Cybersecurity researchers have disclosed a set of 4 safety flaws in OpenClaw that might be chained to attain information theft, privilege escalation, and persistence.
The vulnerabilities, collectively dubbed
Claw Chain
by Cyera, can allow an attacker to determine a foothold, expose delicate information, and plant backdoors. A short description of the failings is under –
-
CVE-2026-44112
(CVSS rating: 9.6/6.3) – A time-of-check/time-of-use (TOCTOU) race situation vulnerability within the
OpenShell
managed sandbox backend that permits attackers to bypass sandbox restrictions and redirect writes exterior the meant mount root. -
CVE-2026-44113
(CVSS rating: 7.7/6.3) – A TOCTOU race situation vulnerability in OpenShell that permits attackers to bypass sandbox restrictions and skim recordsdata exterior the meant mount root. -
CVE-2026-44115
(CVSS rating: 8.8) – An incomplete record of disallowed inputs vulnerability that permits attackers to bypass allowlist validation by embedding shell enlargement tokens in a
right here doc
(heredoc) physique to execute unapproved instructions at runtime. -
CVE-2026-44118
(CVSS rating: 7.8) – An improper entry management vulnerability that might enable non-owner loopback shoppers to impersonate an proprietor to raise their privileges and acquire management over gateway configuration, cron scheduling, and execution atmosphere administration.
Cyera stated profitable exploitation of CVE-2026-44112 might enable an attacker to tamper with configuration, plant backdoors, and set up persistent management over the compromised host, whereas CVE-2026-44113 might be weaponized to learn system recordsdata, credentials, and inner artifacts.
The exploitation chain unfolds over 4 steps –
- A malicious plugin, immediate injection, or compromised exterior enter positive aspects code execution contained in the OpenShell sandbox.
- Leverage CVE-2026-44113 and CVE-2026-44115 to show credentials, secrets and techniques, and delicate recordsdata.
- Exploit CVE-2026-44118 to acquire owner-level management of the agent runtime.
- Use CVE-2026-44112 to plant backdoors or make configuration modifications and arrange persistence.
The foundation trigger for CVE-2026-44118, per the cybersecurity firm, stems from the truth that OpenClaw trusts a client-controlled possession flag known as senderIsOwner, which alerts whether or not the caller is permitted for owner-only instruments, with out validating it towards the authenticated session.
“The MCP loopback runtime now points separate proprietor and non-owner bearer tokens and derives senderIsOwner solely from which token authenticated the request,” OpenClaw detailed the fixes in an advisory for the flaw. “The spoofable sender-owner header is now not emitted or trusted.”
Following accountable disclosure, all 4 vulnerabilities have been addressed in OpenClaw model 2026.4.22. Safety researcher Vladimir Tokarev has been credited with discovering and reporting the problems. Customers are suggested to replace to the most recent model to remain protected towards potential threats.
“By weaponizing the agent’s personal privileges, an adversary strikes by way of information entry, privilege escalation, and persistence — utilizing the agent as their arms contained in the atmosphere,” Cyera stated. “Every step seems like regular agent conduct to conventional controls, broadening blast radius and making detection considerably tougher.”
