thehackernews.com 5/15/2026, 4:10:37 PM

OpenClaw chain lets attackers hijack config and steal data

CyberSIXT Evidence Panel
Primary Source: cyera.com
CISA KEV: Not in KEV
Patch: Patch Available

Researchers have disclosed four chainable flaws in OpenClaw that could enable data theft, privilege escalation, and persistence; Cyera has collectively dubbed them Claw Chain.

The vulnerabilities are CVE-2026-44112 (a TOCTOU race condition in OpenShell that bypasses sandboxing and redirects writes outside the mount root), CVE-2026-44113 (a TOCTOU race condition that allows reading files outside the mount root), CVE-2026-44115 (an incomplete allowlist that lets attackers embed shell expansion tokens in a heredoc to run unapproved commands), and CVE-2026-44118 (improper access control that lets non-owner clients impersonate an owner and control gateway configuration, cron, and the execution environment). Chained together, they could let an attacker tamper with configuration, read credentials and sensitive files, obtain owner-level control, plant backdoors, and establish persistence. The chain unfolds in three stages: code execution inside the OpenShell sandbox, credential exposure, and then persistence via the agent runtime and configuration changes.

The root cause of the owner-impersonation flaw was traced to a client-controlled senderIsOwner flag that was trusted without verifying the authenticated session. According to Cyera, the advisory states that the MCP loopback runtime now issues separate owner and non-owner tokens and no longer trusts the spoofable header. Following disclosure, all four vulnerabilities have been addressed in OpenClaw version 2026.4.22, and security researcher Vladimir Tokarev has been credited with discovering and reporting them.


Article by CyberSIXT
