Security researchers have disclosed four new vulnerabilities in the OpenClaw framework that an attacker can chain to gain initial access, steal credentials, escalate privileges and establish persistent backdoor access. The flaws, dubbed "Claw Chain" by Cyera, affect all OpenClaw versions released before 23 April 2026 (2026.4.22); the maintainers patched them after Cyera reported them last month.
The most severe flaw, CVE-2026-44112, carries a CVSS score of 9.6 and stems from a time-of-check/time-of-use (TOCTOU) race condition in OpenShell's sandbox. Winning the race lets an attacker modify system configuration files, drop a backdoor and retain persistent, system-level control.
Next is CVE-2026-44115 (CVSS 8.8), a logic flaw that can expose API keys, tokens and other sensitive data. The remaining two, CVE-2026-44118 and CVE-2026-44113 (both CVSS 7.8), involve a privilege escalation tied to improper session validation and a second TOCTOU vulnerability that allows improper access to internal data. Cyera described the combined impact as enabling an attacker to chain three of the vulnerabilities from a single entry point, potentially starting with a malicious plug-in or a manipulated prompt.
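The two TOCTOU flaws above share a pattern that is easy to get wrong in any sandbox: a path is checked at one moment and used at a later one, and the attacker changes what the path points to in between. The following Python is an added illustration of that bug class written for this page; it is not OpenClaw or OpenShell code and makes no claim about how their sandbox is actually implemented. The sandbox directory, the "victim" file standing in for a system configuration file, and the `attacker_hook` callback that makes the race deterministic are all constructed for the demonstration.

```python
import errno
import os
import shutil
import tempfile

# Illustration of the time-of-check/time-of-use (TOCTOU) bug class. Written for
# this page; not OpenClaw or OpenShell code. The sandbox wants to let an agent
# write only below SANDBOX_ROOT. attacker_hook stands in for the attacker's
# concurrent swap so the race outcome is deterministic instead of timing-based.


def vulnerable_write(sandbox_root, rel_path, data, attacker_hook=None):
    """Check-then-use: realpath() is validated, then the name is reopened later."""
    target = os.path.join(sandbox_root, rel_path)
    root = os.path.realpath(sandbox_root)
    # TIME OF CHECK: resolve symlinks and confirm the result stays inside the sandbox
    if not os.path.realpath(target).startswith(root + os.sep):
        raise PermissionError("path escapes sandbox")
    # The race window: a real attacker replaces the checked file with a symlink here
    if attacker_hook:
        attacker_hook()
    # TIME OF USE: open() resolves the name again and follows the new symlink
    with open(target, "w") as f:
        f.write(data)


def _open_nofollow(name, flags, dir_fd, mode=0o644):
    """openat() one path component without following symlinks; refuse if it is one.
    Linux reports ELOOP for a symlink final component and may report ENOTDIR when
    O_DIRECTORY is combined with O_NOFOLLOW on a symlink, so both are treated as a refusal."""
    try:
        return os.open(name, flags | os.O_NOFOLLOW, mode, dir_fd=dir_fd)
    except OSError as e:
        if e.errno in (errno.ELOOP, errno.ENOTDIR):
            raise PermissionError(f"refusing to follow symlink at {name!r}") from e
        raise


def hardened_write(sandbox_root, rel_path, data, attacker_hook=None):
    """Open-then-use: walk each component with openat()+O_NOFOLLOW so the kernel binds
    the descriptor to a specific inode; whatever the attacker renames afterwards is irrelevant."""
    parts = rel_path.split("/")
    if rel_path.startswith("/") or any(p in ("", ".", "..") for p in parts):
        raise PermissionError("invalid relative path")
    if attacker_hook:
        attacker_hook()  # same swap as above; it happens before anything is bound
    dir_fd = os.open(sandbox_root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for comp in parts[:-1]:  # intermediate components must be real directories
            nxt = _open_nofollow(comp, os.O_RDONLY | os.O_DIRECTORY, dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        fd = _open_nofollow(parts[-1], os.O_WRONLY | os.O_CREAT | os.O_TRUNC, dir_fd)
        with os.fdopen(fd, "w") as f:  # fd refers to the inode, not the name
            f.write(data)
    finally:
        os.close(dir_fd)


def run_demo():
    """Build a throwaway sandbox plus an 'outside' victim file (constructed for the
    demo), run both writers against the same symlink-swap attacker, and report what happened."""
    base = tempfile.mkdtemp()
    try:
        sandbox = os.path.join(base, "sandbox")
        outside = os.path.join(base, "outside")
        os.makedirs(sandbox)
        os.makedirs(outside)
        victim = os.path.join(outside, "victim.conf")  # stands in for a system config file
        with open(victim, "w") as f:
            f.write("original\n")

        def swap_in_symlink():
            # Attacker's move inside the race window: replace the checked file
            # with a symlink pointing outside the sandbox.
            link = os.path.join(sandbox, "notes.txt")
            if os.path.lexists(link):
                os.remove(link)
            os.symlink(victim, link)

        results = {}
        vulnerable_write(sandbox, "notes.txt", "backdoor\n", attacker_hook=swap_in_symlink)
        with open(victim) as f:
            results["vulnerable_escaped"] = f.read() == "backdoor\n"

        with open(victim, "w") as f:  # reset the victim, then retry hardened
            f.write("original\n")
        try:
            hardened_write(sandbox, "notes.txt", "backdoor\n", attacker_hook=swap_in_symlink)
            results["hardened_refused"] = False
        except PermissionError:
            results["hardened_refused"] = True
        with open(victim) as f:
            results["hardened_victim_intact"] = f.read() == "original\n"

        hardened_write(sandbox, "legit.txt", "ok\n")  # normal writes still work
        with open(os.path.join(sandbox, "legit.txt")) as f:
            results["hardened_normal_write"] = f.read() == "ok\n"
        return results
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    print(run_demo())
```

The point of the hardened version is not a better check but the removal of the gap: the descriptor returned by `openat()` with `O_NOFOLLOW` is the thing written to, so there is no second name lookup for the attacker to redirect. On Linux the same idea can be pushed further with `openat2()` and `RESOLVE_BENEATH`, which refuses any resolution that leaves the starting directory.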
OpenClaw is designed to run AI assistants locally, and the exploit chain abuses the framework's own privileges and legitimate capabilities rather than introducing foreign code, so the malicious activity is hard to distinguish from normal operation with conventional detection tools.