113 - sandbox read escape via TOCTOU (CVSS 7.7, High)

The read companion to 44112. Same race condition pattern, applied to file reads. An attacker can cause the sandbox to read files outside the mount root, picking up host secrets, configuration, or anything else the OpenClaw process has access to. On its own this is a serious information-disclosure bug. Chained with the other CVEs, it is the reconnaissance step that tells the attacker where to plant the persistence payload from CVE-2026-44112.
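As an added, defensive illustration (not OpenClaw's code; the page does not show how OpenShell resolves paths), this is the pattern that closes the check-then-act window described for both CVE-2026-44112 (writes) and CVE-2026-44113 (reads): never validate a path string and then reuse it, but open each component relative to a directory descriptor with O_NOFOLLOW so the check and the access are one syscall. It assumes a POSIX filesystem; the function names and the temporary mount root are constructed for the example.

```python
import os
import tempfile

class SandboxPathError(Exception):
    """Raised when a path cannot be proven to stay inside the mount root."""

def open_in_root(root_fd: int, relpath: str, flags: int, mode: int = 0o600) -> int:
    """Open relpath under root_fd with check and use in the same syscall:
    each component is opened relative to the previous directory fd with
    O_NOFOLLOW, so a symlink swapped in after validation fails with ELOOP
    instead of redirecting the access outside the root."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if relpath.startswith("/") or not parts or ".." in parts:
        raise SandboxPathError(f"rejected path {relpath!r}")
    fd = os.dup(root_fd)  # caller keeps ownership of root_fd
    try:
        for d in parts[:-1]:
            nfd = os.open(d, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=fd)
    except OSError as e:
        raise SandboxPathError(f"refusing {relpath!r}: {e.strerror}") from e
    finally:
        os.close(fd)

def demo() -> dict:
    """Constructed: a mount root with a benign subdir and a symlink pointing outside it."""
    outside, root = tempfile.mkdtemp(), tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "work"))
    os.symlink(outside, os.path.join(root, "escape"))  # the kind of target a TOCTOU swap installs
    root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    results = {}
    try:
        os.close(open_in_root(root_fd, "work/notes.txt", os.O_WRONLY | os.O_CREAT))
        results["write_inside"] = os.path.exists(os.path.join(root, "work", "notes.txt"))
        attempts = {"escape/dropped.txt": os.O_WRONLY | os.O_CREAT,  # write via symlinked dir
                    "escape/secret.txt": os.O_RDONLY,                # read via symlinked dir
                    "../dropped.txt": os.O_WRONLY | os.O_CREAT,
                    "/abs/dropped.txt": os.O_WRONLY | os.O_CREAT}
        for bad, flags in attempts.items():
            try:
                open_in_root(root_fd, bad, flags)
                results[bad] = "allowed"
            except SandboxPathError:
                results[bad] = "blocked"
        results["outside_untouched"] = os.listdir(outside) == []
    finally:
        os.close(root_fd)
    return results
```

Kernels with openat2(2) and RESOLVE_BENEATH achieve the same guarantee in a single call; the component walk above is the portable equivalent.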

CVE-2026-44115 - API keys and tokens leak through insufficient command validation (CVSS 8.8)

The third bug lives in the command-validation layer. When the agent invokes shell commands, OpenClaw's validator was meant to prevent dangerous arguments from reaching the executor. Cyera found that the validator could be bypassed in ways that caused sensitive internal settings, including API keys and password tokens, to be returned in the command output. The vulnerability is not in the model. The vulnerability is that the system surrounding the model treats certain inputs as safe when they are not.

This is the bug that makes Claw Chain a credential-theft story rather than just a host-compromise story. An attacker who can drive the validator into the wrong path can extract the credentials that OpenClaw uses to reach external services, cloud APIs, and downstream agents. Once those credentials are out, the blast radius is no longer scoped to the host running the agent.

CVE-2026-44118 - blind trust of senderIsOwner flag (CVSS 7.8, High)

The fourth bug is in OpenClaw's identity model. The platform tracks a client-controlled flag called senderIsOwner, which is used to determine whether the caller has owner-level privileges over the agent. The implementation trusts the flag without cross-referencing it against the authenticated session. A local process with a valid bearer token can therefore claim owner status by setting the flag to true, even if the underlying authenticated identity is not actually the owner.

In agent platforms, owner-level access typically means the ability to reconfigure tools, redirect outputs, change the agent's behavior, and pull data from prior sessions. This is the privilege-escalation rung of the chain.
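An added illustration, not OpenClaw's code, of the difference between deciding ownership from a client-asserted senderIsOwner field and deriving it from the authenticated session. The token store, the Principal type and the function names are constructed for the example; the only identifier taken from the page is the senderIsOwner flag.

```python
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    user_id: str
    is_owner: bool  # authoritative ownership, set server-side at session creation

def _key(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()

# Constructed sample credentials and session store (hashed token -> principal).
OWNER_TOKEN = secrets.token_urlsafe(32)
WORKER_TOKEN = secrets.token_urlsafe(32)
SESSIONS = {_key(OWNER_TOKEN): Principal("alice", is_owner=True),
            _key(WORKER_TOKEN): Principal("local-worker", is_owner=False)}

def authenticate(headers: dict) -> Optional[Principal]:
    """Resolve a bearer token to the principal the server issued it to."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    return SESSIONS.get(_key(auth[len("Bearer "):]))

def owner_action_allowed_vulnerable(headers: dict, body: dict) -> bool:
    """The shape of the flaw: any authenticated caller who asserts
    senderIsOwner=true in the request body is treated as the owner."""
    return authenticate(headers) is not None and bool(body.get("senderIsOwner"))

def owner_action_allowed_fixed(headers: dict, body: dict) -> bool:
    """Ownership comes from the authenticated session only. The client flag
    is not consulted for the decision; a mismatch is logged as a tampering signal."""
    p = authenticate(headers)
    if p is None:
        return False
    if bool(body.get("senderIsOwner", p.is_owner)) != p.is_owner:
        print(f"audit: {p.user_id} asserted senderIsOwner={body['senderIsOwner']}")
    return p.is_owner

def demo() -> dict:
    worker = {"Authorization": f"Bearer {WORKER_TOKEN}"}
    owner = {"Authorization": f"Bearer {OWNER_TOKEN}"}
    claim = {"senderIsOwner": True}
    return {"vuln_worker_claims_owner": owner_action_allowed_vulnerable(worker, claim),
            "fixed_worker_claims_owner": owner_action_allowed_fixed(worker, claim),
            "fixed_real_owner": owner_action_allowed_fixed(owner, {"senderIsOwner": False}),
            "fixed_no_token": owner_action_allowed_fixed({}, claim)}
```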

The chain

Cyera's writeup makes the chain explicit:

  • Use CVE-2026-44113 to read configuration and credentials from outside the sandbox. This identifies the platform's secrets and gives the attacker the bearer token they need for the next step.
  • Use CVE-2026-44115 to extract API keys and tokens through the agent's own command interface, expanding the credential surface and confirming what the attacker collected.
  • Use CVE-2026-44118 to escalate the attacker's local process to owner-level inside OpenClaw, opening the door to configuration changes and broader tool access.
  • Use CVE-2026-44112 to write attacker-controlled files outside the sandbox, planting persistence in startup paths or replacing binaries the orchestrator will execute later.

At the end of the chain, the attacker has read access to internal data, the platform's external credentials, owner-level control over the agent, and a persistent host-level foothold. SecurityWeek and TNW both highlighted that the chain is repeatable across OpenClaw deployments because the bugs sit in core components rather than in optional plugins or third-party extensions.

Exposure surface at disclosure

Cyber Security News reported approximately 245,000 publicly reachable OpenClaw instances at the time of disclosure. The Hacker News and Cyera's own writeup used the narrower figures: roughly 65,000 from Shodan and around 180,000 from Zoomeye. The discrepancy reflects how each scanner counts: some include instances behind proxies and load balancers that are nominally exposed but not directly addressable, while others restrict to direct hits on the OpenClaw default ports.

Either way, the exposed population at disclosure was in the high tens of thousands at minimum and the low hundreds of thousands at the upper bound. That is the population of OpenClaw instances that needed to upgrade to 2026.4.22 and rotate any credentials accessible to the platform on the day the public writeup landed. Earlier OpenClaw incidents covered on Vibe Graveyard - including the 135,000-instance public-exposure pattern from earlier in 2026 - suggest that a meaningful fraction of those instances are operated by people who are not actively reading agent-platform security advisories. The patch is available; whether it gets applied across the install base is a slower process.

Why this fits the Vibe Graveyard scope

This is the distinction Vibe Graveyard makes explicit in the content scope: a vulnerability in human-written code that happens to live inside AI-related software is not automatically an AI failure. SQL injection in an AI framework's admin panel is a normal SQL injection. The Claw Chain bugs are different because the failure surface is the AI agent's own execution environment. The OpenShell sandbox exists specifically to contain the actions of an autonomous agent; CVE-2026-44112 and 44113 punch holes in that containment. The command-validation layer exists specifically to keep model-driven tool calls from leaking credentials; CVE-2026-44115 bypasses it. The identity flag exists specifically to mediate owner-level agent operations; CVE-2026-44118 lets the wrong caller claim it.

Each of those four components is part of the architecture an AI agent platform has to get right in order to safely run autonomous code on someone else's behalf. When all four are broken at the same time, in ways that chain, the result is the exact failure mode the platform was supposed to prevent. That is an AI-system failure, not a generic CVE story.

The graveyard lesson

Two patterns are worth holding onto from this disclosure.

First, the most dangerous bugs in agent platforms are going to live in the bridges between the model and the host, not in the model itself. The sandbox boundary, the credential vault, the identity layer, and the validator around tool calls are the load-bearing pieces. When any one of them fails, prompt-injection-grade attacker access becomes a serious risk; when several fail in concert, the whole platform's safety story collapses.

Second, the exposure surface for agent platforms is enormous and largely unmanaged. Tens of thousands of OpenClaw instances were directly reachable from the public internet when Cyera disclosed. That is not unusual for the category; it is closer to the norm. Agent platforms get spun up as fast as the rest of the AI tooling stack and patched far more slowly. The Claw Chain CVEs were patched within roughly a month of private disclosure, which is a fast turn for an open-source maintainer team. The next question is whether the install base catches up before someone runs the chain at scale.
