www.securityweek.com 5/18/2026, 12:41:50 PM

‘Claw Chain’ OpenClaw Flaws Allow Sandbox Escape, Backdoor Delivery

CyberSIXT Evidence Panel
Primary Source: cyera.com
CISA KEV: Not in KEV
Patch: Patch Available

Four vulnerabilities in the OpenClaw AI assistant have been linked into a chainable set named Claw Chain, capable of escaping the sandbox and delivering backdoors, security firm Cyera warns. The four flaws can be exploited in sequence to move from prompt injection and malicious input to reading files outside the mount root, executing unapproved commands, and ultimately gaining owner-level privileges to configure and orchestrate execution.

According to Cyera, the chain consists of a race condition (CVE-2026-44113) that allows reading outside the sandbox, an exec allowlist analysis bug (CVE-2026-44115) that allows running unapproved commands, an MCP loopback flaw (CVE-2026-44118) that allows privilege elevation, and a critical race condition in the OpenShell sandbox (CVE-2026-44112, CVSS 9.6) that allows writing data beyond the sandbox boundary.

The firm says there are over 60,000 publicly accessible OpenClaw instances, with attackers potentially accessing environment variables, tokens, and other sensitive data through the chain. All four vulnerabilities were reported to OpenClaw’s maintainers on 22 April and patches were rolled out the next day, according to SecurityWeek.


Article by CyberSIXT
