Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence
May 15, 2026 · The Hacker News

// signal_analysis

Cybersecurity researchers at Cyera have unveiled a critical set of four vulnerabilities, collectively dubbed "Claw Chain," impacting the OpenClaw ecosystem. These flaws, identified as CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118, can be chained together to facilitate data theft, achieve privilege escalation, and establish persistent control over compromised OpenClaw instances. The primary targets include the OpenShell managed sandbox backend and the gateway's configuration and execution environment management.

The "Claw Chain" comprises two time-of-check/time-of-use (TOCTOU) race conditions (CVE-2026-44112 and CVE-2026-44113) in OpenShell, allowing sandbox bypass for arbitrary writes and reads, respectively. CVE-2026-44115 is an incomplete allowlist bypass that permits unapproved command execution via shell expansion tokens within heredocs. The final flaw, CVE-2026-44118, is an improper access control vulnerability in which non-owner loopback clients could impersonate owners by spoofing a `senderIsOwner` flag; it is now mitigated by separate owner and non-owner bearer tokens in OpenClaw version 2026.4.22.
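As an added illustration of the CVE-2026-44118 pattern (example code written for this summary, not OpenClaw's own implementation): a gateway that trusts a client-supplied `senderIsOwner` flag beside one that derives ownership from which bearer token the client presents. The handler, request shape and token values are assumptions.

```python
"""Added example (not OpenClaw's code): a client-supplied ownership flag is not an
authorization signal; a separate owner bearer token, checked server-side, is.
Gateway handler, request layout and token values are hypothetical."""
import hmac

# Constructed sample tokens; a real gateway would load these from its config.
OWNER_TOKEN = "owner-" + "a" * 32
AGENT_TOKEN = "agent-" + "b" * 32


def is_owner_vulnerable(request: dict) -> bool:
    """Weak pattern: trusts a flag the loopback client sets itself.
    Any local process can send senderIsOwner=True and be treated as owner."""
    return bool(request.get("senderIsOwner", False))


def is_owner_hardened(request: dict) -> bool:
    """Fixed pattern: ownership follows from the bearer token the client presents,
    compared in constant time; the senderIsOwner field is ignored entirely."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, token = auth.partition(" ")
    if scheme != "Bearer" or not token:
        return False
    return hmac.compare_digest(token, OWNER_TOKEN)


def handle(request: dict, check) -> str:
    """Dispatch an owner-only action or the non-owner path, using the given check."""
    if check(request):
        return "owner-action-allowed"
    return "non-owner-only"


# Constructed requests: a non-owner loopback client that spoofs the flag,
# and a genuine owner that holds the owner token.
SPOOFED = {"senderIsOwner": True,
           "headers": {"Authorization": f"Bearer {AGENT_TOKEN}"}}
GENUINE = {"senderIsOwner": False,
           "headers": {"Authorization": f"Bearer {OWNER_TOKEN}"}}

if __name__ == "__main__":
    print(handle(SPOOFED, is_owner_vulnerable))  # owner-action-allowed (the bug)
    print(handle(SPOOFED, is_owner_hardened))    # non-owner-only
    print(handle(GENUINE, is_owner_hardened))    # owner-action-allowed
```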

These vulnerabilities carry significant implications for the OpenClaw ecosystem, particularly for agentic AI frameworks and multi-agent systems that rely on its security primitives. The ability to bypass sandboxing, execute arbitrary commands, and gain owner-level control fundamentally undermines the isolation and trust models essential for secure agent operations. This disclosure underscores the critical need for rigorous security auditing and robust design in agent runtime environments, especially concerning inter-agent communication and privilege management.

This signal demands immediate attention from several key stakeholders. Developers leveraging OpenClaw must

AI-generated · Grounded in source article