Cyera researchers disclose OpenClaw vulnerability chain enabling compromise

Cyera identified four linked vulnerabilities in OpenClaw, dubbed Claw Chain. When combined, they allow an attacker to steal sensitive data, escalate privileges

Source: TNW. Collage: Hamidun News.

Researchers at Cyera have uncovered four interconnected vulnerabilities in OpenClaw, collectively called Claw Chain. When combined, they allow an attacker to steal data, escalate privileges, and install a backdoor for persistent hidden access to a compromised host. The vulnerabilities have already been patched in the latest versions of the product.

How the vulnerability chain works

The four defects affect the OpenShell managed sandbox backend and the MCP loopback runtime, critical components designed to restrict AI agent access to system resources and protect the host operating system from unauthorized interference. OpenClaw is positioned as a secure isolated environment where an agent can perform tasks without risk to the main system. Cyera researchers demonstrated that with the correct sequence of attacks, an attacker can escape the sandbox and gain full control over the host.

The vulnerabilities work together: the first allows bypassing one sandbox-level restriction, the second opens access to privileged operations, the third escalates access rights, and the fourth allows installation of a persistent backdoor. Individually, each vulnerability is less critical, but when combined, they create a complete scenario for full system compromise. This demonstrates the importance of analyzing not only individual defects, but also their interaction.

What an attacker can do

Successful exploitation of the Claw Chain gives an attacker numerous opportunities to cause damage:

  • Theft of sensitive data from both the isolated sandbox environment and the host operating system
  • Privilege escalation from the level of a restricted agent to full system administrator
  • Installation of a persistent backdoor for hidden access without any user involvement
  • Lateral movement across the corporate network through the compromised host to attack neighboring systems

A cybercriminal can use these capabilities not only for short-term data theft, but also for long-term infiltration and monitoring of the target organization. A persistent backdoor is particularly dangerous as it allows returning to the host at any time and hiding traces of the attack. In this scenario, companies may remain unaware of unauthorized access to their infrastructure for a long time.

How it was fixed

Cyera responsibly disclosed the vulnerabilities to OpenClaw developers before public disclosure, giving them sufficient time to develop and test patches. This is standard practice in the industry, known as responsible disclosure. All four defects have already been patched, and the fixes are available in the latest versions of the product. If you are running OpenClaw in a production environment, it is recommended to immediately update to the latest version. The fixes have been tested and are ready for deployment. In parallel, you should check logs for suspicious activity during the period when the system was vulnerable, especially attempts to escape the sandbox or unexpected privilege escalation operations.

What this means

OpenClaw is positioned as a secure isolated environment for running AI agents, but even such carefully designed systems contain vulnerabilities. This is a reminder of a fundamental principle of cybersecurity: isolation is not a panacea, but only one layer of protection. When integrating agents in production, you need multi-layered protection: access control, real-time activity monitoring, prompt application of patches, and regular security code audits.

Hamidun News
AI news without noise. Daily editorial selection from 400+ sources. A product by Zhemal Khamidun, Head of AI at Alpina Digital.