Cybersecurity researchers have uncovered a series of security flaws in **OpenClaw** that, when chained together, could lead to significant security breaches, including data theft, privilege escalation, and persistent access. **Claw Chain** Details Discovered by **Cyera**, the 'Claw Chain' vulnerabilities allow attackers to gain a foothold within the system, expose sensitive data, and plant backdoors. The vulnerabilities include: * **CVE-2026-44112** (CVSS score: 9.6/6.3): A time-of-check/time-of-use (TOCTOU) race condition vulnerability in the **OpenShell** managed sandbox backend. This flaw allows attackers to bypass sandbox restrictions and redirect writes outside the intended mount root. * **CVE-2026-44113** (CVSS score: 7.7/6.3): Another TOCTOU race condition vulnerability in **OpenShell**, enabling attackers to bypass sandbox restrictions and read files outside the intended mount root. * **CVE-2026-44115** (CVSS score: 8.8): An incomplete list of disallowed inputs vulnerability. Attackers can bypass allowlist validation by embedding shell expansion tokens in a here document (heredoc) body to execute unapproved commands at runtime. * **CVE-2026-44118** (CVSS score: 7.8): An improper access control vulnerability that could allow non-owner loopback clients to impersonate an owner to elevate their privileges and gain control over gateway configuration, cron scheduling, and execution environment management. Impact of Exploitation Successful exploitation of **CVE-2026-44112** could allow an attacker to tamper with configuration, plant backdoors, and establish persistent control over the compromised host. **CVE-2026-44113** could be leveraged to read system files, credentials, and internal artifacts. The exploitation chain involves the following steps: 1. A malicious plugin, prompt injection, or compromised external input gains code execution inside the **OpenShell** sandbox. 2. Leverage **CVE-2026-44113** and **CVE-2026-44115** to expose credentials, secrets, and sensitive files. 3. Exploit **CVE-2026-44118** to obtain owner-level control of the agent runtime. 4. Use **CVE-2026-44112** to plant backdoors or make configuration changes and set up persistence. Root Cause and Fixes According to **Cyera**, the root cause for **CVE-2026-44118** lies in **OpenClaw** trusting a client-controlled ownership flag called `senderIsOwner` without proper validation against the authenticated session. **OpenClaw** has addressed this issue by issuing separate owner and non-owner bearer tokens and deriving `senderIsOwner` exclusively from the token that authenticated the request. The spoofable `sender-owner` header is no longer emitted or trusted. Remediation All four vulnerabilities have been addressed in **OpenClaw** version 2026.4.22. Credit for discovering and reporting the issues is given to security researcher **Vladimir Tokarev**. Users are strongly advised to update to the latest version to mitigate potential threats. "By weaponizing the agent's own privileges, an adversary moves through data access, privilege escalation, and persistence -- using the agent as their hands inside the environment," **Cyera** stated. "Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder."