"By weaponizing the agent's own privileges, an adversary moves through data access, privilege escalation, and persistence -- using the agent as their hands inside the environment," Cyera warned.
Summary: a four-flaw chain that turns an agent into an attacker’s tool
Cybersecurity researchers at Cyera have disclosed a cluster of four vulnerabilities in OpenClaw they call "Claw Chain." Together, the flaws can be chained to let an attacker gain a foothold inside an OpenClaw-managed environment, extract secrets and files, escalate privileges to owner level, and then plant backdoors for persistence. Cyera and OpenClaw followed responsible disclosure procedures; all four issues were fixed in OpenClaw version 2026.4.22, and security researcher Vladimir Tokarev is credited with reporting the flaws.
The four CVEs that compose Claw Chain
- CVE-2026-44112 (CVSS scores: 9.6/6.3) — A time-of-check/time-of-use (TOCTOU) race condition in the OpenShell managed sandbox backend. The check that a path lies within the mount root and the write that follows are separate steps, so a change made between them lets an attacker bypass the sandbox restriction and redirect the write outside the intended mount root. Cyera said successful exploitation could allow tampering with configuration, planting backdoors, and establishing persistent control over the host.
- CVE-2026-44113 (CVSS scores: 7.7/6.3) — The read-side counterpart: a TOCTOU race condition in OpenShell that allows attackers to bypass sandbox restrictions and read files outside the intended mount root. Cyera warned this could be weaponized to read system files, credentials, and internal artifacts.
- CVE-2026-44115 (CVSS score: 8.8) — An "incomplete list of disallowed inputs" vulnerability that lets attackers bypass allowlist validation by embedding shell expansion tokens (for example command or parameter substitution) in a here document (heredoc) body. The allowlist check does not catch tokens in that position, but the shell expands them at runtime, enabling execution of unapproved commands.
- CVE-2026-44118 (CVSS score: 7.8) — An improper access control vulnerability in which non-owner loopback clients can impersonate an owner to elevate privileges and gain control over gateway configuration, cron scheduling, and execution environment management.
How the exploitation chain unfolds, step by step
- Initial code execution: A malicious plugin, prompt injection, or compromised external input first gains code execution inside the OpenShell sandbox.
- Expose secrets: The attacker uses CVE-2026-44113 (read TOCTOU) together with CVE-2026-44115 (heredoc allowlist bypass) to extract credentials, secrets, and sensitive files from the environment.
- Privilege escalation to owner: The attacker exploits CVE-2026-44118 to obtain owner-level control of the agent runtime, enabling changes to gateway configuration and cron scheduling.
- Persistence and backdoors: Finally, CVE-2026-44112 is leveraged to redirect writes outside the mount root, allowing planting of backdoors and configuration changes that create persistent control.
Cyera summarized the operational risk plainly: "Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder."
Technical root cause and the OpenClaw remediation
According to Cyera, the root cause of CVE-2026-44118 was that OpenClaw trusted a client-controlled ownership flag named senderIsOwner without validating it against the authenticated session. OpenClaw's advisory described the remediation: "The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request. The spoofable sender-owner header is no longer emitted or trusted." All four vulnerabilities were addressed in OpenClaw version 2026.4.22.
What this means for security teams, affected enterprises, and procurement leaders
- Security teams: Teams running OpenClaw should prioritize updating to version 2026.4.22 or later. The chain described by Cyera combines data exfiltration and privilege escalation with techniques that mimic legitimate agent behavior, so detection rules that rely on obvious anomalies may miss activity that uses the agent's own privileges; sandbox writes that land outside the mount root and owner-only operations issued by non-owner loopback clients are the concrete signals worth looking for.
- Affected enterprises: Organizations that deploy OpenShell sandboxes or OpenClaw agents need to inventory where those components run and assess whether any plugins or external inputs could reach OpenShell contexts; Cyera highlighted that a malicious plugin, prompt injection, or compromised external input is the initial vector in the chain.
- Procurement leaders: The disclosure underscores the importance of patch management in agent-driven products. OpenClaw's fix changed authentication handling for owner versus non-owner operations; buyers should request evidence that similar products do not expose client-controllable flags that can be spoofed and should require timely vendor patching and disclosure practices.
Conclusion
Claw Chain is notable less for a single catastrophic bug than for how its parts fit together: a read TOCTOU, a write TOCTOU, an input-filter bypass, and an access-control flaw that trusted a client-supplied flag chain into a path from code execution to persistent owner control. The vendor patch in OpenClaw 2026.4.22 and the credited report by Vladimir Tokarev close the specific avenues described by Cyera, but the disclosure is a reminder of how agent privileges and subtle authentication assumptions can be turned into a complete compromise when an adversary "uses the agent as their hands inside the environment."