Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence Ravie Lakshmanan May 15, 2026 Vulnerability / AI Security Cybersecurity researchers have disclosed a set of four security flaws in OpenClaw that could be chained to achieve data theft, privilege escalation, and persistence. The vulnerabilities, collectively dubbed Claw Chain by Cyera, can permit an attacker to establish a foothold, expose sensitive data, and plant backdoors.
A brief description of the flaws is below - CVE-2026-44112 (CVSS score: 9.6/6.3) - A time-of-check/time-of-use (TOCTOU) race condition vulnerability in the OpenShell managed sandbox backend that allows attackers to bypass sandbox restrictions and redirect writes outside the intended mount root. CVE-2026-44113 (CVSS score: 7.7/6.3) - A TOCTOU race condition vulnerability in OpenShell that allows attackers to bypass sandbox restrictions and read files outside the intended mount root.
CVE-2026-44115 (CVSS score: 8.8) - An incomplete list of disallowed inputs vulnerability that allows attackers to bypass allowlist validation by embedding shell expansion tokens in a here document (heredoc) body to execute unapproved commands at runtime. CVE-2026-44118 (CVSS score: 7.8) - An improper access control vulnerability that could allow non-owner loopback clients to impersonate an owner to elevate their privileges and gain control over gateway configuration, cron scheduling, and execution environment management.
Cyera said successful exploitation of CVE-2026-44112 could allow an attacker to tamper with configuration, plant backdoors, and establish persistent control over the compromised host, whereas CVE-2026-44113 could be weaponized to read system files, credentials, and internal artifacts. The exploitation chain unfolds over four steps - A malicious plugin, prompt injection, or compromised external input gains code execution inside the OpenShell sandbox.
Leverage CVE-2026-44113 and CVE-2026-44115 to expose credentials, secrets, and sensitive files. Exploit CVE-2026-44118 to obtain owner-level control of the agent runtime. Use CVE-2026-44112 to plant backdoors or make configuration changes and set up persistence. The root cause for CVE-2026-44118, per the cybersecurity company, stems from the fact that OpenClaw trusts a client-controlled ownership flag called senderIsOwner, which signals whether the caller is authorized for owner-only tools, without validating it against the authenticated session. "The MCP loopback runtime now issues separate owner and non-owner bearer tokens and derives senderIsOwner exclusively from which token authenticated the request," OpenClaw detailed the fixes in an advisory for the flaw. "The spoofable sender-owner header is no longer emitted or trusted." Following responsible disclosure, all four vulnerabilities have been addressed in OpenClaw version 2026.4.22.
Security researcher Vladimir Tokarev has been credited with discovering and reporting the issues. Users are advised to update to the latest version to stay protected against potential threats. "By weaponizing the agent's own privileges, an adversary moves through data access, privilege escalation, and persistence -- using the agent as their hands inside the environment," Cyera said. "Each step looks like normal agent behavior to traditional controls, broadening blast radius and making detection significantly harder." Found this article interesting?
Follow us on Google News , Twitter LinkedIn to read more exclusive content we post. Tweet Share Share Share cybersecurity , data theft , OpenClaw , OpenShell , privilege escalation , Sandbox Escape , Vulnerability ⚡ Top Stories This Week 30,000 Facebook Accounts Hacked via Google AppSheet Phishing Campaign Trellix Confirms Source Code Breach With Unauthorized Repository Access ⚡ Weekly Recap: AI-Powered Phishing, Android Spying Tool, Linux Exploit, GitHub RCE and More Progress Patches Critical MOVEit Automation Bug Enabling Authentication Bypass Microsoft Details Phishing Campaign Targeting 35,000 Users Across 26 Countries Critical Apache HTTP/2 Flaw (CVE-2026-23918) Enables DoS and Potential RCE Palo Alto PAN-OS Flaw Under Active Exploitation Enables Remote Code Execution The Hacker News Launches 'Cybersecurity Stars Awards 2026' — Submissions Now Open ThreatsDay Bulletin: Edge Plaintext Passwords, ICS 0-Days, Patch-or-Die Alerts and 25+ New Stories PAN-OS RCE Exploit Under Active Use Enabling Root Access and Espionage Linux Kernel Dirty Frag LPE Exploit Enables Root Access Across Major Distributions New Linux PamDOORa Backdoor Uses PAM Modules to Steal SSH Credentials Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise 2026: The Year of AI-Assisted Attacks Day Zero Readiness: The Operational Gaps That Break Incident Response We Scanned 1 Million Exposed AI Services.
Here's How Bad the Security Actually Is ⭐ Featured Resources [Webinar] Learn How Autonomous Validation Keeps Pace With AI Attacks [Guide] Get Practical AI SOC Insights to Improve Threat Detection [Demo] Discover How to Control Autonomous Identity Risks Effectively [Demo] Stop Email Attacks and Protect Cloud Workspace Data Faster Cybersecurity Webinars Building Stronger Defenses Stop Patient Zero Attacks Before They Bypass Detection Learn how to stop patient zero attacks before they bypass detection and compromise your systems at entry points.
Register Reduce AppSec Risk Validate Real Attack Paths Before Attackers Exploit Them Learn how to validate real attack paths and reduce exploitable risk with continuous agentic security validation. ⚡ Latest News Cybersecurity Resources Build Security Strategy That Earns Executive Buy-In — SANS LDR514, NYC SANS LDR514 in NYC, Aug 10–15: policy, risk frameworks, board communication, and strategic leadership.
Your VPN is Helping Attackers Move as Fast as AI AI collapsed human response window and turned remote access into fastest path to breach. Earn a Master's in Cybersecurity Risk Management Lead the future of cybersecurity risk management with an online Master’s from Georgetown. Expert Insights Articles Videos From Phishing to Recovery: Breaking the Ransomware Attack Chain May 04, 2026 Read ➝ Mythos is Coming: What the Next Six Months Require Your Biggest Security Risk Isn’t Malware — It's What You Already Trust CTM360 Exposes Global GovTrap Campaign With 11,000+ Fake Government Portals Targeting Citizens Worldwide April 27, 2026 Get the Latest News in Your Inbox Get the latest news, expert insights, exclusive resources, and strategies from industry leaders, all for free.