Overview
Cybersecurity researchers at Cyera have uncovered a dangerous set of four security vulnerabilities in OpenClaw that can be chained together to achieve data theft, privilege escalation, and persistent system compromise. Dubbed “Claw Chain,” this exploit chain allows a threat actor to move through an environment using the AI agent’s own privileges — making malicious activity nearly indistinguishable from normal operations.
The Four Vulnerabilities
The Claw Chain attack leverages four distinct CVEs, each playing a specific role in the overall compromise:
**CVE-2026-44112** (CVSS 9.6/6.3) — A time-of-check/time-of-use (TOCTOU) race condition in OpenClaw’s OpenShell managed sandbox backend. Exploitation allows attackers to bypass sandbox restrictions and redirect file writes outside the intended mount root. This is the most critical flaw, enabling backdoor planting and persistent configuration changes.
**CVE-2026-44113** (CVSS 7.7/6.3) — Another TOCTOU race condition in OpenShell, this time enabling unauthorized read access to files outside the sandbox boundary. Attackers can leverage this to extract system files, credentials, and internal application artifacts.
**CVE-2026-44115** (CVSS 8.8) — An incomplete input validation flaw that allows attackers to bypass allowlist enforcement by embedding shell expansion tokens inside heredoc bodies. This enables execution of unapproved commands at runtime, effectively breaking the command execution controls.
**CVE-2026-44118** (CVSS 7.8) — An improper access control vulnerability in the MCP loopback runtime. Non-owner clients can spoof the `senderIsOwner` flag — a client-controlled ownership header — to impersonate owner-level sessions without proper authentication validation, granting control over gateway configuration, cron scheduling, and execution environment management.
The Attack Chain Explained
The Claw Chain attack unfolds in four calculated stages. First, an attacker gains initial code execution inside the OpenShell sandbox — this can be triggered via a malicious plugin, prompt injection, or any compromised external input. From there, CVE-2026-44113 and CVE-2026-44115 are chained to expose credentials, secrets, and sensitive files stored on the system.
With credentials in hand, CVE-2026-44118 is exploited to elevate privileges to owner-level control over the agent runtime. Finally, CVE-2026-44112 is used to plant backdoors, alter configurations, and establish persistence — ensuring the attacker maintains long-term access even after initial discovery attempts.
Cyera noted that each step in this chain mimics legitimate agent behavior, making detection by traditional security controls significantly harder and broadening the attacker’s blast radius within compromised environments.
Root Cause and the Fix
The core issue behind CVE-2026-44118 is OpenClaw’s unconditional trust of the client-controlled `senderIsOwner` header, which was never validated against the authenticated session context. This design flaw effectively allowed any loopback client to self-declare owner-level privileges.
Following responsible disclosure by security researcher Vladimir Tokarev, all four vulnerabilities have been patched in **OpenClaw version 2026.4.22**. The fix introduces separate owner and non-owner bearer tokens for the MCP loopback runtime, with `senderIsOwner` now derived exclusively from which token authenticated the request. The spoofable sender-owner header has been fully deprecated.
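To make the root cause and the fix concrete, here is an added TypeScript example (not OpenClaw's code; header name, token names and function names are illustrative assumptions) that puts the vulnerable pattern the article describes beside the patched one: the first version authenticates every loopback client with one shared token and then lets the client's own ownership header decide its privilege level, while the second derives ownership solely from which of two bearer tokens authenticated the request and ignores the header.

```typescript
// Added example, not OpenClaw's code: models the senderIsOwner flaw and the
// token-based fix described in the article. Header and token names are assumptions.

interface LoopbackRequest {
  headers: Record<string, string | undefined>;
}

// Constructed secrets for the demo; a real gateway loads these from its secret store.
const SHARED_LOOPBACK_TOKEN = "loopback-shared-constructed"; // pre-fix: one token for all clients
const OWNER_TOKEN = "owner-token-constructed";               // post-fix: owner clients only
const NON_OWNER_TOKEN = "member-token-constructed";          // post-fix: non-owner clients

// Constant-time comparison so a token check does not leak prefix matches via timing.
// crypto.timingSafeEqual is the production choice; inlined here to stay dependency-free.
function tokenMatches(candidate: string, expected: string): boolean {
  let diff = candidate.length ^ expected.length;
  for (let i = 0; i < expected.length; i++) {
    // charCodeAt past the end yields NaN; treat it as 0 (length mismatch is already in diff)
    diff |= (candidate.charCodeAt(i) || 0) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

function bearerToken(req: LoopbackRequest): string | undefined {
  const auth = req.headers["authorization"];
  if (auth === undefined || !auth.startsWith("Bearer ")) return undefined;
  return auth.slice("Bearer ".length);
}

type OwnerDecision = "owner" | "non-owner" | "rejected";

// VULNERABLE pattern: any holder of the shared loopback token is authenticated, and
// a client-controlled header (hypothetical name) decides whether it is the owner.
function senderIsOwnerVulnerable(req: LoopbackRequest): OwnerDecision {
  const token = bearerToken(req);
  if (token === undefined || !tokenMatches(token, SHARED_LOOPBACK_TOKEN)) return "rejected";
  return req.headers["x-sender-is-owner"] === "true" ? "owner" : "non-owner";
}

// FIXED pattern: ownership is a property of which credential authenticated the
// request. The client-supplied header is never consulted.
function senderIsOwnerFixed(req: LoopbackRequest): OwnerDecision {
  const token = bearerToken(req);
  if (token === undefined) return "rejected";
  if (tokenMatches(token, OWNER_TOKEN)) return "owner";
  if (tokenMatches(token, NON_OWNER_TOKEN)) return "non-owner";
  return "rejected"; // unknown token: neither role
}

// Constructed request: a non-owner client that self-declares ownership (pre-fix token).
const spoofedRequest: LoopbackRequest = {
  headers: {
    authorization: `Bearer ${SHARED_LOOPBACK_TOKEN}`,
    "x-sender-is-owner": "true",
  },
};

// The same client after the fix: it only holds the non-owner token, header still set.
const spoofedRequestAfterFix: LoopbackRequest = {
  headers: {
    authorization: `Bearer ${NON_OWNER_TOKEN}`,
    "x-sender-is-owner": "true",
  },
};

console.log("vulnerable:", senderIsOwnerVulnerable(spoofedRequest));     // owner (spoof succeeds)
console.log("fixed:     ", senderIsOwnerFixed(spoofedRequestAfterFix));  // non-owner (header ignored)
```

The design point is that a privilege attribute must be bound to the credential the server verified, not to anything the client can write into the request; once the owner and non-owner tokens are distinct secrets, the header has nothing left to influence and can be removed, which is what the article says the 2026.4.22 fix does.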
CyDhaal Recommendation
If your environment runs any version of OpenClaw prior to 2026.4.22, updating immediately is critical. Given the CVSS scores involved — particularly the near-perfect 9.6 for CVE-2026-44112 — and the ease with which these flaws can be chained, this is not a vulnerability set to defer. Organizations leveraging AI agent frameworks should also audit all plugin inputs and external data sources for potential prompt injection vectors as an additional defensive layer.