Claw Chain: Critical OpenClaw Vulnerabilities (CVE-2026-44112, 44113, 44115, 44118) Enable Data Theft, Privilege Escalation, and Persistent Access

Executive Summary

A coordinated set of four critical vulnerabilities, collectively known as the Claw Chain, has been identified in the OpenClaw agent platform. These flaws—CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118—can be chained by adversaries to facilitate data theft, privilege escalation, and persistent unauthorized access to affected systems. The vulnerabilities impact core components of OpenClaw, including its sandboxing, authentication, and command validation mechanisms. Exploitation in the wild has been confirmed by multiple independent sources, and the attack chain is sophisticated, leveraging normal agent behaviors to evade detection. Immediate remediation is strongly advised for all organizations utilizing OpenClaw.

Technical Information

The Claw Chain comprises four distinct but chainable vulnerabilities within the OpenClaw platform. Each flaw targets a different aspect of the agent’s security model, and when exploited in sequence, they enable a full compromise of confidentiality, integrity, and availability.

The first vulnerability, CVE-2026-44112, is a time-of-check/time-of-use (TOCTOU) race condition in the OpenShell managed sandbox backend. This flaw allows an attacker to bypass sandbox restrictions and redirect file writes outside the intended mount root. By exploiting this, adversaries can tamper with agent configuration files, plant persistent backdoors, and modify system settings, effectively establishing long-term control over the compromised host.

The second vulnerability, CVE-2026-44113, is another TOCTOU race condition, this time enabling attackers to read files outside the sandbox’s intended boundaries. This can be weaponized to exfiltrate sensitive system files, credentials, and internal artifacts, providing the attacker with the necessary information to further escalate privileges or move laterally within the environment.

The third vulnerability, CVE-2026-44115, arises from an incomplete list of disallowed inputs in the shell allowlist validation logic. Attackers can bypass command allowlisting by embedding shell expansion tokens within a heredoc body, causing the agent to execute unapproved commands at runtime. This undermines the integrity of the command execution environment and can be used to run arbitrary code with the agent’s privileges.
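A validator-side check for this gap, as an added example that is not OpenClaw code: it walks a command string, finds each heredoc, and reports body lines the shell would expand because the delimiter is unquoted. The function name and the sample strings are constructed for illustration, and the check deliberately over-reports rather than under-reports.

```javascript
// Added example, not OpenClaw code. findExpandingHeredocs() is a hypothetical helper.
// Shell rule being checked: with an unquoted delimiter (<<EOF, <<-EOF) the body gets
// parameter expansion, command substitution and arithmetic expansion; quoting any
// part of the delimiter (<<'EOF', <<"EOF", <<\EOF) makes the body literal text.
const HEREDOC_OP = /(?<!<)<<(?!<)(-?)[ \t]*(?:(['"])(.*?)\2|(\\?)([^\s'"\\<>|&;()]+))/g;
// Conservative on purpose: an escaped \$ is also flagged, so the check fails closed.
const EXPANSION = /\$[({A-Za-z_0-9@*#?!$-]|`/;

function findExpandingHeredocs(script) {
  const findings = [];
  const pending = []; // heredocs opened on a command line; their bodies follow in order
  script.split("\n").forEach((line, i) => {
    const doc = pending[0];
    if (doc) {
      const text = doc.stripTabs ? line.replace(/^\t+/, "") : line;
      if (text === doc.delim) { pending.shift(); return; }
      if (!doc.quoted && EXPANSION.test(text)) {
        findings.push({ line: i + 1, delim: doc.delim, text: text.trim() });
      }
      return;
    }
    for (const m of line.matchAll(HEREDOC_OP)) {
      pending.push({
        delim: m[3] ?? m[5],
        quoted: Boolean(m[2] || m[4]),
        stripTabs: m[1] === "-",
      });
    }
  });
  // A heredoc that never terminates means the parse cannot be trusted: report it.
  for (const doc of pending) {
    findings.push({ line: null, delim: doc.delim, text: "unterminated heredoc" });
  }
  return findings;
}

// Constructed inputs: every command line starts with "cat", yet only the
// quoted-delimiter form keeps its body inert.
const SAMPLE_EXPANDING = "cat <<EOF\nbuilt on $(date)\nhome is ${HOME}\nEOF";
const SAMPLE_LITERAL = "cat <<'EOF'\nbuilt on $(date)\nEOF";
const SAMPLE_TABS = "cat <<-END\n\thost `hostname`\n\tEND\necho done";
```

An allowlist that only inspects the command word would pass all three samples; treating any non-empty result from this check as a rejection closes the gap for the first and third.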

The fourth vulnerability, CVE-2026-44118, is an improper access control issue in the loopback client authentication mechanism. Non-owner loopback clients can impersonate an owner by manipulating a client-controlled ownership flag (senderIsOwner), which was not properly validated against the authenticated session. This enables privilege escalation, allowing attackers to gain control over gateway configuration, cron scheduling, and execution environment management.

The exploitation chain typically begins with initial access via a malicious plugin, prompt injection, or compromised external input, granting code execution within the OpenShell sandbox. The attacker then leverages CVE-2026-44113 and CVE-2026-44115 to access credentials and sensitive files, followed by CVE-2026-44118 to escalate privileges to owner-level control. Finally, CVE-2026-44112 is used to establish persistence by modifying configurations or planting backdoors.

The technical sophistication of this attack chain is notable. Each step mimics legitimate agent behavior, making detection by traditional security controls challenging. The vulnerabilities exploit fundamental trust boundaries within OpenClaw, highlighting the need for robust identity validation, strict sandbox enforcement, and comprehensive input validation in automation platforms.

Exploitation in the Wild

Multiple sources, including The Hacker News, Reddit, and LinkedIn, have confirmed active exploitation of the Claw Chain vulnerabilities in the wild. Attackers have been observed chaining these flaws to move laterally within networks, escalate privileges, and maintain persistent access. The tactics, techniques, and procedures (TTPs) employed often blend seamlessly with normal agent operations, complicating detection and response efforts.

Reported breaches indicate that attackers are leveraging the vulnerabilities to exfiltrate sensitive data, create unauthorized scheduled tasks, and deploy persistent malware. The exploitation chain is particularly dangerous because it does not rely on a single point of failure; instead, it systematically undermines multiple layers of the agent’s security architecture.

No public proof-of-concept exploit code has been released as of this report, but detailed technical descriptions and attack scenarios have been published by security researchers at Cyera and SentinelOne. The absence of public exploit code does not diminish the risk, as sophisticated threat actors have already demonstrated the ability to weaponize these vulnerabilities.

APT Groups Using These Vulnerabilities

As of the latest public reporting, no specific advanced persistent threat (APT) group has been formally attributed to the exploitation of the Claw Chain vulnerabilities. However, the complexity and stealth of the attack chain align with tactics commonly observed in operations conducted by advanced threat actors. The ability to chain multiple vulnerabilities, evade detection, and establish persistence suggests that nation-state or highly skilled criminal groups may be leveraging these flaws. Security teams should remain vigilant for indicators of compromise associated with APT activity, even in the absence of direct attribution.

Affected Product Versions

All versions of OpenClaw released prior to April 23, 2026, are affected by the Claw Chain vulnerabilities. This covers every release from the initial launch of OpenClaw (formerly known as "Clawdbot") up to, but not including, version 2026.4.22. All four vulnerabilities are patched in OpenClaw version 2026.4.22 and all subsequent releases.

Organizations running any version of OpenClaw prior to 2026.4.22 are at risk and must upgrade immediately to mitigate exposure.

Workaround and Mitigation

The primary remediation is to upgrade all OpenClaw deployments to version 2026.4.22 or later. This release addresses all four vulnerabilities by implementing robust sandbox enforcement, correcting input validation logic, and overhauling the authentication mechanism to eliminate trust in client-controlled ownership flags. The MCP loopback runtime now issues distinct owner and non-owner bearer tokens, and the spoofable sender-owner header is no longer accepted.
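The trust-boundary change described above for CVE-2026-44118, as an added example that is not OpenClaw code: a simplified model in which the flawed check reads a caller-supplied ownership flag and the corrected check derives the role only from the server-issued bearer token. The action names, token values and the `x-sender-is-owner` header name are assumptions for illustration.

```javascript
// Added example, not OpenClaw code: a simplified model of the loopback check.
// Action names, token values and the "x-sender-is-owner" header are hypothetical.
const OWNER_ONLY = new Set(["gateway.config.set", "cron.create", "exec.env.manage"]);

// Constructed token table: the server issues one bearer token per role.
const ISSUED = [
  { token: "tok-owner-EXAMPLE-1f3c", role: "owner" },
  { token: "tok-nonowner-EXAMPLE-9a7e", role: "non-owner" },
];

// No early exit, so timing does not reveal how much of a guess matched.
// (In Node, crypto.timingSafeEqual is the production choice.)
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    diff |= a.charCodeAt(i) ^ b.charCodeAt(i); // out-of-range index gives NaN, which ^ treats as 0
  }
  return diff === 0;
}

function roleFromToken(headers) {
  const m = /^Bearer (\S+)$/.exec(headers.authorization ?? "");
  let role = null;
  if (m) for (const t of ISSUED) if (constantTimeEqual(t.token, m[1])) role = t.role;
  return role;
}

// Flawed shape: the caller is authenticated, but the privilege decision reads
// a flag the caller wrote and never compares it with the authenticated session.
function authorizeFlawed(req) {
  if (roleFromToken(req.headers) === null) return false;
  return !OWNER_ONLY.has(req.action) || req.headers["x-sender-is-owner"] === "true";
}

// Corrected shape: the flag is never read; the role is whatever the server
// bound to the presented token when it issued it.
function authorize(req) {
  const role = roleFromToken(req.headers);
  if (role === null) return false;
  return !OWNER_ONLY.has(req.action) || role === "owner";
}

// Constructed requests for the test cases.
const SPOOFED = { action: "cron.create",
  headers: { authorization: "Bearer tok-nonowner-EXAMPLE-9a7e", "x-sender-is-owner": "true" } };
const OWNER = { action: "cron.create",
  headers: { authorization: "Bearer tok-owner-EXAMPLE-1f3c" } };
```

When reviewing a patched deployment, the case to confirm is the `SPOOFED` one: a non-owner token plus the ownership flag must be denied for owner-only actions.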

In addition to patching, organizations should conduct a thorough audit of agent logs for signs of suspicious activity, such as unexpected configuration changes, unauthorized file access, or the creation of new scheduled tasks. Runtime monitoring should be enhanced to detect anomalous agent behaviors, and identity and trust boundaries within automation systems should be strengthened.

Strategically, organizations are advised to treat agent platforms as potential attack vectors and to implement layered defenses that include runtime behavioral analytics, strict privilege separation, and continuous validation of agent actions.

References

The following sources provide additional technical details and context regarding the Claw Chain vulnerabilities:

The Hacker News: Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
Cyera Research
Reddit: OpenClaw Vulnerabilities Enable Data Theft and Elevated Privileges
SentinelOne: CVE-2026-44118 OpenClaw Privilege Escalation
LinkedIn: OpenClaw Flaws Post
NVD: CVE-2026-44112
NVD: CVE-2026-44113
NVD: CVE-2026-44115
NVD: CVE-2026-44118
