The Claw Chain: Chaining TOCTOU and Access Control Bypasses to Weaponize OpenClaw AI Agents
Cyber RT | May 15, 2026

Cybersecurity researchers identified four vulnerabilities in OpenClaw, termed Claw Chain, that enable data theft, privilege escalation, and persistence. The flaws include TOCTOU race conditions (CVE-2026-44112, CVE-2026-44113), improper input validation (CVE-2026-44115), and access control issues (CVE-2026-44118). Exploitation allows attackers to bypass sandbox restrictions, expose sensitive data, and gain control. OpenClaw version 2026.4.22 addresses these vulnerabilities. Users should update to ensure protection.
Cybersecurity researchers have identified four critical security vulnerabilities in OpenClaw, collectively named Claw Chain, which pose significant risks such as data theft, privilege escalation, and persistent unauthorized access. These vulnerabilities, discovered by Cyera, can be exploited in a sequence to allow attackers to gain a foothold, access sensitive data, and install backdoors within the system. The flaws have been assigned CVE identifiers and vary in severity, with CVSS scores indicating their potential impact.
The first vulnerability, CVE-2026-44112, is a time-of-check/time-of-use (TOCTOU) race condition in the OpenShell managed sandbox backend. This flaw allows attackers to bypass sandbox restrictions and redirect writes outside the intended mount root, potentially leading to configuration tampering and persistent control over the host. It has a CVSS score of 9.6/6.3, indicating a high level of risk.
The second flaw, CVE-2026-44113, also involves a TOCTOU race condition in OpenShell. This vulnerability permits attackers to read files outside the intended mount root, exposing system files, credentials, and internal artifacts. With a CVSS score of 7.7/6.3, it poses a significant threat to data confidentiality.
CVE-2026-44115 is another critical vulnerability that involves an incomplete list of disallowed inputs. Attackers can bypass allowlist validation by embedding shell expansion tokens in a here document (heredoc) body, enabling the execution of unauthorized commands at runtime. This flaw has a CVSS score of 8.8, highlighting its potential for misuse.
The final vulnerability, CVE-2026-44118, concerns improper access control, allowing non-owner loopback clients to impersonate an owner. This flaw can lead to privilege escalation, granting attackers control over gateway configuration, cron scheduling, and execution environment management. It has a CVSS score of 7.8, emphasizing the risk of unauthorized access and control.
The exploitation of these vulnerabilities follows a four-step process, starting with code execution inside the OpenShell sandbox through malicious plugins or compromised inputs. Attackers then leverage CVE-2026-44113 and CVE-2026-44115 to access sensitive data, followed by exploiting CVE-2026-44118 to gain owner-level control. Finally, CVE-2026-44112 is used to establish persistence by planting backdoors or altering configurations.
Cyera identified the root cause of CVE-2026-44118 as OpenClaw's reliance on a client-controlled ownership flag, senderIsOwner, without proper validation. In response, OpenClaw has implemented fixes, including issuing separate owner and non-owner bearer tokens and deriving senderIsOwner from authenticated tokens. These changes prevent the spoofing of the sender-owner header.
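
The fix described above for CVE-2026-44118, sketched as an added example that is not OpenClaw's code: the header name `x-sender-is-owner`, the token values and all function names are constructed for illustration, and the "before" function is a simplified model of trusting a client-supplied flag. The hardened version also reports a non-owner request that carries the flag, which is a useful signal to log.

```javascript
// Constructed sample tokens; a real gateway generates these randomly per install.
const TOKENS = { owner: "owner-token-constructed-0001", nonOwner: "guest-token-constructed-0002" };
// Hypothetical header name standing in for the article's "sender-owner header".
const OWNER_HEADER = "x-sender-is-owner";

// Extract the bearer token; Node lower-cases incoming header names.
function bearer(headers) {
  const m = /^Bearer ([A-Za-z0-9._~+\/-]+=*)$/.exec(headers["authorization"] ?? "");
  return m ? m[1] : null;
}

// Compare every byte instead of returning at the first mismatch.
// (Node's crypto.timingSafeEqual over equal-length digests is the library route.)
function constantTimeEqual(presented, expected) {
  const x = Buffer.from(presented), y = Buffer.from(expected);
  let diff = x.length ^ y.length;
  for (let i = 0; i < x.length; i++) diff |= x[i] ^ y[i % y.length];
  return diff === 0;
}

// BEFORE (simplified model): the caller is authenticated, but the owner
// flag is whatever the client put in the header.
function resolveSenderLegacy(headers) {
  const token = bearer(headers);
  const authenticated = token !== null &&
    (constantTimeEqual(token, TOKENS.owner) || constantTimeEqual(token, TOKENS.nonOwner));
  return { authenticated, senderIsOwner: authenticated && headers[OWNER_HEADER] === "true" };
}

// AFTER: senderIsOwner is derived only from which token authenticated the
// request. The client header is never read for authorization, only to flag
// a request that claims ownership without the owner token.
function resolveSender(headers) {
  const token = bearer(headers);
  const isOwner = token !== null && constantTimeEqual(token, TOKENS.owner);
  const isGuest = token !== null && constantTimeEqual(token, TOKENS.nonOwner);
  return {
    authenticated: isOwner || isGuest,
    senderIsOwner: isOwner,
    spoofAttempt: !isOwner && OWNER_HEADER in headers,
  };
}

// Constructed request: non-owner token plus a self-asserted owner flag.
const spoofed = { authorization: `Bearer ${TOKENS.nonOwner}`, [OWNER_HEADER]: "true" };
console.log(resolveSenderLegacy(spoofed), resolveSender(spoofed));
```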
Following responsible disclosure, OpenClaw has addressed all four vulnerabilities in version 2026.4.22. Security researcher Vladimir Tokarev has been credited with discovering these issues. Users are strongly advised to update to the latest version to protect against potential threats, as these vulnerabilities can significantly broaden the attack surface and complicate detection efforts.

