
Four OpenClaw flaws let attackers steal data, escalate privileges, and plant backdoors through the agent’s own sandbox

May 16, 2026

TL;DR

Four chainable OpenClaw flaws dubbed “Claw Chain” let attackers weaponise the agent’s own sandbox. Patches are live.

Cybersecurity researchers at Cyera have disclosed four vulnerabilities in OpenClaw that, when chained together, allow an attacker to steal sensitive data, escalate privileges, and establish persistent control over a compromised host. The flaws, collectively dubbed “Claw Chain,” affect OpenClaw’s OpenShell managed sandbox backend and its MCP loopback runtime. All four have been patched in OpenClaw version 2026.4.22.

The attack chain works in four stages. First, a malicious plugin, prompt injection, or compromised external input gains code execution inside the OpenShell sandbox. Second, two of the vulnerabilities, CVE-2026-44113 and CVE-2026-44115, are exploited to expose credentials, secrets, and sensitive files. Third, CVE-2026-44118 is used to obtain owner-level control of the agent runtime by exploiting an improperly validated ownership flag. Fourth, CVE-2026-44112, the most severe of the four with a CVSS score of 9.6, is used to plant backdoors, modify configuration, and establish persistence outside the sandbox.

The most architecturally interesting flaw is CVE-2026-44118, which stems from OpenClaw trusting a client-controlled flag called senderIsOwner without validating it against the authenticated session. Any non-owner loopback client could impersonate an owner and gain control over gateway configuration, cron scheduling, and execution environment management. The fix, according to OpenClaw’s advisory, involves issuing separate owner and non-owner bearer tokens, with senderIsOwner now derived exclusively from the authenticating token rather than from a spoofable header.

The two TOCTOU (time-of-check/time-of-use) race conditions, CVE-2026-44112 and CVE-2026-44113, allow attackers to bypass sandbox restrictions and redirect file writes or reads outside the intended mount root. CVE-2026-44115 stems from an incomplete allowlist: by embedding shell expansion tokens inside a heredoc body, an attacker can execute commands that would otherwise be blocked at runtime.


What makes Claw Chain particularly concerning is that each step looks like normal agent behaviour to traditional security controls. “By weaponizing the agent’s own privileges, an adversary moves through data access, privilege escalation, and persistence, using the agent as their hands inside the environment,” Cyera said. The attack broadens blast radius while making detection significantly harder, because the malicious actions are indistinguishable from the legitimate operations the agent is designed to perform.

This is not the first time OpenClaw’s security has come under scrutiny. In January, a critical remote code execution vulnerability (CVE-2026-25253) allowed any website a user visited to silently connect to the agent’s local server through an unvalidated WebSocket, chaining a cross-site hijack into full code execution. A Koi Security audit of ClawHub, OpenClaw’s skill marketplace, found 341 malicious entries out of 2,857 available skills, with attacks designed to steal credentials, open reverse shells, and hijack agents for cryptocurrency mining.

Nvidia addressed some of these structural security concerns in March with NemoClaw, an enterprise layer that adds sandbox orchestration, privacy guardrails, and security hardening on top of OpenClaw. The product was built in partnership with Cisco, CrowdStrike, Google, and Microsoft Security. But NemoClaw operates at the infrastructure level, not the application level, and the Claw Chain vulnerabilities sit inside OpenClaw’s own sandbox implementation, meaning even NemoClaw-hardened deployments would have been affected before the patch.

The scale of the exposure is significant. OpenClaw has more than 3.2 million users, is integrated with ChatGPT subscriptions through OpenAI, and has been adopted as an enterprise platform by Nvidia (NemoClaw) and Tencent (ClawPro). A significant portion of the installed base is running older, unpatched versions, and attackers have been targeting known vulnerabilities in versions prior to 2026.1.30 since at least February.

Security researcher Vladimir Tokarev has been credited with discovering and reporting the issues. Users are advised to update to version 2026.4.22 immediately. The broader lesson is one the AI agent industry has been slow to internalise: when an autonomous agent has access to files, credentials, APIs, and network resources, compromising the agent is functionally equivalent to compromising the user. Traditional perimeter security was not designed for a world in which the most privileged entity inside the environment is software that executes instructions from external sources.

Claw Chain is unlikely to be the last vulnerability disclosure of this kind. It may, however, be the one that forces the industry to treat AI agent security with the same rigour it applies to operating systems and cloud infrastructure, rather than as an afterthought bolted onto a product that was never designed to be this important.
