{"id":130,"date":"2026-05-15T15:33:14","date_gmt":"2026-05-15T15:33:14","guid":{"rendered":"https:\/\/blog.cydhaal.com\/index.php\/2026\/05\/15\/four-chained-openclaw-flaws-threaten-full-system-takeover\/"},"modified":"2026-05-15T15:33:14","modified_gmt":"2026-05-15T15:33:14","slug":"four-chained-openclaw-flaws-threaten-full-system-takeover","status":"publish","type":"post","link":"https:\/\/blog.cydhaal.com\/index.php\/2026\/05\/15\/four-chained-openclaw-flaws-threaten-full-system-takeover\/","title":{"rendered":"Four Chained OpenClaw Flaws Threaten Full System Takeover"},"content":{"rendered":"<h2>Overview<\/h2>\n<p>Cybersecurity researchers at Cyera have uncovered a dangerous set of four security vulnerabilities in OpenClaw that can be chained together to achieve data theft, privilege escalation, and persistent system compromise. Dubbed &#8220;Claw Chain,&#8221; this exploit chain allows a threat actor to move through an environment using the AI agent&#8217;s own privileges \u2014 making malicious activity nearly indistinguishable from normal operations.<\/p>\n<h2>The Four Vulnerabilities<\/h2>\n<p>The Claw Chain attack leverages four distinct CVEs, each playing a specific role in the overall compromise:<\/p>\n<p><strong>CVE-2026-44112<\/strong> (CVSS 9.6\/6.3) \u2014 A time-of-check\/time-of-use (TOCTOU) race condition in OpenClaw&#8217;s OpenShell managed sandbox backend. Exploitation allows attackers to bypass sandbox restrictions and redirect file writes outside the intended mount root. This is the most critical flaw, enabling backdoor planting and persistent configuration changes.<\/p>\n<p><strong>CVE-2026-44113<\/strong> (CVSS 7.7\/6.3) \u2014 Another TOCTOU race condition in OpenShell, this time enabling unauthorized read access to files outside the sandbox boundary. 
Attackers can leverage this to extract system files, credentials, and internal application artifacts.<\/p>\n<p><strong>CVE-2026-44115<\/strong> (CVSS 8.8) \u2014 An incomplete input validation flaw that allows attackers to bypass allowlist enforcement by embedding shell expansion tokens inside heredoc bodies. This enables execution of unapproved commands at runtime, effectively breaking the command execution controls.<\/p>\n<p><strong>CVE-2026-44118<\/strong> (CVSS 7.8) \u2014 An improper access control vulnerability in the MCP loopback runtime. Non-owner clients can spoof the <code>senderIsOwner<\/code> flag \u2014 a client-controlled ownership header \u2014 to impersonate owner-level sessions without proper authentication validation, granting control over gateway configuration, cron scheduling, and execution environment management.<\/p>\n<h2>The Attack Chain Explained<\/h2>\n<p>The Claw Chain attack unfolds in four calculated stages. First, an attacker gains initial code execution inside the OpenShell sandbox \u2014 this can be triggered via a malicious plugin, prompt injection, or any compromised external input. From there, CVE-2026-44113 and CVE-2026-44115 are chained to expose credentials, secrets, and sensitive files stored on the system.<\/p>\n<p>With credentials in hand, CVE-2026-44118 is exploited to elevate privileges to owner-level control over the agent runtime. 
Finally, CVE-2026-44112 is used to plant backdoors, alter configurations, and establish persistence \u2014 ensuring the attacker maintains long-term access even after initial discovery attempts.<\/p>\n<p>Cyera noted that each step in this chain mimics legitimate agent behavior, making detection by traditional security controls significantly harder and broadening the attacker&#8217;s blast radius within compromised environments.<\/p>\n<h2>Root Cause and the Fix<\/h2>\n<p>The core issue behind CVE-2026-44118 is OpenClaw&#8217;s unconditional trust of the client-controlled <code>senderIsOwner<\/code> header, which was never validated against the authenticated session context. This design flaw effectively allowed any loopback client to self-declare owner-level privileges.<\/p>\n<p>Following responsible disclosure by security researcher Vladimir Tokarev, all four vulnerabilities have been patched in <strong>OpenClaw version 2026.4.22<\/strong>. The fix introduces separate owner and non-owner bearer tokens for the MCP loopback runtime, with <code>senderIsOwner<\/code> now derived exclusively from which token authenticated the request. The spoofable sender-owner header has been fully deprecated.<\/p>\n<h2>CyDhaal Recommendation<\/h2>\n<p>If your environment runs any version of OpenClaw prior to 2026.4.22, updating immediately is critical. Given the CVSS scores involved \u2014 particularly the near-perfect 9.6 for CVE-2026-44112 \u2014 and the ease with which these flaws can be chained, this is not a vulnerability set to defer. Organizations leveraging AI agent frameworks should also audit all plugin inputs and external data sources for potential prompt injection vectors as an additional defensive layer.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Researchers have disclosed four chained vulnerabilities in OpenClaw, collectively dubbed Claw Chain, enabling attackers to steal data, escalate privileges, and establish persistence through the AI agent&#8217;s own runtime. 
All flaws have been patched in OpenClaw version 2026.4.22 and users are urged to update immediately.<\/p>\n","protected":false},"author":2,"featured_media":129,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[14],"tags":[],"class_list":["post-130","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-vulnerability"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.6 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Four Chained OpenClaw Flaws Threaten Full System Takeover - CyDhaal - Your Daily Dose of Cyber Intelligence<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/blog.cydhaal.com\/index.php\/2026\/05\/15\/four-chained-openclaw-flaws-threaten-full-system-takeover\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Four Chained OpenClaw Flaws Threaten Full System Takeover - CyDhaal - Your Daily Dose of Cyber Intelligence\" \/>\n<meta property=\"og:description\" content=\"Researchers have disclosed four chained vulnerabilities in OpenClaw, collectively dubbed Claw Chain, enabling attackers to steal data, escalate privileges, and establish persistence through the AI agent&#039;s own runtime. 
All flaws have been patched in OpenClaw version 2026.4.22 and users are urged to update immediately.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/blog.cydhaal.com\/index.php\/2026\/05\/15\/four-chained-openclaw-flaws-threaten-full-system-takeover\/\" \/>\n<meta property=\"og:site_name\" content=\"CyDhaal - Your Daily Dose of Cyber Intelligence\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-15T15:33:14+00:00\" \/>\n<meta name=\"author\" content=\"CyDhaal Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"CyDhaal Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/\"},\"author\":{\"name\":\"CyDhaal Team\",\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/#\\\/schema\\\/person\\\/08fa1720ed7b28432dc0b56a00e0fdae\"},\"headline\":\"Four Chained OpenClaw Flaws Threaten Full System 
Takeover\",\"datePublished\":\"2026-05-15T15:33:14+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/\"},\"wordCount\":541,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.cydhaal.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/cydhaal-40.jpg\",\"articleSection\":[\"Vulnerability\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/\",\"url\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/\",\"name\":\"Four Chained OpenClaw Flaws Threaten Full System Takeover - CyDhaal - Your Daily Dose of Cyber 
Intelligence\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/blog.cydhaal.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/cydhaal-40.jpg\",\"datePublished\":\"2026-05-15T15:33:14+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/#\\\/schema\\\/person\\\/08fa1720ed7b28432dc0b56a00e0fdae\"},\"breadcrumb\":{\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/#primaryimage\",\"url\":\"https:\\\/\\\/blog.cydhaal.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/cydhaal-40.jpg\",\"contentUrl\":\"https:\\\/\\\/blog.cydhaal.com\\\/wp-content\\\/uploads\\\/2026\\\/05\\\/cydhaal-40.jpg\",\"width\":1024,\"height\":1024},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/2026\\\/05\\\/15\\\/four-chained-openclaw-flaws-threaten-full-system-takeover\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/blog.cydhaal.com\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Four Chained OpenClaw Flaws Threaten Full System 
Takeover\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/#website\",\"url\":\"https:\\\/\\\/blog.cydhaal.com\\\/\",\"name\":\"CyDhaal - Your Daily Dose of Cyber Intelligence\",\"description\":\"Daily Cyber Threats. Zero Noise\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/blog.cydhaal.com\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/blog.cydhaal.com\\\/#\\\/schema\\\/person\\\/08fa1720ed7b28432dc0b56a00e0fdae\",\"name\":\"CyDhaal Team\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e78533e3de14d0acf42b2ac6a9a7fe0a81e2b36d6d3484de6a162f141c30f96a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e78533e3de14d0acf42b2ac6a9a7fe0a81e2b36d6d3484de6a162f141c30f96a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/e78533e3de14d0acf42b2ac6a9a7fe0a81e2b36d6d3484de6a162f141c30f96a?s=96&d=mm&r=g\",\"caption\":\"CyDhaal Team\"},\"url\":\"https:\\\/\\\/blog.cydhaal.com\\\/index.php\\\/author\\\/cydhaal-team\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","_links":{"self":[{"href":"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/posts\/130","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/comments?post=130"}],"version-history":[{"count":0,"href":"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/posts\/130\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/media\/129"}],"wp:attachment":[{"href":"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/media?parent=130"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/categories?post=130"},{"taxonomy":"post_tag","embeddable":true,"href"
:"https:\/\/blog.cydhaal.com\/index.php\/wp-json\/wp\/v2\/tags?post=130"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}