
OpenClaw sandbox escapes and privilege escalation: what teams should do


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 1681
Topic starter  

TL;DR: Cyera Research identified four chainable vulnerabilities in OpenClaw that can expose secrets, escalate privileges, and enable persistence through agent-mediated entry paths such as prompt injection and malicious plugins, with a highest CVSS of 9.6 and about 65,000 to 180,000 public instances cited. The security model for autonomous agents now has to treat the runtime itself as privileged infrastructure, not just another integration layer.

NHIMG editorial — based on content published by Cyera: Claw Chain, Cyera Research's analysis of four chainable vulnerabilities in OpenClaw

By the numbers:

Questions worth separating out

Q: How should security teams reduce risk when AI agents can access secrets and execute commands?

A: Security teams should limit each agent to the smallest possible execution scope, then separate read, write, and scheduling permissions so one foothold cannot become persistence.

Q: Why do AI agent runtimes create more governance risk than ordinary service accounts?

A: AI agent runtimes can combine decision-making, tool use, and secret access in one execution path, so a single trust failure can cause data exposure and operational change.

Q: What breaks when sandbox validation does not match actual execution in agent systems?

A: When validation and execution diverge, attackers can exploit race conditions, shell expansion, or client-trusted flags to cross boundaries the system thought were protected.

Practitioner guidance

  • Patch exposed agent runtimes first: Apply the vendor's fixed versions, then inventory any internet-facing deployments and put them behind authentication or network controls before deeper tuning.
  • Rotate secrets reachable by the agent: Assume environment variables, bearer tokens, API keys, and credentials accessible to the runtime are compromised and rotate them immediately.
  • Treat agent access like privileged identity: Map every data source, command path, and scheduling or configuration capability the agent can reach, then reduce scope aggressively.

That is why NHI and IAM teams should collapse AI agent governance into their existing privileged identity model, supported by the OWASP Non-Human Identity Top 10.

👉 Read Cyera's research on chainable OpenClaw vulnerabilities and AI agent risk →

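The validation-versus-execution gap described in the Q&A above, as an added example that is not from the post or from Cyera's research: a naive sandbox path check (string prefix plus a caller-supplied "already sandboxed" flag) beside one that resolves paths the way the kernel will and refuses shell metacharacters. The directory layout, case names and the `sandboxed` flag are constructed for the demonstration.

```python
import os
import tempfile

SHELL_META = set("$`*?|;&<>\n")  # characters a shell would reinterpret after validation

def naive_check(args, root, client_flags):
    """Validation as a weak sandbox sees it: a string-prefix test on the raw
    argument, plus trust in a flag the caller supplied. Nothing here sees what
    the kernel ('..', symlinks) or a shell (expansion) will do with the string."""
    if client_flags.get("sandboxed"):          # client-trusted flag (constructed)
        return True
    for a in args[1:]:
        if a.startswith("/") and not a.startswith(root + os.sep):
            return False
    return True

def hardened_check(args, root):
    """Validation that matches execution: ignore caller claims, resolve each
    absolute path argument the way the kernel will, compare real directory
    trees, and reject shell metacharacters (the argv must then be executed as
    a list, never joined into a string and handed to a shell)."""
    real_root = os.path.realpath(root)
    for a in args[1:]:
        if SHELL_META & set(a):
            return False
        if a.startswith("/"):
            real = os.path.realpath(a)
            if os.path.commonpath([real_root, real]) != real_root:
                return False
    return True

def demo():
    """Constructed layout: <base>/sandbox/data/ is the allowed tree,
    <base>/outside/secret.txt is out of scope, and <base>/sandbox/escape is a
    symlink pointing at <base>/outside. Returns {case: (naive, hardened)}."""
    base = tempfile.mkdtemp()
    root, outside = os.path.join(base, "sandbox"), os.path.join(base, "outside")
    os.makedirs(os.path.join(root, "data"))
    os.makedirs(outside)
    open(os.path.join(outside, "secret.txt"), "w").close()
    os.symlink(outside, os.path.join(root, "escape"))
    cases = {
        "legit":     (["cat", os.path.join(root, "data", "ok.txt")], {}),
        "dotdot":    (["cat", os.path.join(root, "data", "..", "..", "outside", "secret.txt")], {}),
        "symlink":   (["cat", os.path.join(root, "escape", "secret.txt")], {}),
        "expansion": (["cat", os.path.join(root, "data", "$HOME.txt")], {}),
        "flag":      (["cat", "/etc/passwd"], {"sandboxed": True}),
    }
    return {n: (naive_check(a, root, f), hardened_check(a, root)) for n, (a, f) in cases.items()}
```

Every case except `legit` passes the naive check and fails the hardened one, which is the divergence the Q&A warns about.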



(@mr-nhi)
Member Moderator
Joined: 3 weeks ago
Posts: 207
 

Agent runtimes are becoming privileged identities, not just application components. Once an AI agent can read files, call tools, and act on behalf of connected systems, it inherits the governance burden of a service account plus the execution risk of a code runner. That combination creates a broader blast radius than traditional app integrations because the identity and the action surface are fused. Practitioners should govern the agent runtime as a high-risk non-human identity.

A few things that frame the scale:

  • The average estimated time to remediate a leaked secret is 27 days, despite 75% of organisations expressing strong confidence in their secrets management capabilities, according to The State of Secrets in AppSec.
  • Only 44% of developers are reported to follow security best practices for secrets management, exposing a significant developer behaviour gap.

A question worth separating out:

Q: What should teams do in the first 24 to 72 hours after discovering a compromised AI agent runtime?

A: Contain the instance, disable external access, rotate all reachable secrets, and review whether any scheduling, configuration, or file-write paths were abused. Then hunt for adjacent instances using the same plugin chain or access pattern. The first response objective is to stop the agent from continuing to act as an attacker-controlled identity.

👉 Read our full editorial: OpenClaw chainable flaws expose the agent runtime as an attack surface


