Claw Chain: four OpenClaw CVEs that turn an AI agent into the attacker's hands
Disclosed May 15, 2026, Cyera Research's Claw Chain chains four patched OpenClaw flaws — sandbox escape, env-var disclosure, MCP loopback EoP, symlink read escape — into full host takeover via the agent itself.
What is this?
On May 15, 2026, Cyera Research published Claw Chain, the public write-up for four chainable vulnerabilities in OpenClaw — one of the fastest-growing open-source platforms for autonomous AI agents. The four findings (CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, CVE-2026-44118) were reported in April 2026 and patched in OpenClaw release 2026.4.22 on April 23, 2026, three weeks before the public disclosure. Patches map to GitHub Security Advisories GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh and GHSA-x3h8-jrgh-p8jx.
The CVEs are individually painful — the highest scores 9.6 (CRITICAL) — but the editorial point is the chain. From a single foothold gained through prompt injection, a malicious plugin or a poisoned upstream input, an attacker walks straight to host-level persistence using the agent’s own privileges. Cyera reports roughly 65,000 (Shodan) to 180,000 (Zoomeye) publicly reachable OpenClaw instances at the time of disclosure.
How it works
OpenClaw connects an LLM to filesystems, SaaS apps, credentials and an execution sandbox called OpenShell. Each of the four flaws weakens a specific guarantee that the rest of the runtime assumes:
- CVE-2026-44112 — TOCTOU filesystem write escape (CVSS 9.6). A time-of-check / time-of-use race on OpenShell lets attackers redirect a validated write to a path outside the sandbox after the check has passed.
- CVE-2026-44115 — Execution allowlist env-var disclosure (CVSS 8.8). Commands cleared by the validator are re-expanded by the shell inside unquoted heredocs, leaking environment variables — API keys, bearer tokens, secrets — through a command that looked safe at validation time.
- CVE-2026-44118 — MCP loopback privilege escalation (CVSS 7.8). The MCP gateway trusts a client-controlled senderIsOwner flag without checking it against the authenticated session. A local process with a valid bearer token elevates itself to owner.
- CVE-2026-44113 — TOCTOU filesystem read escape (CVSS 7.7). The same race pattern on reads: swap a validated path for a symlink and the agent reads files it was never meant to touch.
Cyera describes the chain in four steps. Step 1 is foothold: code execution inside OpenShell via plugin, prompt injection, or poisoned input. Step 2 is exfiltration — CVE-2026-44113 plus CVE-2026-44115 dump secrets and reachable files. Step 3 is privilege escalation through CVE-2026-44118 to owner-level control of the gateway, cron and execution environment. Step 4 is persistence via CVE-2026-44112: backdoors are written outside the sandbox and survive restarts.
```text
# Conceptual chain — illustrative, not exploit code
foothold := plugin | prompt_injection | poisoned_input
exfiltrate := read_escape (CVE-44113) + env_leak (CVE-44115)
escalate := senderIsOwner = true (CVE-44118)
persist := write_escape (CVE-44112) → backdoor outside sandbox
```
Why it matters
Three lessons land harder than any single CVE.
First, the agent is the lateral-movement primitive. Each step in Claw Chain looks like normal agent activity to perimeter and EDR tools. The runtime is doing what it was built to do — read files, run commands, schedule jobs — only the inputs are hostile. There is no exotic exploit signature to catch.
Second, TOCTOU is back, dressed as an agent sandbox. Two of four CVEs are classic race conditions on path validation, a pattern infosec has chased for thirty years. The novelty is the threat model: a non-human, non-stop caller (the LLM) generates filesystem operations at machine speed, narrowing the time-of-check / time-of-use window and producing ideal conditions for the race.
Third, MCP trust boundaries are now a real attack surface. CVE-2026-44118 treats a client claim as ground truth. Any framework that exposes an MCP-style local gateway inherits this exact failure mode unless every privileged bit is bound to a server-side session, not to a flag the caller sends.
Defenses
Concrete actions that follow from the disclosure.
If you run OpenClaw, apply the 2026.4.22 release and the four GitHub advisories listed above. Treat every secret reachable by the agent runtime as potentially exposed during the window before the patch: rotate API keys, bearer tokens and credentials that lived in environment variables of OpenShell processes. Inventory internet-facing instances — Shodan reported roughly 65,000 — and put them behind authentication and network controls.
For any agent runtime, drop client-supplied authorization flags from the trust boundary. Bind owner, role and tenant strictly to the authenticated session on the server. The senderIsOwner pattern is the agentic equivalent of trusting a ?admin=true URL parameter.
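The two patterns side by side, as an added example that is not OpenClaw's code: a gateway that believes a body flag after checking only that the bearer token is valid, and one that derives the owner bit from the server-side session. The session table, token strings and the cron-style action are constructed for the demo.

```python
from dataclasses import dataclass
from typing import Callable

# Constructed server-side session store: bearer token -> (principal, is_owner).
# In a real gateway this is whatever the authentication layer already knows.
SESSIONS = {
    "tok-owner-0001": ("alice", True),
    "tok-plugin-0002": ("plugin-runner", False),
}

@dataclass(frozen=True)
class Request:
    bearer: str
    body: dict  # client-controlled JSON body, e.g. {"senderIsOwner": true}

def is_owner_vulnerable(req: Request) -> bool:
    """The failure mode the write-up describes: token validity is checked,
    then a caller-supplied flag is taken as the authorization decision."""
    if req.bearer not in SESSIONS:
        raise PermissionError("unauthenticated")
    return bool(req.body.get("senderIsOwner", False))

def is_owner_hardened(req: Request) -> bool:
    """The owner bit comes only from the session bound to the token. A flag in
    the body is ignored and recorded, since a client has no reason to send it."""
    session = SESSIONS.get(req.bearer)
    if session is None:
        raise PermissionError("unauthenticated")
    if "senderIsOwner" in req.body:
        print(f"audit: {session[0]} sent senderIsOwner in request body, ignored")
    return session[1]

def schedule_job(req: Request, owner_check: Callable[[Request], bool]) -> str:
    """A gated operation (scheduling a cron job, in the page's terms)."""
    if not owner_check(req):
        raise PermissionError("owner required")
    return "scheduled"
```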
Quote and isolate environment expansion in shell invocations. A validator that approves a command string but does not control how the shell expands variables inside heredocs is providing the illusion of an allowlist. Either deny ${...} and $VAR expansion at the validator level, or refuse heredocs entirely in agent-issued commands.
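One way to enforce that rule in a validator, as an added example rather than OpenClaw's own allowlist: an unquoted heredoc delimiter (<<EOF) makes the shell expand $VAR and ${...} in the body, a quoted one (<<'EOF') keeps the body literal, so the check rejects the former, optionally rejects heredocs altogether, and then rejects any expansion in the text the shell will actually process. The sample command strings are constructed; the check is deliberately conservative (a $ inside single quotes on the command line is also rejected).

```python
import re

# Heredoc operator: <<, optional -, optional quotes around the delimiter word.
HEREDOC_RE = re.compile(r"<<-?\s*(['\"]?)([A-Za-z_][A-Za-z0-9_]*)\1")
# Anything the shell would expand: $VAR, ${...}, $(...), positional/special params.
EXPANSION_RE = re.compile(r"\$(\{[^}]*\}|[A-Za-z_][A-Za-z0-9_]*|\(|[0-9@*#?])")

def validate_command(cmd: str, allow_quoted_heredocs: bool = True) -> tuple[bool, str]:
    """Return (ok, reason). Lines collected in `checked` are exactly the text
    the shell will expand; bodies of quoted heredocs are literal and skipped."""
    checked = []      # lines the shell will expand
    pending = []      # quoted delimiters whose bodies are still open
    for line in cmd.split("\n"):
        if pending:
            if line.strip() == pending[0]:    # terminator line: body closed
                pending.pop(0)
            continue                          # literal body text, never expanded
        for m in HEREDOC_RE.finditer(line):
            quoted, delim = m.group(1), m.group(2)
            if not quoted:
                return False, f"unquoted heredoc <<{delim} lets the shell expand its body"
            if not allow_quoted_heredocs:
                return False, "heredocs are not allowed in agent-issued commands"
            pending.append(delim)
        checked.append(line)
    if pending:
        return False, "unterminated heredoc"
    m = EXPANSION_RE.search("\n".join(checked))
    if m:
        return False, f"shell expansion {m.group(0)} outside a literal heredoc"
    return True, "ok"
```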
Eliminate the TOCTOU window. Open the file descriptor once, validate the inode via fstat on that descriptor, then operate on the descriptor — never re-open by path. Refuse symlinks crossing the sandbox root with O_NOFOLLOW and openat2 resolution flags.
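The descriptor-first pattern in code, as an added example that is not OpenClaw's implementation: the path is resolved one component at a time with O_NOFOLLOW relative to a sandbox root descriptor, the result is validated with fstat on that descriptor, and all later I/O goes through it, so there is no second lookup by path for a race to win. Linux openat2 with RESOLVE_BENEATH does the walk in one call but is not exposed by Python's standard library, hence the manual loop; the sandbox layout in the test is constructed.

```python
import os
import stat

DIR_FLAGS = os.O_RDONLY | os.O_NOFOLLOW | os.O_DIRECTORY | os.O_CLOEXEC

def open_beneath(root_fd: int, rel_path: str, flags: int = os.O_RDONLY, mode: int = 0o600) -> int:
    """Open rel_path strictly beneath root_fd and return the fd.
    Absolute paths, '..' and any symlink along the way are refused."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if rel_path.startswith("/") or not parts or ".." in parts:
        raise PermissionError(f"refusing path outside sandbox: {rel_path!r}")
    cur = os.dup(root_fd)
    try:
        for comp in parts[:-1]:
            # O_NOFOLLOW makes a symlinked directory fail with ELOOP instead of
            # being followed; O_DIRECTORY rejects anything that is not a dir.
            nxt = os.open(comp, DIR_FLAGS, dir_fd=cur)
            os.close(cur)
            cur = nxt
        fd = os.open(parts[-1], flags | os.O_NOFOLLOW | os.O_CLOEXEC, mode, dir_fd=cur)
    finally:
        os.close(cur)
    st = os.fstat(fd)                      # validate the inode we actually hold
    if not stat.S_ISREG(st.st_mode):
        os.close(fd)
        raise PermissionError(f"not a regular file: {rel_path!r}")
    return fd

def read_sandboxed(root: str, rel_path: str) -> bytes:
    """Read a file beneath the sandbox root using only the held descriptor."""
    root_fd = os.open(root, DIR_FLAGS)
    try:
        fd = open_beneath(root_fd, rel_path)
    finally:
        os.close(root_fd)
    with os.fdopen(fd, "rb") as f:         # no re-open by path after the check
        return f.read()
```

Passing os.O_WRONLY | os.O_CREAT as flags gives the same guarantee for the write side, which is the case behind CVE-2026-44112.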
Finally, treat the agent as a privileged identity, not a tool. Scope what data, credentials and SaaS systems it can reach to the minimum useful set. Segment its network. Log per-plugin and per-prompt activity to an out-of-band sink so a compromised runtime cannot rewrite its own audit trail.
Status
| Item | Detail |
|---|---|
| CVEs | CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, CVE-2026-44118 |
| Highest CVSS | 9.6 (CRITICAL) — CVE-2026-44112 |
| Disclosed to maintainers | April 2026 |
| Fix | OpenClaw 2026.4.22 — April 23, 2026 |
| Public write-up | May 15, 2026 (Cyera Research) |
| Affected versions | All releases prior to 2026.4.22 |
| Exposed instances | ~65,000 (Shodan) · ~180,000 (Zoomeye) |
| GHSAs | GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, GHSA-x3h8-jrgh-p8jx |
| Reporter | Cyera Research |
Sources
- https://www.cyera.com/blog/claw-chain-cyera-research-unveil-four-chainable-vulnerabilities-in-openclaw
- https://thehackernews.com/2026/05/four-openclaw-flaws-enable-data-theft.html
- https://www.darkreading.com/application-security/claw-chain-vulnerabilities-threaten-openclaw
- https://www.esecurityplanet.com/threats/openclaw-vulnerabilities-could-enable-full-ai-agent-takeover/
- https://www.bankinfosecurity.com/patched-openclaw-flaw-let-hackers-hijack-ai-agents-a-31720
- https://cybersecuritynews.com/openclaw-chain-vulnerabilities/