
Cybersecurity researchers have revealed a series of four security flaws in OpenClaw that can be chained together to achieve data theft, privilege escalation, and persistence.
The vulnerabilities, collectively referred to as “Claw Chain” by Cyera, could allow attackers to establish a foothold, expose sensitive data, and install backdoors. A brief description of each flaw is as follows:
CVE-2026-44112 (CVSS score: 9.6/6.3) – A time-of-check/time-of-use (TOCTOU) race condition vulnerability in the OpenShell managed sandbox backend that allows attackers to bypass sandbox restrictions and redirect writes outside of the intended mount root.
CVE-2026-44113 (CVSS score: 7.7/6.3) – A TOCTOU race condition vulnerability in OpenShell that allows attackers to bypass sandbox restrictions and read files outside of the intended mount root.
CVE-2026-44115 (CVSS score: 8.8) – An incomplete list of disallowed inputs vulnerability that allows attackers to bypass allow list validation and execute unauthorized commands at runtime by embedding shell expansion tokens in the heredoc body.
CVE-2026-44118 (CVSS score: 7.8) – An improper access control vulnerability that could allow a non-owner loopback client to impersonate the owner and escalate privileges to control gateway configuration, cron scheduling, and execution environment management.
Cyera said that successful exploitation of CVE-2026-44112 could allow an attacker to modify configurations, plant backdoors, and establish permanent control over a compromised host, while CVE-2026-44113 could be weaponized to read system files, credentials, and internal artifacts.
The chain of exploitation unfolds in four steps.
A malicious plugin, prompt injection, or compromised external input causes code to execute within the OpenShell sandbox.
CVE-2026-44113 and CVE-2026-44115 are exploited to expose credentials and sensitive files.
CVE-2026-44118 is exploited to gain owner-level control of the agent runtime.
CVE-2026-44112 is used to install a backdoor or change the configuration to establish persistence.
According to the cybersecurity firm, the root cause of CVE-2026-44118 is that OpenClaw relied on a client-controlled ownership flag called senderIsOwner. This flag signals whether the caller is allowed to use owner-only tools, and it was accepted without being validated against the authenticated session.
“The MCP loopback runtime now issues owner and non-owner bearer tokens separately and derives senderIsOwner exclusively from the token that authenticated the request,” OpenClaw said in its advisory for the flaw, detailing the fix. “Spoofable sender-owner headers are no longer emitted and trusted.”
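The pattern behind that fix, as an added example that is not OpenClaw's code: an owner-only check that believes a caller-supplied flag, next to one that derives ownership solely from the bearer token that authenticated the request. The header name `x-sender-is-owner`, the token values and all function names are hypothetical, and the "before" shape is an assumption based on the description above.

```javascript
// Illustrative only: header name, tokens and function names are hypothetical.
const OWNER_TOKEN = "owner-token-constructed-0001";      // constructed sample
const NON_OWNER_TOKEN = "guest-token-constructed-0002";  // constructed sample

// Compare without an early exit so timing does not reveal the matching prefix.
function tokenEquals(presented, expected) {
  if (presented.length !== expected.length) return false;
  let diff = 0;
  for (let i = 0; i < expected.length; i++) {
    diff |= presented.charCodeAt(i) ^ expected.charCodeAt(i);
  }
  return diff === 0;
}

// Resolve the session from the bearer token alone; null means unauthenticated.
function authenticate(headers) {
  const match = /^Bearer (\S+)$/.exec(headers["authorization"] || "");
  if (!match) return null;
  if (tokenEquals(match[1], OWNER_TOKEN)) return { senderIsOwner: true };
  if (tokenEquals(match[1], NON_OWNER_TOKEN)) return { senderIsOwner: false };
  return null;
}

// BEFORE: any authenticated caller is believed about its own ownership.
function ownerToolStatusBefore(headers) {
  if (authenticate(headers) === null) return 401;
  return headers["x-sender-is-owner"] === "true" ? 200 : 403;
}

// AFTER: the caller-supplied header is ignored; the token decides.
function ownerToolStatusAfter(headers) {
  const session = authenticate(headers);
  if (session === null) return 401;
  return session.senderIsOwner ? 200 : 403;
}

// Constructed request: non-owner token plus a self-asserted owner header.
const selfAsserted = {
  authorization: `Bearer ${NON_OWNER_TOKEN}`,
  "x-sender-is-owner": "true",
};
console.log(ownerToolStatusBefore(selfAsserted), ownerToolStatusAfter(selfAsserted));
```

A regression test for this class of bug sends the non-owner token together with the owner claim and asserts that the owner-only route returns 403.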
After responsible disclosure, all four vulnerabilities were addressed in OpenClaw version 2026.4.22. Security researcher Vladimir Tokarev is credited with discovering and reporting the issues. Users are advised to update to the latest version to stay protected from potential threats.
“By weaponizing the agent’s own privileges, attackers can gain data access, privilege escalation, persistence, and use the agent as hands in the environment,” Cyera said. “Each step looks like normal agent behavior to traditional controls, increases the blast radius, and makes detection significantly more difficult.”
