Four Chained OpenClaw Flaws Give Attackers Everything: From Your Files to Full System Control
Researchers named it "Claw Chain" for good reason: four individually dangerous vulnerabilities in OpenClaw link together into a seamless attack path that ends with persistent, undetected control of a compromised host.
When cybersecurity firm Cyera set their researchers loose on OpenClaw, they came back with something worse than a single critical bug. They found four of them, and when strung together, those four flaws form a complete attack chain that can move an adversary from zero foothold to persistent, privileged control of a compromised system, all while looking, to most monitoring tools, like ordinary agent activity.
Cyera is calling the chain "Claw Chain," and the name is apt. Each vulnerability is a claw; together, they grip.
The Four Vulnerabilities at a Glance
All four flaws affect OpenClaw 2026.4.22 and earlier, specifically its OpenShell managed sandbox backend, the component responsible for executing and isolating agent tasks.
| CVE ID | CVSS Score | Type | What It Allows |
|---|---|---|---|
| CVE-2026-44112 | 9.6 Critical | TOCTOU Race Condition (Write) | Bypass sandbox restrictions and redirect file writes outside the intended mount root, enabling backdoor planting and config tampering. |
| CVE-2026-44113 | 7.7 High | TOCTOU Race Condition (Read) | Bypass sandbox restrictions and read files outside the intended mount root, exposing credentials, secrets, and system files. |
| CVE-2026-44115 | 8.8 High | Incomplete Input Allowlist | Embed shell expansion tokens inside a heredoc body to bypass command allowlist validation and execute unapproved commands at runtime. |
| CVE-2026-44118 | 7.8 High | Improper Access Control | Allow non-owner loopback clients to impersonate an owner, gaining control over gateway configuration, cron scheduling, and execution environment management. |
How the Attack Chain Unfolds
The power of Claw Chain isn't in any single CVE; it's in how they connect. Cyera mapped out a four-stage exploitation sequence that takes an attacker from initial code execution inside a sandbox all the way to a persistent backdoor that survives reboots and blends into normal agent behavior.
1. A malicious plugin, a prompt injection, or any compromised external input achieves code execution inside the OpenShell sandbox. This is the entry point, and it's more accessible than it sounds, since AI agents routinely process untrusted external data.
2. Using the read-based TOCTOU flaw (CVE-2026-44113) and the allowlist bypass (CVE-2026-44115), the attacker reads files outside the sandbox boundary, harvesting credentials, API secrets, SSH keys, and internal configuration artifacts before the sandbox can catch it.
3. The attacker exploits the access control flaw (CVE-2026-44118) to impersonate an owner-level client. This hands them control over the agent's gateway configuration, cron scheduling, and execution environment, effectively turning the agent into a tool they now direct.
4. Finally, the write-based TOCTOU flaw (CVE-2026-44112) is used to plant backdoors or alter configuration files outside the sandbox, ensuring the attacker retains access even after restarts or re-deployments.
The Root Cause of CVE-2026-44118: A Trusted Flag That Shouldn't Be
Of the four, CVE-2026-44118 has the most instructive underlying cause. The vulnerability exists because OpenClaw's loopback runtime was trusting a client-controlled flag, `senderIsOwner`, to determine whether a caller had owner-level permissions. The problem? That flag was set by the client itself, not derived from any authenticated session. Any non-owner loopback client could simply declare itself an owner and be believed.
> By weaponizing the agent's own privileges, an adversary moves through data access, privilege escalation, and persistence, using the agent as their hands inside the environment. Each step looks like normal agent behavior to traditional controls, broadening the blast radius and making detection significantly harder.

Cyera Research
The fix is straightforward in hindsight: the MCP loopback runtime now issues separate bearer tokens for owner and non-owner clients, and the `senderIsOwner` determination is derived exclusively from which token authenticated the request. The spoofable header is no longer emitted or trusted.
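The pattern behind CVE-2026-44118 and its fix, as an added TypeScript illustration that is not OpenClaw's code: the request shape, the `authorizeVulnerable`/`authorizeFixed` functions, the action names and the token values are all hypothetical, and `LoopbackRequest` models only the fields needed to show the flaw.

```typescript
import { createHash, timingSafeEqual } from "node:crypto";

// Hypothetical shape of a loopback request; real OpenClaw messages differ.
interface LoopbackRequest {
  bearerToken?: string;
  senderIsOwner?: boolean; // client-supplied flag the vulnerable runtime trusted
  action: "setGatewayConfig" | "scheduleCron" | "listTasks";
}

// Owner-only operations (hypothetical names for the capabilities the article lists).
const OWNER_ONLY: ReadonlySet<string> = new Set(["setGatewayConfig", "scheduleCron"]);

// Vulnerable pattern: privilege is read straight from the request.
// Any loopback client can set senderIsOwner: true and be believed.
function authorizeVulnerable(req: LoopbackRequest): boolean {
  const isOwner = req.senderIsOwner === true; // attacker-controlled
  return isOwner || !OWNER_ONLY.has(req.action);
}

// Hardened pattern: the runtime issues two distinct bearer tokens at startup
// and derives owner status only from which token authenticated the request.
// Constructed sample tokens for this example; a real runtime generates them randomly.
const OWNER_TOKEN = "owner-token-constructed-example";
const CLIENT_TOKEN = "client-token-constructed-example";

// Constant-time comparison; hashing first gives equal-length buffers.
function tokenMatches(presented: string, expected: string): boolean {
  const a = createHash("sha256").update(presented).digest();
  const b = createHash("sha256").update(expected).digest();
  return timingSafeEqual(a, b);
}

function authorizeFixed(req: LoopbackRequest): boolean {
  const token = req.bearerToken ?? "";
  const isOwner = tokenMatches(token, OWNER_TOKEN);
  const isClient = isOwner || tokenMatches(token, CLIENT_TOKEN);
  if (!isClient) return false; // unauthenticated loopback caller
  // req.senderIsOwner is deliberately never consulted.
  return isOwner || !OWNER_ONLY.has(req.action);
}
```

A non-owner client presenting the client token with `senderIsOwner: true` is accepted by `authorizeVulnerable` and rejected by `authorizeFixed`, which is the whole difference the patch makes.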
Why This Matters for AI Agent Security
OpenClaw is not a niche product. It's part of a growing class of agentic AI infrastructure that organizations are deploying to automate complex workflows, and which, by design, has elevated access to internal systems, credentials, and APIs. That's what makes Claw Chain particularly concerning.
Traditional security monitoring is built around the assumption that anomalous behavior looks anomalous. An agent reading config files, adjusting cron schedules, and writing to the filesystem doesn't look anomalous; that's just an agent doing its job. An attacker who has threaded through these four CVEs is doing all of those things too, just not for your benefit. The signal is buried in the noise.
This is a theme that will only become more urgent as AI agents become more embedded in enterprise infrastructure. The attack surface isn't a login page or a network edge; it's the runtime itself, running with full trust, doing exactly what it's told.