Cybersecurity researchers have disclosed four flaws in OpenClaw that could be chained to steal data, raise privileges and maintain persistence, with fixes released in version 2026.4.22.
KEY FACTS
- Set of flaws: Four vulnerabilities were grouped under the name Claw Chain.
- Impact: The issues could enable sandbox escape, file reading, command execution and owner-level control.
- Patched version: OpenClaw says the problems were fixed in version 2026.4.22.
- Research credit: Vladimir Tokarev was credited with finding and reporting the issues.
A technical analysis from Cyera said the flaws affect OpenClaw’s OpenShell managed sandbox backend and can be chained in a four-step attack. The company said an attacker could first gain code execution through a malicious plugin, prompt injection or compromised input, then use the remaining flaws to move toward data theft and persistence.
Two of the issues are time-of-check to time-of-use race conditions, tracked as CVE-2026-44112 and CVE-2026-44113. The report says one can let an attacker redirect writes outside the intended mount root, while the other can expose files outside that boundary.
The other flaws are CVE-2026-44115, an incomplete input allowlist check that can permit unapproved commands in a heredoc body, and CVE-2026-44118, an access control problem that could let a non-owner client impersonate an owner. OpenClaw said its fix changes the loopback runtime to issue separate owner and non-owner bearer tokens and no longer trusts the spoofable sender-owner header.
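As an added illustration of the fix described for CVE-2026-44118 (this is not OpenClaw's code; the class, function and header names are assumptions): a loopback authorizer that derives the caller's role only from which of two separately issued bearer tokens it presents, shown next to the header-trusting pattern the fix replaces.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical request shape: only the headers matter for this check.
@dataclass
class Request:
    headers: dict = field(default_factory=dict)


class LoopbackAuthorizer:
    """Assumed stand-in for a loopback runtime that issues per-role bearer tokens."""

    def __init__(self):
        # One random token per role. A client only ever receives the token for the
        # privilege level it was issued, so it cannot "claim" the other role.
        self._tokens = {
            "owner": secrets.token_urlsafe(32),
            "non-owner": secrets.token_urlsafe(32),
        }

    def token_for(self, role):
        return self._tokens[role]

    def role_for_request(self, request):
        """Return 'owner', 'non-owner', or None for an unauthenticated request.

        Any client-supplied role header is ignored; the bearer token alone decides.
        """
        auth = request.headers.get("authorization", "")
        scheme, _, presented = auth.partition(" ")
        if scheme.lower() != "bearer" or not presented:
            return None
        for role, token in self._tokens.items():
            # Constant-time comparison on bytes (non-ASCII input would make the
            # str form raise) so the lookup does not leak timing information.
            if hmac.compare_digest(presented.encode(), token.encode()):
                return role
        return None


def weak_role_for_request(request):
    """The pattern being replaced: a spoofable header decides who is owner.

    'x-sender-owner' is an assumed header name standing in for the article's
    "sender-owner header"; any client can set it, so any client can be owner.
    """
    return "owner" if request.headers.get("x-sender-owner") == "1" else "non-owner"
```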
Cyera said successful exploitation of CVE-2026-44112 could allow tampering with configuration, planting backdoors and setting up persistent control. It also said CVE-2026-44113 could be used to read system files, credentials and internal artifacts.
WHY IT MATTERS
The disclosure shows how multiple bugs in an AI agent runtime can combine into a broader compromise that looks like normal system activity. OpenClaw users were advised to update to the latest version to reduce the risk of data loss, privilege escalation and persistent access.