Four vulnerabilities in OpenClaw enable attackers to exfiltrate data, elevate privileges, and insert backdoors via the agent's own sandbox.
**Summary**
Four chainable vulnerabilities in OpenClaw, collectively called "Claw Chain," let an attacker who gets code running in the agent's own sandbox steal sensitive data, escalate privileges, and keep control of the compromised host. Cybersecurity firm Cyera, which found them, reports that they affect OpenClaw's OpenShell managed sandbox and its MCP loopback runtime. All four are fixed in OpenClaw version 2026.4.22.
The attack unfolds in four steps. First, a malicious plugin or compromised external input gets code executing inside the OpenShell sandbox. Second, CVE-2026-44113 and CVE-2026-44115 are exploited to expose credentials and other sensitive data. Third, CVE-2026-44118 grants owner-level access to the agent runtime by abusing an ownership flag that the runtime accepts without validating it. Finally, the most critical of the four, CVE-2026-44112, lets the attacker install backdoors and alter configuration, establishing persistence outside the sandbox.
CVE-2026-44118 stands out as an architectural flaw: OpenClaw trusts a client-controlled flag, senderIsOwner, instead of checking it against the authenticated session. Any non-owner loopback client can therefore set the flag and impersonate the owner, gaining control over critical configuration. OpenClaw's advisory recommends issuing separate bearer tokens to owner and non-owner clients and deriving senderIsOwner solely from the token that authenticated the request.
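The trust boundary the advisory describes, as an added example rather than OpenClaw's own code: a loopback handler that authenticates a bearer token and then consults the client-sent senderIsOwner field, next to one that derives owner status only from which token authenticated. The token values, the Session type, the handler names and the audit sink are all constructed for this example.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed tokens for the example. A real runtime would mint separate
# owner and non-owner bearer tokens at start-up and hand the owner token
# only to the owning process, never to sandboxed plugins.
OWNER_TOKEN = "owner-9f1c4b2e7d3a"
AGENT_TOKEN = "agent-0b7e6d5c4a3f"

AUDIT_LOG = []  # constructed stand-in for the runtime's audit sink


def audit(event: str) -> None:
    AUDIT_LOG.append(event)


@dataclass(frozen=True)
class Session:
    principal: str   # "owner" or "agent"
    is_owner: bool   # derived from the token, never from the request body


def authenticate(headers: dict) -> Optional[Session]:
    """Map a bearer token to a session. compare_digest keeps the check
    constant-time; a loopback caller can still measure timing."""
    auth = headers.get("authorization", "")
    if not auth.startswith("Bearer "):
        return None
    token = auth[len("Bearer "):].encode()
    if hmac.compare_digest(token, OWNER_TOKEN.encode()):
        return Session("owner", True)
    if hmac.compare_digest(token, AGENT_TOKEN.encode()):
        return Session("agent", False)
    return None


def config_write_vulnerable(headers: dict, message: dict) -> str:
    """The pattern behind the flaw: the caller is authenticated, but the
    owner decision is read from a field the caller itself wrote."""
    session = authenticate(headers)
    if session is None:
        return "401 unauthenticated"
    if message.get("senderIsOwner", False):   # attacker-controlled input
        return "200 config updated"
    return "403 owner required"


def config_write_fixed(headers: dict, message: dict) -> str:
    """Owner status comes solely from the authenticating token. The client
    field plays no part in the decision; a mismatch is logged, because a
    non-owner claiming ownership is itself a detection signal."""
    session = authenticate(headers)
    if session is None:
        return "401 unauthenticated"
    claimed = bool(message.get("senderIsOwner", False))
    if claimed != session.is_owner:
        audit(f"senderIsOwner={claimed} from principal={session.principal}")
    if not session.is_owner:
        return "403 owner required"
    return "200 config updated"


if __name__ == "__main__":
    agent = {"authorization": "Bearer " + AGENT_TOKEN}
    print("vulnerable:", config_write_vulnerable(agent, {"senderIsOwner": True}))
    print("fixed:     ", config_write_fixed(agent, {"senderIsOwner": True}))
```

The fixed handler is the advisory's recommendation in miniature: two distinct tokens, and the owner bit is a property of the session the token produced rather than of the message. Keeping the client field around only for logging turns a forged claim into an audit event instead of a privilege grant.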
The time-of-check/time-of-use (TOCTOU) races behind CVE-2026-44112 and CVE-2026-44113 let an attacker redirect a file operation to a location outside the sandbox's designated directories after the runtime has validated the path but before it uses it. CVE-2026-44115 exploits an incomplete command allowlist: shell expansion tokens placed inside a heredoc are still expanded by the shell, which then runs commands the allowlist would otherwise block.
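Both mechanisms in the paragraph above, as an added example that is not OpenClaw's code: a check-then-use sandbox write beside a version that walks the path one component at a time with O_NOFOLLOW (openat semantics via dir_fd, POSIX only), and a first-word command allowlist that still hands a heredoc to /bin/sh beside one that never invokes a shell and passes data over stdin. The sandbox layout, the race hook that stands in for a concurrent attacker, and the allowlist contents are constructed here.

```python
import os
import subprocess
import tempfile


# ---- 1. TOCTOU on a sandboxed file write ---------------------------------

def write_racy(root, rel, data, _race_hook=None):
    """Check-then-use. _race_hook simulates an attacker who swaps a path
    component between the check and the open (constructed for the demo)."""
    target = os.path.join(root, rel)
    inside = os.path.realpath(target).startswith(os.path.realpath(root) + os.sep)
    if not inside:
        raise PermissionError("outside sandbox")
    if _race_hook:
        _race_hook()                      # the window an attacker races
    with open(target, "wb") as f:         # follows whatever is there now
        f.write(data)


def write_safe(root, rel, data):
    """Open each component relative to the previous directory fd with
    O_NOFOLLOW, so a symlink inserted at any step is refused (ELOOP)
    rather than followed. Hard links and bind mounts need separate policy."""
    parts = [p for p in rel.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("invalid relative path")
    dir_flags = os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW
    fd = os.open(os.path.realpath(root), os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:
            nfd = os.open(comp, dir_flags, dir_fd=fd)
            os.close(fd)
            fd = nfd
        ffd = os.open(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC
                      | os.O_NOFOLLOW, 0o600, dir_fd=fd)
        try:
            os.write(ffd, data)
        finally:
            os.close(ffd)
    finally:
        os.close(fd)


def _read(path):
    with open(path, "rb") as f:
        return f.read()


def demo_toctou():
    """Returns (racy_escaped, safe_refused, safe_wrote) for a constructed
    sandbox in which work/out is swapped for a symlink pointing outside."""
    root, outside = tempfile.mkdtemp(), tempfile.mkdtemp()
    victim = os.path.join(outside, "victim")
    os.mkdir(os.path.join(root, "work"))
    link = os.path.join(root, "work", "out")

    write_racy(root, "work/out", b"pwned",
               _race_hook=lambda: os.symlink(victim, link))
    racy_escaped = os.path.isfile(victim) and _read(victim) == b"pwned"

    try:
        write_safe(root, "work/out", b"blocked")
        safe_refused = False
    except OSError:                       # final component is now a symlink
        safe_refused = _read(victim) == b"pwned"

    os.unlink(link)
    write_safe(root, "work/out", b"ok")   # legitimate path still works
    return racy_escaped, safe_refused, _read(link) == b"ok"


# ---- 2. Allowlist bypass through heredoc expansion -----------------------

ALLOWED = {"cat", "wc"}                   # constructed allowlist


def run_allowlisted_vulnerable(cmdline):
    """Checks the first word, then hands the whole line to /bin/sh. An
    unquoted heredoc body is still expanded, so $(...) runs anything."""
    if cmdline.split()[0] not in ALLOWED:
        raise PermissionError("command not allowed")
    return subprocess.run(cmdline, shell=True, capture_output=True,
                          text=True, check=True).stdout


def run_allowlisted_safe(argv, stdin_data=""):
    """No shell: the allowlisted program is exec'd directly and its input
    arrives on stdin, where nothing is ever expanded."""
    if not argv or argv[0] not in ALLOWED:
        raise PermissionError("command not allowed")
    return subprocess.run(argv, input=stdin_data, capture_output=True,
                          text=True, check=True).stdout
```

The racy writer's realpath check is not wrong in itself; the defect is that the path it checked and the path it opens are different objects in time. The per-component walk removes the gap because each open happens against an already-opened parent, and on Linux 5.6+ openat2 with RESOLVE_BENEATH expresses the same intent in one call. For the allowlist, the only durable fix is the one shown: never let allowlisted commands pass through a shell at all.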
Claw Chain is dangerous because every stage looks like normal agent activity to conventional security tooling. Cyera notes that an adversary riding the agent's own privileges can move through data access and privilege escalation without tripping the usual alarms, which both complicates detection and widens the potential impact.
OpenClaw's security has drawn criticism before, including a severe remote code execution vulnerability (CVE-2026-25253) found in January that let a website a user visited silently connect to the agent's local server. A Koi Security audit also found numerous malicious entries in ClawHub, OpenClaw's skill marketplace, exposing users to credential theft and unauthorized control of their agents.
In response to these concerns, Nvidia launched NemoClaw in March, an enterprise layer providing enhanced security, but this operates at the infrastructure level and does not address vulnerabilities within OpenClaw's own sandbox.
With over 3.2 million users and integrations with major platforms like ChatGPT, the potential impact of these vulnerabilities is substantial, particularly given that many users are still running outdated versions. Security researcher Vladimir Tokarev is credited with identifying these issues, and users are urged to update to version 2026.4.22 promptly.
This situation underscores a critical lesson for the AI agent sector: having autonomous agents that access sensitive information means that compromising such agents is akin to breaching user security. The industry needs to treat AI agent security with the same seriousness as that applied to operating systems and cloud infrastructures, rather than as an afterthought. Claw Chain is likely not the last vulnerability of this nature, but it might be the catalyst for necessary changes in industry practices.
