The OpenClaw crisis is the most complete case study of agentic AI security failure. Here’s the full timeline and technical breakdown.

OpenClaw, the open source AI agent platform with 346K+ GitHub stars, had four chainable CVEs disclosed on May 15. But that was just the latest chapter. The crisis started in January and it's worse than most people realize.

The numbers

  • 245,000 instances exposed to the public internet (Shodan + ZoomEye scans)
  • 30,000+ actively compromised and used by attackers (Flare)
  • 1,184 malicious marketplace skills across 12 publisher accounts (Antiy Labs)
  • 12% of the entire ClawHub marketplace was compromised
  • 4 chainable CVEs including a CVSS 9.6 sandbox write escape (Cyera Research)
  • 9 CVEs disclosed in a 4-day window in March
  • 50,000+ instances exploitable via one-click RCE (CVE-2026-25253)

The Claw Chain (Cyera Research, May 15)

Four CVEs that chain together into a complete kill chain:

  1. CVE-2026-44113 (CVSS 7.7) - TOCTOU filesystem read escape. Race condition lets you swap paths with symlinks to read outside the sandbox
  2. CVE-2026-44115 (CVSS 8.8) - Credential disclosure. Gap between command validation and shell execution leaks API keys through unquoted heredocs
  3. CVE-2026-44118 (CVSS 7.8) - MCP loopback privilege escalation. Trusts client-controlled senderIsOwner flag without session validation
  4. CVE-2026-44112 (CVSS 9.6) - Filesystem write escape. Same TOCTOU race in write ops. Backdoor placement on the host

The chain: malicious plugin -> read escape + credential theft -> privilege escalation -> persistent backdoor. Every step mimics normal agent behavior. Traditional monitoring cannot distinguish this from legitimate operations.

ClawHavoc supply chain attack (Jan-Feb 2026)

  • First malicious skill appeared January 27
  • By February 5, 1,184 malicious packages identified
  • Skills disguised as crypto bots and productivity tools
  • Installed keyloggers on Windows, Atomic Stealer on macOS
  • 76 distinct malicious payloads
  • ClawHub had zero verification for skill publishers until March 26 - eight weeks after the attack started

Timeline

  • Jan 27 - First malicious skill on ClawHub
  • Feb 1 - Koi Security names "ClawHavoc"
  • Feb 3 - CVE-2026-25253 (one-click RCE) disclosed
  • Feb 5 - 1,184 malicious skills identified
  • Feb 9 - 135K exposed instances found
  • Feb 18 - 312K+ instances on default port
  • Mar 18-21 - 9 CVEs in 4 days
  • Mar 26 - ClawHub adds verified screening
  • Apr 23 - Claw Chain patches released
  • May 15 - Claw Chain research published

What this means for all AI agent deployments: the underlying problems are not unique to OpenClaw

  1. Agents running with user's full credentials across every connected system
  2. Marketplace/plugin ecosystems with no security review
  3. Sandbox implementations with race condition vulnerabilities
  4. No behavioral monitoring to detect multi-step attacks that mimic normal behavior
  5. Default configs exposing agents to the internet with no auth

If you're running any AI agents in production, the OpenClaw crisis is your case study. Scan inputs at runtime. Isolate credentials per agent. Monitor behavior patterns, not just system metrics.

submitted by /u/Still_Piglet9217