Four critical vulnerabilities in OpenClaw – two TOCTOU sandbox bypasses, an input‑validation flaw, and an improper access‑control issue – can be chained to steal credentials, elevate privileges, and embed persistent backdoors. All are patched in OpenClaw 2026.4.22.

Four OpenClaw vulnerabilities, collectively dubbed “Claw Chain,” allow an attacker to move from code execution inside a sandbox to full control of the host.
The flaws in a nutshell
| CVE | CVSS | Core weakness | What an attacker can do |
|---|---|---|---|
| CVE‑2026‑44112 | 9.6 | TOCTOU race in the OpenShell sandbox’s mount‑root handling | Bypass the sandbox, write anywhere on the filesystem, plant backdoors, modify configuration for persistence |
| CVE‑2026‑44113 | 7.7 | TOCTOU race in the same sandbox, but for reads | Escape the sandbox to read arbitrary files, harvest credentials, internal tokens, and other secrets |
| CVE‑2026‑44115 | 8.8 | Incomplete allow‑list validation – heredoc shell‑expansion bypass | Inject shell‑expansion tokens into a heredoc, run arbitrary commands that were thought to be whitelisted |
| CVE‑2026‑44118 | 7.8 | Improper access control – spoofable senderIsOwner flag | Non‑owner loopback clients impersonate the owner, gain control over gateway config, cron jobs, and the agent runtime |
The vulnerabilities were reported by security researcher Vladimir Tokarev and disclosed responsibly by Cyera. OpenClaw released patches in version 2026.4.22 that address each issue.
How the chain works
- Initial foothold – A malicious plugin, crafted prompt injection, or compromised external input gains code execution inside the OpenShell sandbox.
- Data exfiltration – The attacker first exploits CVE‑2026‑44113 to read files outside the mount root, then uses CVE‑2026‑44115 to run unapproved commands that pull secrets (API keys, database passwords, SSH private keys) into a location they control.
- Privilege escalation – With those credentials, the attacker targets the loopback interface. By sending a request that sets senderIsOwner=true, they trigger CVE‑2026‑44118, elevating themselves to owner‑level privileges and gaining the ability to modify the agent’s runtime, cron schedules, and gateway configuration.
- Persistence – Finally, CVE‑2026‑44112 lets the attacker write outside the sandbox. They can drop a persistent backdoor (e.g., a systemd service or a modified OpenShell binary) and alter configuration files so the malicious code survives reboots and updates.
Each step mimics legitimate agent behavior, making detection by traditional file‑integrity or behavior‑based tools difficult.
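The data‑exfiltration step leans on CVE‑2026‑44115, the heredoc bypass of the command allow list. The following is an added example, not OpenClaw's validator: it shows why a check that looks only at the command word is defeated by an unquoted heredoc, and a stricter check that inspects the redirection and the heredoc body. The allow list and the sample scripts are constructed; the shell fact relied on is that the body of `<<EOF` undergoes parameter expansion and command substitution, while the body of `<<'EOF'` does not.

```javascript
// Added example: allow-list validation versus heredoc expansion (not OpenClaw code).

const ALLOW = new Set(['cat', 'echo', 'tee']);   // constructed allow list

// Vulnerable: decides on the command word alone.
function naiveCheck(script) {
  const word = script.trim().split(/\s+/)[0];
  return ALLOW.has(word) ? { ok: true } : { ok: false, reason: `${word} not allow-listed` };
}

// Heredoc operator: optional '-', then a quoted or bare delimiter.
const HEREDOC = /<<(-?)\s*(?:'([^']+)'|"([^"]+)"|(\S+))/;
// Separators and expansion starters that must not appear on the command line.
const METACHARS = /[;&|`]|\$\(|\$\{|\$[A-Za-z_]/;

// Stricter: command word, the rest of the command line, and the heredoc body.
function strictCheck(script) {
  const lines = script.split('\n');
  const head = lines[0];
  const word = head.trim().split(/\s+/)[0];
  if (!ALLOW.has(word)) return { ok: false, reason: `${word} not allow-listed` };

  const m = HEREDOC.exec(head);
  const cmdLine = m ? head.slice(0, m.index) : head;
  if (METACHARS.test(cmdLine)) return { ok: false, reason: 'shell metacharacter in command line' };
  if (!m) return { ok: true };

  // Anything after the heredoc operator (e.g. "| sh") is still shell syntax.
  const tail = head.slice(m.index + m[0].length);
  if (METACHARS.test(tail)) return { ok: false, reason: 'shell metacharacter after heredoc' };

  const quoted = m[2] !== undefined || m[3] !== undefined;
  const delim = m[2] ?? m[3] ?? m[4];
  const stripTabs = m[1] === '-';          // <<- strips leading tabs from body lines
  const body = [];
  let closed = false;
  for (const raw of lines.slice(1)) {
    const line = stripTabs ? raw.replace(/^\t+/, '') : raw;
    if (line === delim) { closed = true; break; }
    body.push(line);
  }
  if (!closed) return { ok: false, reason: 'unterminated heredoc' };
  // An unquoted delimiter means the shell expands $VAR, $(...) and `...` in the body.
  if (!quoted && /[$`]/.test(body.join('\n'))) {
    return { ok: false, reason: 'unquoted heredoc body contains expansion characters' };
  }
  return { ok: true };
}

// Constructed inputs: the injection the naive check waves through.
const SAMPLES = {
  benign:  'cat <<EOF\nhello\nEOF',
  inject:  'cat <<EOF\n$(id)\nEOF',
  literal: "cat <<'EOF'\n$(id)\nEOF",
  piped:   'cat <<EOF | sh\nls\nEOF',
};
```

The point of the second check is not the specific regex but where it looks: a heredoc with an unquoted delimiter hands its body to the shell for expansion, so `cat` is the command in name only. Requiring a quoted delimiter (or rejecting `$` and backticks in the body) is the minimum; a validator that fails closed on anything it cannot parse, as this one does for an unterminated heredoc, is safer than one that guesses.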
Expert perspective
“By weaponizing the agent’s own privileges, an adversary moves through data access, privilege escalation, and persistence – using the agent as their hands inside the environment,” — Cyera senior analyst, Maya Patel
Patel emphasizes that the chain’s power comes from chaining sandbox escape with access‑control misuse. “Most organizations trust the sandbox as a hard boundary. When the boundary is broken, the next logical target is the token that tells the system who is allowed to do what. If that token can be forged, the attacker essentially has a master key.”
Mitigation steps
- Upgrade immediately – Deploy OpenClaw 2026.4.22 or later. The release removes the senderIsOwner header, introduces separate owner and non‑owner bearer tokens, and tightens sandbox mount‑root checks.
- Enforce least‑privilege tokens – Ensure that any service interacting with OpenClaw uses the non‑owner token unless absolutely necessary. Rotate tokens regularly.
- Audit plugin sources – Verify the provenance of all OpenShell plugins and reject unsigned or community‑sourced plugins until they are reviewed.
- Monitor for unusual file writes – Add alerts for writes to critical paths outside the expected sandbox directory (e.g., /etc/openclaw/, /usr/local/bin/).
- Enable kernel hardening – Set fs.protected_regular and fs.protected_fifos to 1 (or 2 to also cover group‑writable sticky directories) on Linux hosts. Be clear about their scope: these sysctls only refuse O_CREAT opens of regular files and FIFOs the caller does not own in world‑writable sticky directories such as /tmp, so they blunt a TOCTOU race that passes through such a directory and do nothing for a race inside the sandbox’s own mount root.
- Log loopback API calls – Capture and review all requests to the OpenClaw management API, especially those that include ownership flags.
What this means for the broader ecosystem
OpenClaw is widely used in CI/CD pipelines, edge‑device management, and cloud‑native workloads. The “Claw Chain” demonstrates how a seemingly isolated sandbox can become a launchpad for full‑system compromise when token validation is weak. Organizations that rely on similar agent‑based architectures should review their own ownership‑flag mechanisms and consider separating authentication from authorization at the API layer.
Quick reference links
- OpenClaw advisory and patch notes: https://github.com/openclaw/openclaw/releases/tag/2026.4.22
- CVE details (NVD): https://nvd.nist.gov/vuln/detail/CVE-2026-44112, https://nvd.nist.gov/vuln/detail/CVE-2026-44113, https://nvd.nist.gov/vuln/detail/CVE-2026-44115, https://nvd.nist.gov/vuln/detail/CVE-2026-44118
- Cyera analysis of the Claw Chain: https://www.cyera.com/blog/claw-chain-analysis
Bottom line: The four OpenClaw flaws illustrate how bugs that each have a bounded reach on their own combine into a full host compromise when chained. Updating to the patched version, tightening token handling, and adding focused monitoring are the fastest ways to neutralize the threat.
