Cybersecurity researchers have disclosed four security flaws affecting OpenClaw that, when chained together, could enable attackers to carry out data theft, privilege escalation, and persistence inside compromised systems. The vulnerabilities, collectively referred to as “Claw Chain” by cybersecurity company Cyera, affect OpenClaw’s OpenShell sandbox environment and related runtime mechanisms, potentially allowing malicious actors to gain unauthorized access, expose sensitive information, and maintain long term control over affected environments. The issues were publicly disclosed on May 15, 2026, with users advised to update their systems after fixes were released in OpenClaw version 2026.4.22.
According to Cyera, the vulnerability chain consists of four separate weaknesses that can be combined to increase the severity of an attack. The first issue, tracked as CVE 2026 44112 and carrying a CVSS score of 9.6 and 6.3 depending on evaluation metrics, is a time of check and time of use race condition vulnerability affecting the OpenShell managed sandbox backend. Researchers said the flaw may allow attackers to bypass sandbox restrictions and redirect file writes beyond the intended mount root, creating opportunities to tamper with configurations, establish persistence, or plant backdoors on compromised systems. A related flaw, CVE 2026 44113 with a CVSS score of 7.7 and 6.3, involves another time of check and time of use vulnerability that may enable attackers to bypass restrictions and read files outside designated boundaries, potentially exposing credentials, system files, and internal artifacts. A third issue, identified as CVE 2026 44115 with a CVSS score of 8.8, stems from an incomplete list of disallowed inputs. This vulnerability allows attackers to bypass validation mechanisms by embedding shell expansion tokens within heredoc content, enabling the execution of unauthorized commands during runtime.
Researchers also identified CVE 2026 44118, an improper access control vulnerability with a CVSS score of 7.8, which may allow non owner loopback clients to impersonate legitimate owners and gain elevated privileges. According to Cyera, successful exploitation could provide attackers with access to gateway configuration, cron scheduling, and execution environment management capabilities. The cybersecurity company stated that exploitation would typically begin with a malicious plugin, prompt injection, or compromised external input gaining code execution within the OpenShell sandbox. From there, attackers could combine CVE 2026 44113 and CVE 2026 44115 to expose sensitive credentials and internal files, before leveraging CVE 2026 44118 to gain owner level privileges over the runtime environment.
Cyera further explained that attackers could then use CVE 2026 44112 to modify configurations, deploy backdoors, and maintain persistent access to affected hosts. The root cause behind CVE 2026 44118 was linked to OpenClaw trusting a client controlled ownership flag known as “senderIsOwner,” which determined access to owner only tools without proper session validation. In response, OpenClaw implemented changes ensuring separate owner and non owner bearer tokens are issued and ownership status is now derived only from authenticated requests, removing reliance on spoofable ownership headers. Security researcher Vladimir Tokarev has been credited with discovering and reporting the vulnerabilities, while OpenClaw confirmed that all four issues have been addressed in version 2026.4.22. Security experts are advising organizations and users running affected deployments to update immediately to reduce exposure to potential attacks.
Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.
