Overview
Cybersecurity firm Cyera has disclosed four security vulnerabilities in OpenClaw, an AI agent runtime platform, that can be chained into a full attack sequence enabling credential theft, privilege escalation, and persistent backdoor installation. Collectively named Claw Chain, the vulnerability set is particularly significant because it exploits the trust model baked into AI agent execution environments — turning the agent’s own runtime privileges against the host system.
All four CVEs were responsibly disclosed and have been patched in OpenClaw version 2026.4.22.
Technical Analysis
The four vulnerabilities span different layers of the OpenClaw stack:
CVE-2026-44112 (CVSS 9.6) — A TOCTOU race condition in the OpenShell managed sandbox backend. An attacker who wins the race between the path check and its use can redirect filesystem writes outside the intended mount root, enabling backdoor planting and configuration tampering.
CVE-2026-44113 (CVSS 7.7) — A companion TOCTOU flaw allowing reads outside the sandbox mount root, exposing system files, credentials, and internal secrets.
CVE-2026-44115 (CVSS 8.8) — An incomplete disallowed-inputs list that allows shell expansion tokens embedded within heredoc bodies to slip past allowlist validation, executing unapproved commands at runtime.
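The heredoc gap above is a validation-scope problem: the allowlist check looks at the command line, but the shell also performs parameter and command expansion inside an unquoted heredoc body, so the body needs the same scrutiny. The following added example (not OpenClaw's code; the allowlist, method of validation and sample scripts are constructed for illustration) shows a validator that inspects only the command line beside one that also walks each heredoc body, skipping bodies whose delimiter is quoted because the shell treats those literally.

```python
import re
import shlex
from dataclasses import dataclass
from typing import List, Optional

# Constructed allowlist for this demo; a real runtime would load its own policy.
ALLOWED_COMMANDS = {"cat", "tee", "echo"}

# On the command line, expansion tokens and command separators are both out.
CMDLINE_TOKENS = re.compile(r"\$\(|`|\$\{|\$[\w@*#?!-]|[;&|]")
# Inside an unquoted heredoc body the shell still performs parameter, command
# and arithmetic expansion, so any unescaped `$` or backtick is an expansion point.
BODY_TOKENS = re.compile(r"(?<!\\)[$`]")
# Matches <<EOF, <<-EOF, <<'EOF' and <<"EOF": group 1 is the quote (if any), group 2 the delimiter.
HEREDOC_MARKER = re.compile(r"<<-?\s*(['\"]?)([A-Za-z_][A-Za-z0-9_]*)\1")


@dataclass(frozen=True)
class Verdict:
    allowed: bool
    reason: str


def _check_command_line(cmdline: str) -> Optional[Verdict]:
    """Allowlist check plus token scan for the first line only."""
    try:
        argv = shlex.split(cmdline)
    except ValueError as exc:
        return Verdict(False, f"unparseable command line: {exc}")
    name = argv[0] if argv else ""
    if name not in ALLOWED_COMMANDS:
        return Verdict(False, f"command not in allowlist: {name!r}")
    hit = CMDLINE_TOKENS.search(cmdline)
    if hit:
        return Verdict(False, f"token {hit.group()!r} on command line")
    return None


def weak_validate(script: str) -> Verdict:
    """Inspects only the command line: heredoc bodies are never looked at."""
    return _check_command_line(script.split("\n", 1)[0]) or Verdict(True, "command line clean")


def validate(script: str) -> Verdict:
    """Inspects the command line, then every heredoc body whose delimiter is
    unquoted; a quoted delimiter makes the shell treat the body literally."""
    lines: List[str] = script.split("\n")
    bad = _check_command_line(lines[0])
    if bad:
        return bad
    i = 1
    for quote, delim in HEREDOC_MARKER.findall(lines[0]):
        start = i
        while i < len(lines) and lines[i].lstrip("\t") != delim:
            i += 1
        if i == len(lines):
            return Verdict(False, f"unterminated heredoc {delim!r}")
        if not quote:
            for n in range(start, i):
                hit = BODY_TOKENS.search(lines[n])
                if hit:
                    return Verdict(False, f"expansion token {hit.group()!r} "
                                          f"in unquoted heredoc body, line {n + 1}")
        i += 1                          # step over the terminator line
    if any(line.strip() for line in lines[i:]):
        return Verdict(False, "extra command lines after heredoc")
    return Verdict(True, "command line and heredoc bodies clean")


# Constructed sample scripts: one with a quoted delimiter (body is literal),
# one with an unquoted delimiter (body is expanded by the shell at runtime).
QUOTED_HEREDOC = "tee notes.txt <<'EOF'\nbudget is $500, `backticks` stay literal\nEOF"
UNQUOTED_HEREDOC = "tee notes.txt <<EOF\ngenerated on $(date)\nEOF"

if __name__ == "__main__":
    for label, script in (("quoted", QUOTED_HEREDOC), ("unquoted", UNQUOTED_HEREDOC)):
        print(label, "weak:", weak_validate(script), "full:", validate(script))
```

The conservative rule in `BODY_TOKENS` is deliberate: rather than maintaining a list of known-dangerous constructs (the approach whose incompleteness the advisory describes), it treats any unescaped `$` or backtick in an expanded body as disqualifying and leaves the quoted-delimiter form as the supported way to pass literal text.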
CVE-2026-44118 (CVSS 7.8) — An improper access control flaw in the MCP loopback runtime. OpenClaw trusted a client-controlled flag (senderIsOwner) to determine owner-level access without validating it against the authenticated session. A non-owner client could spoof this flag to gain full control over gateway configuration, cron scheduling, and execution environment management.
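The access-control point here is that authorisation must be derived from how the caller authenticated, never from a field the caller wrote into the request. The following added example (not OpenClaw's code; the gateway class, method names and token handling are constructed for illustration, modelled on the separate owner/non-owner bearer tokens the Mitigation section describes) puts a handler that reads `senderIsOwner` from the request beside one that takes owner status from the authenticated session and records any request whose claimed flag disagrees with that session.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List

# Constructed method names standing in for the owner-only operations the
# advisory lists (gateway configuration, cron scheduling, execution environment).
OWNER_ONLY_METHODS = {"config.set", "cron.schedule", "env.update"}


@dataclass(frozen=True)
class Session:
    client_id: str
    is_owner: bool      # derived from which bearer token authenticated, never from the request


class LoopbackGateway:
    def __init__(self) -> None:
        # Two distinct bearer tokens, the shape of the fix described for 2026.4.22.
        self.owner_token = secrets.token_urlsafe(32)
        self.agent_token = secrets.token_urlsafe(32)
        self.config: Dict[str, object] = {}
        self.audit: List[str] = []

    def authenticate(self, bearer: str, client_id: str) -> Session:
        """Map a presented bearer token to a session using constant-time comparison."""
        if hmac.compare_digest(bearer.encode(), self.owner_token.encode()):
            return Session(client_id, is_owner=True)
        if hmac.compare_digest(bearer.encode(), self.agent_token.encode()):
            return Session(client_id, is_owner=False)
        raise PermissionError(f"unknown bearer token from {client_id!r}")

    def handle_vulnerable(self, request: dict) -> dict:
        """The 'before' shape: authorisation hinges on a field the client wrote."""
        if request["method"] in OWNER_ONLY_METHODS and not request.get("senderIsOwner", False):
            return {"error": "owner required"}
        return self._dispatch(request)

    def handle(self, session: Session, request: dict) -> dict:
        """Authorisation uses the authenticated session only. A request that
        claims senderIsOwner without an owner session is refused, and the
        mismatch is recorded as a signal worth alerting on."""
        if request["method"] in OWNER_ONLY_METHODS:
            if request.get("senderIsOwner") and not session.is_owner:
                self.audit.append(f"{session.client_id}: senderIsOwner claimed on "
                                  f"{request['method']} without owner session")
            if not session.is_owner:
                return {"error": "owner required"}
        return self._dispatch(request)

    def _dispatch(self, request: dict) -> dict:
        method = request["method"]
        if method == "config.set":
            self.config.update(request.get("params", {}))
            return {"ok": True, "config": dict(self.config)}
        return {"ok": True, "method": method}


if __name__ == "__main__":
    gw = LoopbackGateway()
    plugin = gw.authenticate(gw.agent_token, "plugin-1")
    req = {"method": "config.set", "params": {"log_level": "debug"}, "senderIsOwner": True}
    print("vulnerable:", gw.handle_vulnerable(req))
    print("hardened:  ", gw.handle(plugin, req))
    print("audit:     ", gw.audit)
```

The audit entry is the detection hook: a non-owner session asserting `senderIsOwner` has no legitimate reason to exist, so a single occurrence is a high-signal alert rather than something to threshold.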
The exploitation chain follows four stages:
- Initial code execution via malicious plugin, prompt injection, or compromised external input inside the OpenShell sandbox.
- Leverage CVE-2026-44113 and CVE-2026-44115 to exfiltrate credentials, secrets, and sensitive files.
- Exploit CVE-2026-44118 to escalate to owner-level agent runtime control.
- Use CVE-2026-44112 to plant backdoors and establish persistence.
Framework Mapping
| Framework | Technique | Rationale |
|---|---|---|
| ATLAS AML.T0051 | LLM Prompt Injection | Initial foothold vector via injected agent inputs |
| ATLAS AML.T0057 | LLM Data Leakage | CVE-2026-44113 exposes credentials and internal artifacts |
| ATLAS AML.T0018 | Backdoor ML Model | CVE-2026-44112 enables persistent backdoor planting |
| ATLAS AML.T0012 | Valid Accounts | CVE-2026-44118 exploits trusted identity flags |
| OWASP LLM07 | Insecure Plugin Design | Malicious plugin as initial entry point |
| OWASP LLM08 | Excessive Agency | Agent runtime privileges weaponised against the host |
| OWASP LLM06 | Sensitive Information Disclosure | Credential and secrets exfiltration via sandbox escape |
Impact Assessment
Organisations running OpenClaw-backed AI agents in production environments are at risk of complete runtime compromise. The severity is elevated by the chained nature of the flaws — each step amplifies the next, moving from limited sandbox access to persistent host-level control. Environments where agents have access to secrets stores, internal APIs, or scheduling systems face the highest exposure.
Mitigation & Recommendations
- Patch immediately: Upgrade to OpenClaw version 2026.4.22, which issues separate owner/non-owner bearer tokens and eliminates the spoofable senderIsOwner header.
- Audit plugin inputs: Review all registered agent plugins and external input sources for signs of injection or tampering.
- Restrict agent privileges: Apply least-privilege principles to agent runtime environments; limit filesystem and scheduling access.
- Monitor for anomalous agent behaviour: Set alerts on unexpected file access patterns or configuration changes initiated by agent processes.