Four Chained Vulnerabilities in OpenClaw Enable Data Theft, Privilege Escalation, and Persistence

TL;DR Cyera disclosed four vulnerabilities in OpenClaw that can be chained to compromise systems. The flaws span sandbox bypass, command execution, and privilege escalation, with CVSS scores ranging from 7.7 to 9.6. All four have been patched in OpenClaw version 2026.4.22, released following responsible disclosure.

What happened

Cyera disclosed four security flaws in OpenClaw, collectively branded "Claw Chain," that work in sequence to enable attackers to move from initial code execution through data exfiltration, privilege elevation, and persistence establishment.

Security researcher Vladimir Tokarev discovered and reported the issues. The vulnerabilities affect OpenShell (the managed sandbox backend) and the core OpenClaw runtime.

The attack chain unfolds across four stages:

A malicious plugin, prompt injection, or compromised external input executes code inside the OpenShell sandbox.
The attacker leverages CVE-2026-44113 and CVE-2026-44115 to extract credentials, secrets, and sensitive files from the sandbox environment.
Exploitation of CVE-2026-44118 grants the attacker owner-level control of the agent runtime.
CVE-2026-44112 is used to plant backdoors, modify configuration, and establish persistence on the host.

Each stage mimics legitimate agent behavior, making detection by traditional security controls more difficult.

Why it matters

For infrastructure teams running OpenClaw, this chain represents a critical path from sandbox escape to durable host compromise. The ability to chain these flaws means attackers do not need to exploit a single catastrophic vulnerability; instead, they can incrementally move through the system using lower-severity gaps that individually might appear containable.

The progression from data access to privilege escalation to persistence is particularly significant for SOC analysts. Because each step replicates normal agent operations, alerts may not cluster together, and the attack may not trigger threshold-based anomaly detection.

The timing of these disclosures and patches is important for teams planning patching cycles and vulnerability prioritization.

Affected systems and CVEs

OpenClaw – all versions prior to 2026.4.22
OpenShell (managed sandbox backend) – all versions prior to 2026.4.22

CVE Identifiers:

CVE-2026-44112 (CVSS 9.6/6.3) – TOCTOU race condition in OpenShell sandbox backend allowing write redirection outside mount root
CVE-2026-44113 (CVSS 7.7/6.3) – TOCTOU race condition in OpenShell allowing unauthorized file reads outside mount root
CVE-2026-44115 (CVSS 8.8) – Incomplete allowlist validation permitting shell expansion bypass via heredoc injection
CVE-2026-44118 (CVSS 7.8) – Improper access control allowing non-owner clients to impersonate owner and escalate privileges

What to do

Update OpenClaw to version 2026.4.22 or later without delay.
Implement separate bearer tokens for owner and non-owner authentication contexts; do not rely on a single token type or user-controlled flags.
Validate ownership and authorization status directly against the authenticated session rather than trusting client-supplied metadata (such as the senderIsOwner flag).
Remove any reliance on spoofable sender-owner headers in authentication or authorization logic.
Review audit logs for evidence of unusual sandbox access, file reads outside expected mount points, or unexpected privilege escalations prior to the patch date.

Open questions

No disclosure date is provided for when these vulnerabilities were originally discovered or reported to OpenClaw maintainers; the only confirmed date is the patch release (2026.4.22).
The advisory does not state whether these vulnerabilities have been exploited in production environments.
The scope of OpenClaw deployments in the MENA region and globally is not documented; the number of affected users is unknown.
No independent verification or analysis from other security researchers or vendors is referenced.