Security researchers have uncovered a set of four critical vulnerabilities in OpenClaw that can be chained together to enable data theft, privilege escalation, and long-term system persistence in affected environments.
The flaws, collectively referred to as the “Claw Chain” by cybersecurity firm Cyera, impact the OpenClaw platform and its OpenShell sandboxing components. The issues have since been patched in version 2026.4.22 following responsible disclosure.
Chained Exploits Target Sandbox and Access Controls
The vulnerabilities allow attackers to move from initial code execution to full system compromise by abusing weaknesses in sandbox isolation, input validation, and authorization handling.
According to researchers, successful exploitation can lead to unauthorized access to sensitive files, credential exposure, configuration manipulation, and persistent backdoor installation.
The Four Security Flaws Identified
The security issues include multiple high-severity vulnerabilities:
- CVE-2026-44112 (CVSS 9.6/6.3): A time-of-check to time-of-use (TOCTOU) race condition in the OpenShell sandbox backend that enables attackers to bypass restrictions and write outside the intended directory.
- CVE-2026-44113 (CVSS 7.7/6.3): Another TOCTOU flaw allowing attackers to read files beyond the sandbox’s restricted environment.
- CVE-2026-44115 (CVSS 8.8): An input validation bypass that allows shell expansion tokens inside heredoc content to execute unauthorized commands.
- CVE-2026-44118 (CVSS 7.8): An access control flaw that enables non-owner loopback clients to impersonate privileged users and gain elevated control over system functions.
How Attackers Can Chain the Vulnerabilities
Security analysts describe a multi-stage exploitation chain that could be used in real-world attacks:
- Initial code execution through a malicious plugin, prompt injection, or compromised input.
- Exploitation of file access and input validation flaws to extract credentials and sensitive data.
- Abuse of privilege escalation vulnerability to gain owner-level control over the system.
- Use of sandbox bypass techniques to deploy persistent backdoors and modify configurations.
This sequence effectively turns a restricted execution environment into a fully compromised system.
Root Cause: Flawed Trust in Ownership Signals
Researchers noted that CVE-2026-44118 stems from a design issue where OpenClaw trusts a client-controlled flag, senderIsOwner, to determine user privileges without properly validating it against authenticated session data.
Attackers can exploit this weakness to impersonate legitimate owners and gain unauthorized administrative access.
Security Fixes and Mitigation
The vulnerabilities have been addressed in OpenClaw version 2026.4.22. The update introduces stricter authentication controls and removes reliance on spoofable ownership headers.
Developers also redesigned the runtime authentication model by separating owner and non-owner tokens and ensuring privilege decisions are based on verified credentials.
Security researcher Vladimir Tokarev has been credited for discovering and reporting the flaws.
Security Implications for AI and Sandbox Systems
Experts warn that the “Claw Chain” highlights a broader risk in modern sandboxed and agent-based systems: attackers can exploit internal privilege assumptions to escalate from limited execution to full system control.
According to Cyera, such attacks may appear as normal system behavior, making detection more difficult for traditional security tools while significantly expanding the potential impact of a breach.
Conclusion
The OpenClaw vulnerabilities demonstrate how multiple moderate-to-high severity flaws can be chained into a full compromise when combined with weak authorization design and unsafe sandbox assumptions. Organizations using affected versions are strongly advised to update immediately to mitigate risk.
