Cybersecurity researchers have unveiled a critical chain of four vulnerabilities within the OpenClaw platform, collectively named “Claw Chain.” These flaws, discovered by Cyera, could allow attackers to steal sensitive data, escalate their privileges, and establish persistent access within a compromised system. The successful exploitation of these vulnerabilities creates a significant risk for organizations relying on OpenClaw for their operational security.
The disclosure, made on May 15, 2026, highlights a sophisticated attack vector that can facilitate unauthorized data access and persistent control. The vulnerabilities were identified and reported by security researcher Vladimir Tokarev. OpenClaw has since released a patch, version 2026.4.22, to address these significant security concerns.
The Claw Chain Vulnerabilities and Their Impact
The Claw Chain comprises four distinct vulnerabilities, each contributing to a broader attack strategy. The most severe, CVE-2026-44112 (CVSS score: 9.6/6.3), is a time-of-check/time-of-use (TOCTOU) race condition within the OpenShell managed sandbox backend. This flaw allows attackers to circumvent sandbox restrictions, enabling them to redirect file writes outside of the intended mount root. This capability can be leveraged to tamper with configurations, plant backdoors, and maintain persistent control over a compromised host.
Complementing this is CVE-2026-44113 (CVSS score: 7.7/6.3), another TOCTOU race condition in OpenShell. This vulnerability allows attackers to bypass sandbox restrictions and gain unauthorized read access to files located outside the designated mount root. Successful exploitation of this flaw could lead to the exposure of system files, sensitive credentials, and internal company artifacts, significantly increasing the potential damage of a breach.
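The class of bug behind both TOCTOU flaws, as an added illustration that is not OpenShell code and not from the original article: `naive_open` validates a path and then opens it by name, leaving a window in which a path component can be replaced, while `open_beneath` walks from a directory file descriptor and refuses symbolic links at every step. The function names, the directory layout and the symlink-based form of the race are assumptions (the article does not detail the mechanism), and the code requires a POSIX system.

```python
import os
import tempfile

def naive_open(root, rel_path, flags):
    """Check-then-use: the path is resolved once to validate, again to open."""
    full = os.path.join(root, rel_path)
    if not os.path.realpath(full).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError("outside mount root")
    return os.open(full, flags, 0o600)  # a component swapped by now is followed

def open_beneath(root_fd, rel_path, flags, mode=0o600):
    """Walk rel_path from root_fd one component at a time, refusing symlinks,
    so the object that was checked is the object that gets opened."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("path must stay inside the mount root")
    dir_fd = os.dup(root_fd)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed layout: mount/work is a real directory, mount/link is a
    symlink to a directory outside the mount root."""
    with tempfile.TemporaryDirectory() as base:
        root, outside = os.path.join(base, "mount"), os.path.join(base, "outside")
        os.makedirs(os.path.join(root, "work"))
        os.mkdir(outside)
        os.symlink(outside, os.path.join(root, "link"))
        root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
        try:
            fd = open_beneath(root_fd, "work/out.txt", os.O_WRONLY | os.O_CREAT)
            os.write(fd, b"ok")
            os.close(fd)
            try:
                os.close(open_beneath(root_fd, "link/out.txt", os.O_WRONLY | os.O_CREAT))
                refused = False
            except OSError:
                refused = True
        finally:
            os.close(root_fd)
        return (os.path.exists(os.path.join(root, "work", "out.txt")),
                refused, os.listdir(outside))
```

On Linux 5.6 and later, the `openat2()` system call with `RESOLVE_BENEATH` enforces the same constraint in a single call.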
Further compounding the risk is CVE-2026-44115 (CVSS score: 8.8), an incomplete-list-of-disallowed-inputs vulnerability. This flaw permits attackers to bypass allowlist validation mechanisms. By embedding shell expansion tokens within a “here document” (heredoc) body, attackers can execute unapproved commands at runtime, circumventing standard security protocols.
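Why an allowlist that inspects only the command word misses this, as an added example that is not OpenClaw's validator and not from the original article: the shell expands the body of a heredoc whose delimiter is unquoted, so the check below also scans those bodies for expansion tokens. The `ALLOWED` set, the function names and the sample scripts are constructed for illustration.

```python
import re

# A heredoc operator: optional "-", then a delimiter that may be quoted/escaped.
HEREDOC = re.compile(r"(?<!<)<<(-?)\s*(\\?)(['\"]?)([A-Za-z_]\w*)\3")
# Tokens the shell expands inside a heredoc body when the delimiter is unquoted.
EXPANSION = re.compile(r"(?<!\\)(\$\(|\$\{|`|\$[A-Za-z_])")
ALLOWED = {"cat", "tee"}  # hypothetical allowlist of command words

def heredoc_findings(script):
    """Return (line_no, delimiter, token) for each expansion token found in a
    heredoc body whose delimiter is unquoted; quoted delimiters stay literal."""
    findings, lines, i = [], script.split("\n"), 0
    while i < len(lines):
        m = HEREDOC.search(lines[i])
        i += 1
        if not m:
            continue
        strip_tabs = m.group(1) == "-"           # "<<-" strips leading tabs
        quoted = bool(m.group(2) or m.group(3))  # \EOF, 'EOF' or "EOF"
        delim = m.group(4)
        while i < len(lines):
            body = lines[i].lstrip("\t") if strip_tabs else lines[i]
            i += 1
            if body == delim:
                break
            if not quoted:
                findings += [(i, delim, t.group(1)) for t in EXPANSION.finditer(body)]
    return findings

def approve(script):
    """Approve only an allowlisted command word with no expanding heredoc body."""
    words = script.split(None, 1)
    return bool(words) and words[0] in ALLOWED and not heredoc_findings(script)

# Constructed samples: same command word, different delimiter quoting.
QUOTED = "cat <<'EOF'\ntotal: $(id)\nEOF"
UNQUOTED = "cat <<EOF\ntotal: $(id)\nEOF"
```

A token scan like this is itself a deny list; refusing unquoted heredoc delimiters outright is the stricter policy.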
The final piece of the chain is CVE-2026-44118 (CVSS score: 7.8), an improper access control vulnerability. This flaw could enable non-owner loopback clients to impersonate an owner, thereby escalating their privileges. This would grant them control over critical functions such as gateway configuration, cron scheduling, and execution environment management, providing an attacker with substantial control over the affected system.
Exploitation Pathway of the Claw Chain
According to Cyera, the exploitation of the Claw Chain follows a four-step progression, forming a cohesive attack chain. The initial entry point can be achieved through various means, including a malicious plugin, prompt injection, or a compromised external input that gains code execution within the OpenShell sandbox. Once inside, the attacker leverages CVE-2026-44113 and CVE-2026-44115 to exfiltrate credentials, secrets, and other sensitive files.
The next crucial step involves exploiting CVE-2026-44118 to obtain owner-level control over the agent runtime. This privilege escalation is critical for the subsequent stages of the attack. Finally, CVE-2026-44112 is used to plant backdoors or implement configuration changes, thereby establishing persistence and ensuring continued unauthorized access to the compromised environment. The researchers emphasize that each step in this chain can appear as normal agent behavior to traditional security controls, making detection considerably more challenging.
Root Cause and Mitigation Efforts
Cyera identified the root cause for CVE-2026-44118 as OpenClaw’s previous trust in a client-controlled ownership flag named “senderIsOwner.” This flag indicated whether a caller was authorized for owner-only tools without proper validation against the authenticated session. In response, OpenClaw has updated its MCP loopback runtime to issue separate owner and non-owner bearer tokens. The “senderIsOwner” determination is now derived exclusively from the token that authenticated the request, and the spoofable sender-owner header is no longer emitted or trusted.
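The before and after of that fix, sketched as an added example that is not OpenClaw's code and not from the original article: the legacy check believes a client-supplied header, while the corrected check derives the owner decision only from which bearer token authenticated the request. The header name `x-sender-is-owner`, the tool names and all function and class names are hypothetical.

```python
import hmac
import secrets

OWNER_ONLY = {"gateway.config", "cron.schedule"}  # hypothetical tool names

def legacy_sender_is_owner(headers):
    """Before: ownership is whatever the client claims (spoofable)."""
    return headers.get("x-sender-is-owner") == "true"  # hypothetical header

class LoopbackAuth:
    """After: two separate bearer tokens; the role follows the token."""
    def __init__(self):
        self.owner_token = secrets.token_urlsafe(32)
        self.client_token = secrets.token_urlsafe(32)

    def sender_is_owner(self, headers):
        """True or False for an authenticated caller, None if unauthenticated.
        Header keys are assumed lowercased; ownership headers are ignored."""
        scheme, _, presented = headers.get("authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not presented:
            return None
        candidate = presented.encode()
        # Constant-time comparisons, both always evaluated.
        is_owner = hmac.compare_digest(candidate, self.owner_token.encode())
        is_client = hmac.compare_digest(candidate, self.client_token.encode())
        if is_owner:
            return True
        return False if is_client else None

def authorize(auth, headers, tool):
    """Return an HTTP-style status for a tool call over the loopback channel."""
    role = auth.sender_is_owner(headers)
    if role is None:
        return 401
    if tool in OWNER_ONLY and not role:
        return 403
    return 200
```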
In line with responsible disclosure practices, all four identified vulnerabilities have been addressed in OpenClaw version 2026.4.22. Organizations utilizing OpenClaw are strongly advised to update their systems to this latest version to mitigate the risks associated with the Claw Chain and protect against potential incursions.
The implications of these vulnerabilities underscore the evolving threat landscape in AI security and the importance of continuous vigilance. As attackers become more sophisticated in weaponizing the inherent privileges of security tools themselves, the need for robust, adaptive security measures becomes paramount. The focus for organizations now shifts to ensuring timely patching and ongoing monitoring to confirm the integrity of their environments post-update.

