Cybersecurity researchers have uncovered four critical security vulnerabilities in OpenClaw that can be chained together to facilitate data theft, privilege escalation, and long-term persistence on compromised systems.
The vulnerabilities, collectively named “Claw Chain” by Cyera, allow attackers to gain an initial foothold, extract sensitive information, elevate privileges, and implant backdoors while blending in with normal agent activity.
Details of the Vulnerabilities
The newly disclosed flaws include:
- CVE-2026-44112 (CVSS: 9.6/6.3) – A time-of-check/time-of-use (TOCTOU) race condition in the OpenShell managed sandbox backend that enables attackers to bypass sandbox restrictions and redirect file writes outside the intended mount root.
- CVE-2026-44113 (CVSS: 7.7/6.3) – Another TOCTOU race condition vulnerability in OpenShell that can be exploited to read files outside the designated sandbox environment.
- CVE-2026-44115 (CVSS: 8.8) – An incomplete input-validation issue (disallowed inputs not fully filtered) that lets attackers bypass allowlist protections by embedding shell expansion tokens within heredoc bodies, ultimately executing unauthorized commands at runtime.
- CVE-2026-44118 (CVSS: 7.8) – An improper access control flaw that allows non-owner loopback clients to impersonate legitimate owners, leading to elevated privileges and unauthorized control over gateway configurations, cron jobs, and execution environments.
According to researchers, successful exploitation of CVE-2026-44112 could allow threat actors to modify configurations, install backdoors, and maintain persistent access on compromised hosts. Meanwhile, CVE-2026-44113 could be abused to access system files, credentials, and other sensitive internal data.
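The heredoc bypass in CVE-2026-44115 comes down to a validator that judges a command by its first word and never looks inside the heredoc body, even though a POSIX shell performs parameter expansion and command substitution in the body of an unquoted heredoc (`<<EOF`) and treats the body of a quoted one (`<<'EOF'`) as literal text. The following is an added illustration, not OpenClaw's validator: a simplified allowlist check (first word only, assumed allowlist of `cat`, `echo`, `ls`) extended so that it also rejects expansion tokens in unquoted heredoc bodies.

```typescript
// Added example, not OpenClaw code. The allowlist, the first-word matching
// model and the heredoc handling are assumptions made for illustration.

const ALLOWED_COMMANDS = new Set(["cat", "echo", "ls"]);

// Tokens the shell expands inside an *unquoted* heredoc body:
// command substitution $( ), parameter expansion ${ } / $NAME, backticks.
const EXPANSION_TOKEN = /\$\(|\$\{|\$[A-Za-z_]|`/;

// Heredoc operator with its delimiter. A delimiter wrapped in quotes
// ('EOF' or "EOF") disables expansion in the body; an unquoted one does not.
const HEREDOC_START = /<<-?\s*(['"]?)([A-Za-z_][A-Za-z0-9_]*)\1/;

interface Verdict {
  allowed: boolean;
  reason: string;
}

function checkCommand(script: string): Verdict {
  const lines = script.split("\n");
  const firstWord = lines[0].trim().split(/\s+/)[0] ?? "";
  if (!ALLOWED_COMMANDS.has(firstWord)) {
    return { allowed: false, reason: `command not in allowlist: ${firstWord}` };
  }

  // The incomplete validator stops here, having only inspected the first
  // word. The hardened check continues into any heredoc body.
  const start = HEREDOC_START.exec(lines[0]);
  if (!start) {
    return { allowed: true, reason: "no heredoc" };
  }

  const quoted = start[1] !== "";
  const delimiter = start[2];

  // Collect body lines up to the terminating delimiter.
  const body: string[] = [];
  for (const line of lines.slice(1)) {
    if (line.trim() === delimiter) break;
    body.push(line);
  }

  if (!quoted) {
    for (const line of body) {
      if (EXPANSION_TOKEN.test(line)) {
        return {
          allowed: false,
          reason: `expansion token in unquoted heredoc body: ${line.trim()}`,
        };
      }
    }
  }

  return {
    allowed: true,
    reason: quoted ? "quoted heredoc, body is literal" : "heredoc body has no expansion tokens",
  };
}
```

The design point is that the validator must parse the same grammar the shell will, at least far enough to know whether a heredoc body will be expanded; matching the first word and stopping is exactly the gap an allowlist bypass exploits.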
How the “Claw Chain” Attack Works
Researchers explained that the full exploitation chain unfolds in four stages:
- A malicious plugin, prompt injection, or compromised external input achieves code execution within the OpenShell sandbox.
- Attackers exploit CVE-2026-44113 and CVE-2026-44115 to access credentials, secrets, and sensitive files.
- CVE-2026-44118 is leveraged to gain owner-level control of the agent runtime.
- Finally, attackers use CVE-2026-44112 to establish persistence by planting backdoors or modifying system configurations.
Root Cause of the Privilege Escalation Flaw
Researchers stated that the root cause behind CVE-2026-44118 lies in OpenClaw’s reliance on a client-controlled ownership flag named senderIsOwner. The application trusted this flag to determine whether a caller had permission to access owner-only tools, without properly validating it against the authenticated session.
In response, OpenClaw developers updated the MCP loopback runtime to issue separate bearer tokens for owner and non-owner users. The platform now derives ownership status directly from the authenticated token rather than trusting spoofable client headers.
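The root cause and the fix side by side, as an added illustration rather than OpenClaw's actual gateway code: a minimal loopback authorization check in which the vulnerable version reads ownership from the client-supplied `senderIsOwner` flag, while the fixed version derives it from the role bound server-side to the authenticated bearer token. The token values, the role names, the tool names and the request shape are all assumptions for the example.

```typescript
// Added example, not OpenClaw code. Tokens, roles and tool names below are
// constructed for illustration only.

interface ToolRequest {
  bearerToken: string;
  tool: string;
  // Client-supplied hint. The vulnerable check trusts it; the fixed check
  // ignores it entirely.
  senderIsOwner?: boolean;
}

// Tools that only the owner may invoke (hypothetical names).
const OWNER_ONLY_TOOLS = new Set(["gateway.config.write", "cron.add", "exec.env.set"]);

// Server-side token registry: the runtime issues distinct tokens per trust
// level, so the role is a property of the token, not of the request.
const TOKENS: Record<string, { role: "owner" | "member" }> = {
  "tok-owner-0001": { role: "owner" },
  "tok-member-0002": { role: "member" },
};

function authenticate(bearer: string): { role: "owner" | "member" } | null {
  return TOKENS[bearer] ?? null;
}

// BEFORE: ownership is whatever the loopback client claims.
function authorizeVulnerable(req: ToolRequest): boolean {
  if (!authenticate(req.bearerToken)) return false;
  if (!OWNER_ONLY_TOOLS.has(req.tool)) return true;
  return req.senderIsOwner === true; // spoofable by any loopback client
}

// AFTER: ownership is derived from the authenticated token; the header
// plays no part in the decision.
function authorizeFixed(req: ToolRequest): boolean {
  const session = authenticate(req.bearerToken);
  if (!session) return false;
  if (!OWNER_ONLY_TOOLS.has(req.tool)) return true;
  return session.role === "owner";
}
```

Loopback origin is not an identity: anything that can reach the local listener (another process, a sandboxed agent, a browser page via a crafted request) can set arbitrary headers, so every authorization input has to come from something the server itself issued and can verify.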
Patches Released in OpenClaw 2026.4.22
Following responsible disclosure, all four vulnerabilities have been patched in OpenClaw version 2026.4.22.
Security researcher Vladimir Tokarev has been credited with discovering and reporting the issues.
Users and organizations running vulnerable versions of OpenClaw are strongly advised to upgrade immediately to reduce the risk of exploitation.
Why the Attack Is Difficult to Detect
Cyera warned that the attack chain is especially dangerous because attackers effectively weaponize the AI agent’s own privileges.
“By weaponizing the agent’s own privileges, an adversary moves through data access, privilege escalation, and persistence — using the agent as their hands inside the environment,” the company said.
Because each action appears to be legitimate agent behavior, traditional security controls may struggle to detect malicious activity, potentially increasing the blast radius of an attack.
