"Claw Chain" Vulnerabilities in OpenClaw Enable Full System Compromise
A set of four vulnerabilities in the OpenClaw platform, dubbed "Claw Chain," allows attackers to bypass sandbox protections, escalate privileges, and establish persistent access to compromised systems.

Security researchers at Cyera have disclosed a collection of four vulnerabilities in the OpenClaw platform, collectively referred to as "Claw Chain," which allow attackers to perform data theft, escalate privileges, and establish persistent backdoors The Hacker News. By chaining these flaws, an adversary can compromise the OpenShell managed sandbox, effectively turning the agent into a tool for unauthorized system access.
The vulnerabilities primarily target the OpenShell sandbox backend and the agent's runtime environment. Two of the flaws, CVE-2026-44112 (CVSS 9.6) and CVE-2026-44113 (CVSS 7.7), are time-of-check/time-of-use (TOCTOU) race conditions that permit attackers to bypass sandbox restrictions, allowing them to read or write files outside of the intended mount root The Hacker News. Additionally, CVE-2026-44115 (CVSS 8.8) involves an incomplete allowlist validation, enabling attackers to execute unapproved commands by embedding shell expansion tokens within a heredoc body The Hacker News.
The final vulnerability, CVE-2026-44118 (CVSS 7.8), stems from improper access control where the system incorrectly trusted a client-controlled senderIsOwner flag The Hacker News. This allowed non-owner loopback clients to impersonate owners, granting them control over gateway configurations, cron scheduling, and the execution environment The Hacker News.
The exploitation process typically begins with code execution inside the OpenShell sandbox via a malicious plugin or prompt injection The Hacker News. From there, an attacker uses the TOCTOU and input validation flaws to exfiltrate secrets and credentials, then leverages the access control vulnerability to gain owner-level privileges The Hacker News. Finally, the attacker uses the sandbox escape flaw to plant backdoors and ensure persistence The Hacker News.
OpenClaw has addressed these issues in version 2026.4.22 The Hacker News. To mitigate the access control flaw, the company updated the MCP loopback runtime to issue separate bearer tokens for owners and non-owners, ensuring the senderIsOwner flag is no longer trusted The Hacker News. Users are strongly encouraged to update to the latest version immediately to prevent exploitation The Hacker News.
This discovery highlights the growing risk of "agent-based" attacks, where adversaries weaponize an agent's own legitimate privileges to move laterally within an environment The Hacker News. Because these actions often mimic normal agent behavior, they can be difficult for traditional security controls to detect, significantly increasing the potential blast radius of a compromise The Hacker News.
Cyera, the firm that discovered the flaws, disclosed that the chain includes a race condition (CVE-2026-44113) for reading files outside the mount root, an exec allowlist bypass (CVE-2026-44115), an MCP loopback privilege escalation (CVE-2026-44118), and a critical sandbox race condition (CVE-2026-44112, CVSS 9.6) for writing data outside the sandbox. The researchers warned that over 60,000 publicly accessible OpenClaw instances exist, and that the attack chain can leak credentials, API keys, tokens, credentials, and internal configurations while appearing as normal agent behavior. OpenClaw maintainers patched all four vulnerabilities within a day of the April 22 disclosure.
Dark Reading's coverage adds new details on the attack chain, noting that each step exploits the agent's own legitimate capabilities, making malicious activity appear as normal behavior to conventional security monitoring tools. The article also includes commentary from Darktrace's Justin Fier, who warns that OpenClaw's intrusive access requirements—including file system, mouse, and keyboard access—compound the risk when stacked with exploit chains. Additionally, the report highlights that OpenClaw has been a frequent target of security research, with prior vulnerabilities enabling token theft and command injection.
The GovInfoSecurity report adds that Cyera researchers dubbed the four chainable vulnerabilities collectively as 'Claw Chain,' and that the most severe flaw, CVE-2026-44112, carries a CVSS score of 9.6. It also provides new context on the scale of exposure: Shodan and ZoomEye scans identified approximately 65,000 to 180,000 publicly reachable OpenClaw instances, totaling roughly 245,000 servers, many lacking authentication controls. The article further notes that OpenClaw became GitHub's most-starred project within three months of launch, and that researchers have tracked over 500 GitHub Security Advisories against the platform.