The four OpenClaw flaws allow attackers to steal data, escalate privileges, and build backdoors through the agent’s own sandbox.


TL;DR

A four-chain OpenClaw flaw called “Claw Chain” allows attackers to weaponize an agent’s own sandbox. Patches are live.

Cybersecurity researchers at Cyera have disclosed four vulnerabilities in OpenClaw that, when chained together, could allow an attacker to steal sensitive data, elevate privileges, and establish persistent control over a compromised host. The flaws, collectively called “Claw Chain,” affect OpenClaw’s OpenShell-managed sandbox backend and its MCP fallback runtime. All four were patched in OpenClaw version 2026.4.22.

The attack chain works in four stages. First, a malicious plugin, prompt injection, or compromised external access obtains code execution within the OpenShell sandbox. Second, two vulnerabilities, CVE-2026-44113 and CVE-2026-44115, are used to expose credentials, secrets, and sensitive files. Third, CVE-2026-44118 is used to gain owner-level control of the agent’s runtime by abusing an improperly validated ownership flag. Fourth, CVE-2026-44112, the most serious of the four with a CVSS score of 9.6, is used to deploy backdoors, modify configuration, and establish persistence outside of the sandbox.

The most interesting architectural flaw is CVE-2026-44118, which stems from OpenClaw’s reliance on a client-controlled flag called senderIsOwner without validating it against an authenticated session. Any non-owner loopback client can impersonate the owner and gain control over gateway configuration, cron scheduling, and execution environment management. According to OpenClaw, the fix issues separate owner and non-owner bearer tokens; senderIsOwner is now derived only from the authenticating token and no longer from the spoofable header.
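The pattern behind CVE-2026-44118 and its fix, as an added illustration (not OpenClaw’s code): the vulnerable check trusts a client-supplied ownership flag, the hardened check derives ownership solely from which bearer token authenticated. The token values, the `x-sender-is-owner` header name and the action names are constructed for the example.

```typescript
// Constructed tokens standing in for the separate owner and non-owner bearer tokens.
const OWNER_TOKEN = "owner-token-constructed-example";
const NON_OWNER_TOKEN = "user-token-constructed-example";

interface GatewayRequest {
  headers: Record<string, string>; // header names lower-cased
  body: { action: string };
}

// Length-independent comparison so token checks do not leak by timing.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

function bearerMatches(req: GatewayRequest, expected: string): boolean {
  const auth = req.headers["authorization"] ?? "";
  return auth.startsWith("Bearer ") && constantTimeEqual(auth.slice(7), expected);
}

// Vulnerable pattern: any authenticated client becomes "owner" by sending the flag itself.
// (Header name is an assumption; the page only says the flag came from a spoofable header.)
function isOwnerVulnerable(req: GatewayRequest): boolean {
  const authenticated = bearerMatches(req, OWNER_TOKEN) || bearerMatches(req, NON_OWNER_TOKEN);
  return authenticated && req.headers["x-sender-is-owner"] === "true";
}

// Hardened pattern: ownership is a property of the credential, never of request content.
function isOwnerHardened(req: GatewayRequest): boolean {
  return bearerMatches(req, OWNER_TOKEN);
}

// Owner-only surfaces named after those the text lists (constructed action names).
const OWNER_ONLY_ACTIONS = new Set(["config.update", "cron.schedule", "execenv.manage"]);

function authorize(req: GatewayRequest, isOwner: (r: GatewayRequest) => boolean): "allow" | "deny" {
  if (!OWNER_ONLY_ACTIONS.has(req.body.action)) return "allow";
  return isOwner(req) ? "allow" : "deny";
}

// Constructed request: a non-owner token that asserts ownership through the header.
const SPOOFED_REQUEST: GatewayRequest = {
  headers: { authorization: `Bearer ${NON_OWNER_TOKEN}`, "x-sender-is-owner": "true" },
  body: { action: "cron.schedule" },
};
```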

Two TOCTOU (time-of-check/time-of-use) race conditions, CVE-2026-44112 and CVE-2026-44113, allow attackers to bypass sandbox restrictions and redirect file writes or reads outside the intended installation root. CVE-2026-44115 exploits an incomplete permission list: shell expansion tokens placed inside a heredoc body cause the execution of commands that the list would otherwise block at runtime.
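An added example of the heredoc gap described for CVE-2026-44115 (not OpenClaw’s code): a permission check that only inspects each line’s command word never sees the heredoc body, while a detection pass flags expansion tokens in bodies whose delimiter is unquoted (a quoted delimiter such as `<<'EOF'` disables expansion). The allowlist and sample scripts are constructed.

```typescript
// Constructed allowlist of permitted command words.
const ALLOWED_COMMANDS = new Set(["cat", "echo", "tee"]);

interface Finding { line: number; text: string }

// Detects a heredoc start and whether its delimiter is quoted (<<'EOF' or <<"EOF").
function heredocStart(line: string): { delim: string; quoted: boolean } | null {
  const m = /<<-?\s*(['"]?)([A-Za-z_][A-Za-z0-9_]*)\1/.exec(line);
  return m ? { delim: m[2], quoted: m[1] !== "" } : null;
}

// The incomplete check the text describes: command words are checked, heredoc bodies skipped.
function commandWordsAllowed(script: string): boolean {
  let delim: string | null = null;
  for (const raw of script.split("\n")) {
    const line = raw.trim();
    if (delim !== null) { if (line === delim) delim = null; continue; }
    if (line === "" || line.startsWith("#")) continue;
    if (!ALLOWED_COMMANDS.has(line.split(/\s+/)[0])) return false;
    const h = heredocStart(line);
    if (h) delim = h.delim;
  }
  return true;
}

// Complementary check: flag $(...), `...`, ${...} and $VAR inside unquoted heredoc bodies.
function findHeredocExpansions(script: string): Finding[] {
  const findings: Finding[] = [];
  let delim: string | null = null;
  let quoted = false;
  script.split("\n").forEach((raw, i) => {
    const line = raw.trim();
    if (delim !== null) {
      if (line === delim) { delim = null; return; }
      if (!quoted && /\$\(|`|\$\{|\$[A-Za-z_]/.test(raw)) findings.push({ line: i + 1, text: raw });
      return;
    }
    const h = heredocStart(line);
    if (h) { delim = h.delim; quoted = h.quoted; }
  });
  return findings;
}

// Constructed samples: same body, unquoted delimiter (expanded) versus quoted delimiter (literal).
const UNQUOTED_SCRIPT = "cat <<EOF > note.txt\nhello $(id)\nEOF\n";
const QUOTED_SCRIPT = "cat <<'EOF' > note.txt\nhello $(id)\nEOF\n";
```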


What makes Claw Chain particularly troubling is that each step looks like normal agent behavior to traditional security controls. “By weaponizing the agent’s privileges, adversary information acquisition, privilege escalation, and persistence, the agent moves around the environment using the agent as its hands,” said Cyera. The attack expands the blast radius while making detection much more difficult because the malicious actions are indistinguishable from the legitimate operations the agent is designed to perform.

This is not the first time OpenClaw has been compromised. In January, a critical remote code execution vulnerability (CVE-2026-25253) allowed any website a user visited to silently connect to the agent’s local server via an unauthenticated WebSocket, chaining cross-site hijacking into full code execution. An audit by Koi Security of ClawHub, OpenClaw’s skills marketplace, found 341 malicious entries among the 2,857 skills available, with attacks designed to steal credentials, launch counterattacks, and hijack agents for cryptocurrency mining.

Nvidia addressed some of these structural security issues in March with NemoClaw, an enterprise layer that adds sandbox orchestration, privacy guards and security hardening on top of OpenClaw. The product was developed in cooperation with Cisco, CrowdStrike, Google and Microsoft Security. But NemoClaw works at the infrastructure level, not the software level, and the Claw Chain vulnerabilities sit inside OpenClaw’s own sandbox implementation, so even deployments hardened with NemoClaw were affected before the patch.

The scale of exposure matters. OpenClaw has over 3.2 million users, is integrated with ChatGPT subscriptions via OpenAI, and has been adopted as an enterprise platform by Nvidia (NemoClaw) and Tencent (ClawPro). A significant portion of the installed base runs older, unpatched versions, and attackers have been targeting known vulnerabilities in versions older than 2026.1.30 since at least February.

Security researcher Vladimir Tokarev is credited with discovering and reporting the issues. Users are advised to update to version 2026.4.22 immediately. The broader lesson is one the AI agent industry is slowly learning: when an autonomous agent has access to files, credentials, APIs, and network resources, compromising the agent is functionally equivalent to compromising the user. Traditional perimeter security is not designed for a world where the most privileged entity within the environment is software that executes instructions from external sources.

Claw Chain is hardly the last disclosure of this kind. However, it may be the one that forces the industry to treat AI agent security with the same seriousness it applies to operating systems and cloud infrastructure, not as an afterthought attached to a product that was never meant to be this important.
