Four vulnerabilities in OpenClaw enable attackers to exfiltrate data, elevate privileges, and install backdoors via the agent's own sandbox.
**TL;DR** Four exploitable vulnerabilities in OpenClaw, collectively referred to as “Claw Chain,” allow attackers to misuse the agent's own sandbox for malicious purposes. Patches have been implemented.
Cybersecurity researchers at Cyera have revealed four vulnerabilities in OpenClaw that, when combined, enable an attacker to access sensitive information, escalate their privileges, and maintain ongoing control over an affected host. These vulnerabilities impact OpenClaw’s OpenShell managed sandbox backend and its MCP loopback runtime. All issues have been resolved in OpenClaw version 2026.4.22.
The attack sequence unfolds in four phases. Initially, a harmful plugin, prompt injection, or compromised external input executes code within the OpenShell sandbox. Next, two of the vulnerabilities, CVE-2026-44113 and CVE-2026-44115, are exploited to reveal credentials, secrets, and sensitive files. In the third stage, CVE-2026-44118 is leveraged to gain owner-level control of the agent runtime by taking advantage of a poorly validated ownership flag. Finally, CVE-2026-44112, the most critical flaw with a CVSS score of 9.6, facilitates the installation of backdoors, configuration changes, and the establishment of persistence outside the sandbox.
The most architecturally significant vulnerability is CVE-2026-44118, which arises from OpenClaw's reliance on a client-controlled flag named senderIsOwner without properly validating it against the authenticated session. Any non-owner loopback client could impersonate an owner, thus gaining control over gateway configurations, cron scheduling, and management of the execution environment. According to OpenClaw’s advisory, the solution involves assigning separate bearer tokens for owners and non-owners, with senderIsOwner now derived solely from the authenticating token instead of a spoofable header.
The two TOCTOU (time-of-check/time-of-use) race conditions, CVE-2026-44112 and CVE-2026-44113, enable attackers to circumvent sandbox limitations and redirect file reading or writing operations beyond the intended mount root. CVE-2026-44115 takes advantage of an incomplete allowlist by embedding shell expansion tokens within a heredoc body, which allows execution of commands that would typically be blocked at runtime.
What makes Claw Chain especially troubling is that each step mimics normal agent behavior, eluding conventional security measures. “By co-opting the agent’s privileges, an attacker navigates through data access, privilege elevation, and persistence by leveraging the agent as their means of operation within the environment,” Cyera stated. This tactic amplifies the attack's potential impact while making detection significantly more challenging because the malicious actions blend seamlessly with the legitimate functions the agent is designed to execute.
OpenClaw's security has faced scrutiny before. In January, a serious remote code execution vulnerability (CVE-2026-25253) allowed any website visited by a user to silently connect to the agent’s local server via an unvalidated WebSocket, which enabled a cross-site hijack to escalate to full code execution. A Koi Security audit of ClawHub, OpenClaw’s skill marketplace, identified 341 malicious entries among 2,857 skills, with attacks aimed at stealing credentials, establishing reverse shells, and hijacking agents for cryptocurrency mining.
Nvidia addressed some of these underlying security issues in March by introducing NemoClaw, an enterprise layer that integrates sandbox orchestration, privacy protections, and security enhancements on top of OpenClaw. This product was developed in collaboration with Cisco, CrowdStrike, Google, and Microsoft Security. However, NemoClaw functions at the infrastructure level, not the application level, meaning the Claw Chain vulnerabilities, embedded within OpenClaw’s sandbox, would have affected even NemoClaw-secured deployments prior to the patch.
The extent of the exposure is considerable. OpenClaw boasts over 3.2 million users, is linked to ChatGPT subscriptions through OpenAI, and has been utilized as an enterprise platform by Nvidia (NemoClaw) and Tencent (ClawPro). A substantial number of installations are running outdated, unpatched versions, and attackers have been targeting known vulnerabilities in versions prior to 2026.1.30 since at least February.
Security researcher Vladimir Tokarev has been acknowledged for discovering and reporting these vulnerabilities. Users are strongly urged to update to version 2026.4.22 without delay. The overarching lesson here is one that the AI agent sector has been slow to grasp: when an autonomous agent has access to files, credentials, APIs, and network resources, compromising the agent equates to compromising the user. Traditional perimeter security was not designed for an environment where software executing commands from external sources is the most privileged entity present.
Claw Chain is unlikely to be the final vulnerability disclosure of this nature. However, it may prompt the industry to approach AI agent security with