TL;DR
Four chainable OpenClaw flaws, collectively called “Claw Chain,” let an attacker weaponize the agent’s own sandbox. Patches are available.
Cybersecurity researchers at Cyera have disclosed four vulnerabilities in OpenClaw that, when chained together, allow an attacker to steal sensitive data, escalate privileges, and establish persistent control over a compromised host. The defects, collectively called “Claw Chain,” affect OpenClaw’s OpenShell managed sandbox backend and its MCP loopback runtime. All four have been patched in OpenClaw version 2026.4.22.
The attack chain works in four stages. First, a malicious plugin, prompt injection, or compromised external input obtains code execution within the OpenShell sandbox. Second, two of the vulnerabilities, CVE-2026-44113 and CVE-2026-44115, are exploited to expose credentials, secrets, and sensitive files. Third, CVE-2026-44118 is used to gain owner-level control of the agent runtime by abusing an improperly validated ownership flag. Fourth, CVE-2026-44112, the most severe of the four with a CVSS score of 9.6, is used to install backdoors, modify configuration, and establish persistence outside the sandbox.
The most architecturally interesting flaw is CVE-2026-44118, which stems from OpenClaw trusting a client-controlled flag called senderIsOwner without validating it against the authenticated session. Any non-owner loopback client could impersonate an owner and gain control over gateway configuration, cron scheduling, and runtime management. The fix, according to OpenClaw’s notice, issues separate owner and non-owner bearer tokens, and senderIsOwner now derives exclusively from the authentication token rather than from a client-supplied (and therefore forgeable) header.
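The ownership-flag defect and its fix are easy to show side by side. The following is an added illustration, not OpenClaw’s code: OpenClaw’s implementation language is not stated in the article, so Python is used, and the header names, token values and function names are assumptions. The vulnerable handler believes a `senderIsOwner` header; the hardened one ignores that header entirely and derives ownership from which of two bearer tokens authenticated the request, the pattern the notice describes.

```python
import hmac
import secrets
from typing import Optional

# Constructed tokens standing in for the separate owner and non-owner bearer
# tokens the fix describes (names and values are assumptions, not OpenClaw's).
OWNER_TOKEN = secrets.token_hex(32)
NON_OWNER_TOKEN = secrets.token_hex(32)


def vulnerable_is_owner(headers: dict) -> bool:
    """Pre-patch pattern: ownership is whatever the client claims in a header.
    Any authenticated non-owner client can set this to 'true'."""
    return headers.get("senderIsOwner", "").lower() == "true"


def _bearer(headers: dict) -> str:
    """Extract the bearer token from an Authorization header, or '' if absent."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" else ""


def hardened_is_owner(headers: dict) -> Optional[bool]:
    """Post-patch pattern: ownership is derived only from which token
    authenticated the request. Returns None for an unauthenticated caller so
    the gateway can reject it outright. A senderIsOwner header is never read."""
    token = _bearer(headers).encode()
    if hmac.compare_digest(token, OWNER_TOKEN.encode()):
        return True
    if hmac.compare_digest(token, NON_OWNER_TOKEN.encode()):
        return False
    return None


def authorize_owner_action(headers: dict, action: str) -> str:
    """Gate owner-only operations (gateway config, cron scheduling, runtime
    management) behind the token-derived flag rather than the client's claim."""
    owner = hardened_is_owner(headers)
    if owner is None:
        return "rejected: unauthenticated"
    if not owner:
        return f"rejected: {action} requires owner"
    return f"allowed: {action}"


if __name__ == "__main__":
    # Constructed request: a non-owner token plus a forged ownership header.
    forged = {"Authorization": f"Bearer {NON_OWNER_TOKEN}", "senderIsOwner": "true"}
    print("vulnerable:", vulnerable_is_owner(forged))      # True: the forgery works
    print("hardened:  ", authorize_owner_action(forged, "cron.schedule"))
```

The design point is that the authorization decision and the authentication decision come from the same secret: a caller cannot assert a privilege it was not issued a token for, and a constant-time comparison keeps the token check itself from leaking.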
Two TOCTOU (time-of-check/time-of-use) race conditions, CVE-2026-44112 and CVE-2026-44113, allow attackers to bypass sandbox restrictions and redirect file writes or reads away from the intended mount root. CVE-2026-44115 exploits an incomplete command allowlist by embedding shell expansion tokens within a heredoc body, allowing the execution of commands that would otherwise be blocked at runtime.
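The defensive counterpart to the two mount-root races is to stop resolving a path string and then opening it as two separate steps. The following added example (not OpenClaw’s code; Python on a POSIX system is assumed, and the file names are constructed) opens every path component relative to the previous component’s descriptor with `O_NOFOLLOW`, so a symlink or rename swapped in between check and use cannot redirect the final open outside the root, and rejects traversal components before touching the filesystem.

```python
import errno
import os
import tempfile


def open_confined(root_fd: int, rel_path: str, flags: int, mode: int = 0o600) -> int:
    """Open rel_path beneath the directory referred to by root_fd.

    No symlink is ever followed and no path string is resolved ahead of the
    open: each component is opened relative to the previous component's fd
    (openat semantics), which is the standard remedy for check-then-use races
    on file paths. Returns an open file descriptor; raises PermissionError
    when the path would leave the root or points at a symlink."""
    if os.path.isabs(rel_path):
        raise PermissionError("absolute paths are not allowed inside the mount root")
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("path traversal component rejected")
    cur = os.dup(root_fd)
    try:
        for comp in parts[:-1]:
            nxt = os.open(comp, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=cur)
            os.close(cur)
            cur = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW | os.O_CLOEXEC, mode, dir_fd=cur)
    except OSError as exc:
        # ELOOP: a component was a symlink; ENOTDIR: a component was not a directory.
        if exc.errno in (errno.ELOOP, errno.ENOTDIR):
            raise PermissionError(f"refusing to follow {rel_path!r}: {exc.strerror}") from exc
        raise
    finally:
        os.close(cur)


def demo() -> dict:
    """Constructed scenario: a mount root holding a plain file and a symlink
    that points outside the root, the shape of redirection a TOCTOU race
    aims to produce. Returns which checks held."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as outside:
        os.mkdir(os.path.join(root, "work"))
        victim = os.path.join(outside, "victim.txt")
        os.symlink(victim, os.path.join(root, "work", "escape.txt"))
        root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
        results = {}
        try:
            fd = open_confined(root_fd, "work/notes.txt", os.O_WRONLY | os.O_CREAT)
            os.write(fd, b"inside the mount root\n")
            os.close(fd)
            results["plain_write"] = os.path.exists(os.path.join(root, "work", "notes.txt"))
            try:
                open_confined(root_fd, "work/escape.txt", os.O_WRONLY | os.O_CREAT)
                results["symlink_blocked"] = False
            except PermissionError:
                results["symlink_blocked"] = True
            results["outside_untouched"] = not os.path.exists(victim)
            try:
                open_confined(root_fd, "../etc/passwd", os.O_RDONLY)
                results["traversal_blocked"] = False
            except PermissionError:
                results["traversal_blocked"] = True
        finally:
            os.close(root_fd)
        return results


if __name__ == "__main__":
    for check, held in demo().items():
        print(f"{check}: {'ok' if held else 'FAILED'}")
```

The root descriptor is opened once, at sandbox setup, and every later access is relative to it; a sandbox process that renames a directory or drops a symlink between the check and the write gains nothing, because there is no separate check to race against.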
What makes Claw Chain particularly concerning is that each step looks like normal agent behavior at traditional security checkpoints. “By weaponizing the agent’s own privileges, an adversary advances through data access, privilege escalation, and persistence, using the agent as its hands within the environment,” Cyera said. The attack widens the blast radius and makes detection significantly more difficult, because the malicious actions are indistinguishable from the legitimate operations the agent is designed to perform.
This is not the first time OpenClaw’s security has come under scrutiny. In January, a critical remote code execution vulnerability (CVE-2026-25253) allowed any website a user visited to silently connect to the agent’s local server via an unvalidated WebSocket, chaining a cross-site hijack into full code execution. A Koi Security audit of ClawHub, OpenClaw’s skills marketplace, found 341 malicious entries out of 2,857 available skills, with attacks designed to steal credentials, open reverse shells, and hijack agents for cryptocurrency mining.
Nvidia addressed some of these structural security concerns in March with NemoClaw, an enterprise layer that adds sandbox orchestration, privacy barriers, and security hardening on top of OpenClaw. The product was created in partnership with Cisco, CrowdStrike, Google and Microsoft Security. But NemoClaw operates at the infrastructure level, not the application level, and the Claw Chain vulnerabilities lie within OpenClaw’s own sandbox implementation, meaning that even deployments hardened with NemoClaw would have been affected before the patch.
The scale of the exposure is significant. OpenClaw has more than 3.2 million users, is integrated with ChatGPT subscriptions through OpenAI, and has been adopted as an enterprise platform by Nvidia (NemoClaw) and Tencent (ClawPro). A significant portion of the installed base runs older, unpatched versions, and attackers have been targeting known vulnerabilities in versions prior to 2026.1.30 since at least February.
Security researcher Vladimir Tokarev is credited with discovering and reporting the issues. Users are advised to update to version 2026.4.22 immediately. The broader lesson is one the AI agent industry has been slow to internalize: when an autonomous agent has access to files, credentials, APIs, and network resources, compromising the agent is functionally equivalent to compromising the user. Traditional perimeter security was not designed for a world where the most privileged entity within the environment is software that executes instructions from external sources.
Claw Chain is unlikely to be the last such vulnerability disclosure. However, it may be the one that forces the industry to treat the security of AI agents with the same rigor it applies to operating systems and cloud infrastructure, rather than as an afterthought bolted onto a product that was never designed to be this important.