
OpenClaw Vulnerabilities: 4 Flaws Enable Data Theft, Escalat

Four critical vulnerabilities in OpenClaw, chained together as 'Claw Chain,' have been detailed by researchers, enabling a cascade of severe security compromises. Attackers can now potentially exfiltrate data, seize elevated permissions, and plant persistent backdoors.

Diagram illustrating the four chained vulnerabilities in OpenClaw leading to data theft and persistence.

Key Takeaways

  • Four chained vulnerabilities in OpenClaw (Claw Chain) allow data theft, privilege escalation, and persistence.
  • Exploitation involves gaining sandbox access, exfiltrating data, escalating privileges, and planting backdoors.
  • The flaws include TOCTOU race conditions and improper access control, undermining sandbox security.
  • OpenClaw version 2026.4.22 has been released to address these critical issues.

Four flaws in OpenClaw, unearthed by researchers at Cyera and collectively named Claw Chain, have opened a Pandora’s Box for defenders. This isn’t just about finding a single bug; it’s about understanding how a sequence of exploitable weaknesses can grant an adversary a deep, persistent foothold within an environment, allowing them to pilfer data, elevate their privileges, and essentially become a ghost in the machine.

At the heart of this cascading failure are four distinct Common Vulnerabilities and Exposures (CVEs), each carrying its own weight but amplified when strung together. We’re talking about a CVSS score of 9.6 for one of them—a near-perfect storm of risk. These aren’t theoretical concerns; they’re pathways to compromise that allow an attacker to establish a beachhead, expose sensitive information, and plant malware that’s exceptionally difficult to detect.

The Anatomy of the Claw Chain

Let’s break down these vulnerabilities, because understanding the ‘how’ is critical to appreciating the ‘why’ it matters so much. We have:

  • CVE-2026-44112 (CVSS 9.6): This is a time-of-check/time-of-use (TOCTOU) race condition in the OpenShell managed sandbox backend. Think of it like a security guard checking your ID at the door, but by the time they’ve finished checking, the rule has changed, and you can waltz past them. In this case, an attacker can exploit this to bypass sandbox restrictions and redirect system writes to locations outside the intended secure area.
  • CVE-2026-44113 (CVSS 7.7): Another TOCTOU race condition, also in OpenShell. This one, however, flips the script from writing to reading. It allows an attacker to read files that are strictly outside the sandbox’s designated mount root, potentially exposing system configuration, credentials, or other sensitive data.
  • CVE-2026-44115 (CVSS 8.8): This vulnerability stems from an ‘incomplete list of disallowed inputs.’ Input validation often relies on lists, either of what is permitted (allowlists) or of what is forbidden (denylists). If a denylist is incomplete, or if the validation itself is flawed, attackers can find inputs it does not cover. Here, embedding shell expansion tokens within a ‘here document’ (heredoc) allows for the execution of unauthorized commands during runtime.
  • CVE-2026-44118 (CVSS 7.8): This is a classic case of improper access control. It allows clients who don’t own a particular resource—in this case, loopback clients—to impersonate an owner. This can lead to elevated privileges, giving attackers control over critical functions like gateway configuration, cron jobs (scheduled tasks), and the overall execution environment.

The Exploit Cascade: A Step-by-Step Nightmare

The real terror of Claw Chain lies in its sequential exploitation. Cyera outlines the chain as a four-step process, each building on the last:

  1. Initial Foothold: The attacker first gains code execution inside the OpenShell sandbox. This could happen via a malicious plugin, prompt injection in an AI-powered application, or any compromised external input that makes its way into the sandboxed environment.
  2. Data Exfiltration: With the sandbox breached, the attacker uses CVE-2026-44113 and CVE-2026-44115. This allows them to read sensitive files, extract credentials, and uncover secrets hidden within the system, all while operating under the guise of legitimate sandbox operations.
  3. Privilege Escalation: Next, CVE-2026-44118 comes into play. The attacker uses this to achieve owner-level control over the agent’s runtime. This is a massive leap in capability, moving from observation to direct manipulation of system functions.
  4. Persistence and Control: Finally, CVE-2026-44112 is used. With elevated privileges and the ability to bypass write restrictions, the attacker can plant backdoors, alter configurations, and establish a persistent presence that survives reboots and basic system checks.

Cyera’s analysis highlights a disturbing architectural failing: OpenClaw trusts a client-controlled ownership flag called senderIsOwner without validating it against the authenticated session. This is akin to a doorman asking the guest if they’re a VIP instead of checking their VIP wristband against the guest list. The MCP loopback runtime, in its corrected state, now issues separate tokens and derives ownership status solely from which token authenticated the request, effectively ending the spoofable header.

Why This Matters for Defenders

The real genius of this attack chain, and what makes it so insidious, is that each step looks like normal agent behavior to traditional security controls. When an agent is supposed to be accessing data or managing configurations, your standard monitoring tools might not flag it as suspicious. This broadens the ‘blast radius’ considerably and makes detection a significantly harder task. The agent, intended to be a tool for management and security, becomes the adversary’s primary instrument.

“By weaponizing the agent’s own privileges, an adversary moves through data access, privilege escalation, and persistence – using the agent as their hands inside the environment. Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder.”

This incident underscores a perennial challenge in securing complex systems: the dual-use nature of powerful tools. When an agent has broad access for legitimate administrative purposes, the same access can be weaponized by an attacker. The focus on chained vulnerabilities and their ability to mimic legitimate operations is a stark reminder that our defenses need to evolve beyond simple signature matching or anomaly detection on isolated events.

This isn’t just a vulnerability; it’s a blueprint for sophisticated attacks that can unfold with a chilling degree of stealth. The good news? OpenClaw has acknowledged these issues and released version 2026.4.22, which addresses all four vulnerabilities. The bad news? The complexity of these chained exploits highlights a persistent cat-and-mouse game where attackers are constantly probing for architectural weaknesses that, when combined, can unlock devastating consequences.


Written by
Threat Digest Editorial Team


Originally reported by The Hacker News