Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence.
The vulnerabilities, collectively dubbed Claw Chain by Cyera, can allow an attacker to establish a foothold, expose sensitive data, and plant backdoors. A brief description of the flaws is below –
- CVE-2026-44112 (CVSS score: 9.6/6.3) – A time-of-check/time-of-use (TOCTOU) race condition vulnerability in the OpenShell managed sandbox backend that allows attackers to bypass sandbox restrictions and redirect writes outside the intended mount root.
- CVE-2026-44113 (CVSS score: 7.7/6.3) – A TOCTOU race condition vulnerability in OpenShell that allows attackers to bypass sandbox restrictions and read files outside the intended mount root.
- CVE-2026-44115 (CVSS score: 8.8) – An incomplete list of disallowed inputs vulnerability that allows attackers to bypass allowlist validation by embedding shell expansion tokens in a here document (heredoc) body to execute unapproved commands at runtime.
- CVE-2026-44118 (CVSS score: 7.8) – An improper access control vulnerability that could allow non-owner loopback clients to impersonate an owner to elevate their privileges and gain control over gateway configuration, cron scheduling, and execution environment management.
Cyera said successful exploitation of CVE-2026-44112 could allow an attacker to tamper with configuration, plant backdoors, and establish persistent control over the compromised host, while CVE-2026-44113 could be weaponized to read system files, credentials, and internal artifacts.
The exploitation chain unfolds over four steps –
- A malicious plugin, prompt injection, or compromised external input gains code execution inside the OpenShell sandbox.
- Leverage CVE-2026-44113 and CVE-2026-44115 to expose credentials, secrets, and sensitive files.
- Exploit CVE-2026-44118 to obtain owner-level control of the agent runtime.
- Use CVE-2026-44112 to plant backdoors or make configuration changes and set up persistence.
The root cause for CVE-2026-44118, per the cybersecurity company, stems from the fact that OpenClaw trusts a client-controlled ownership flag called senderIsOwner, which signals whether the caller is authorized for owner-only tools, without validating it against the authenticated session.
“The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner solely from which token authenticated the request,” OpenClaw said, detailing the fixes in an advisory for the flaw. “The spoofable sender-owner header is no longer emitted or trusted.”
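The root cause and the fix described above, as an added example: this is a simplified model written for this page, not OpenClaw's code, and the token values and the `x-example-sender-is-owner` header name are constructed placeholders.

```javascript
// Constructed values for illustration; not OpenClaw's real tokens or header name.
const OWNER_TOKEN = "owner-token-constructed";
const NON_OWNER_TOKEN = "non-owner-token-constructed";
const OWNER_HEADER = "x-example-sender-is-owner"; // hypothetical header name

// Compare two strings without exiting early on the first mismatch.
function safeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Extract the bearer token; header keys are assumed lower-cased (as Node's http does).
function bearer(headers) {
  const m = /^Bearer (\S+)$/.exec(headers["authorization"] || "");
  return m ? m[1] : null;
}

// BEFORE (simplified model of the flaw): the token only proves the caller is a
// loopback client; ownership comes from a header the caller itself controls.
function resolveSenderVulnerable(headers) {
  const t = bearer(headers);
  const ok = t !== null && (safeEqual(t, OWNER_TOKEN) || safeEqual(t, NON_OWNER_TOKEN));
  return { authenticated: ok, senderIsOwner: ok && headers[OWNER_HEADER] === "true" };
}

// AFTER: senderIsOwner is derived only from which token authenticated the
// request; the header is never read.
function resolveSenderHardened(headers) {
  const t = bearer(headers);
  const isOwner = t !== null && safeEqual(t, OWNER_TOKEN);
  const isNonOwner = t !== null && safeEqual(t, NON_OWNER_TOKEN);
  return { authenticated: isOwner || isNonOwner, senderIsOwner: isOwner };
}

// Gate for owner-only tools (gateway configuration, cron scheduling, ...).
function mayCallOwnerTool(resolve, headers) {
  const s = resolve(headers);
  return s.authenticated && s.senderIsOwner;
}

// Constructed request: a non-owner token plus a self-asserted ownership claim.
const spoofed = { authorization: `Bearer ${NON_OWNER_TOKEN}`, [OWNER_HEADER]: "true" };
console.log(mayCallOwnerTool(resolveSenderVulnerable, spoofed)); // true
console.log(mayCallOwnerTool(resolveSenderHardened, spoofed)); // false
```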
Following responsible disclosure, all four vulnerabilities have been addressed in OpenClaw version 2026.4.22. Security researcher Vladimir Tokarev has been credited with discovering and reporting the issues. Users are advised to update to the latest version to stay protected against potential threats.
“By weaponizing the agent’s own privileges, an adversary moves through data access, privilege escalation, and persistence — using the agent as their hands inside the environment,” Cyera said. “Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder.”



