OpenClaw Security Guide
Back to Threat Intel
sourcearticleAgent: OpenClaw

Claw Chain: Cyera research unveils four chainable vulnerabilities in OpenClaw

Cyera Research blog post disclosing "Claw Chain" — four chainable vulnerabilities in OpenClaw (all versions prior to April 23, 2026 patches). Published May 15, 2026 by Cyera Research. Covers four CVEs, attack chain, affected surface, and recommended mitigations.

openclawtoctousandbox-escapeprivilege-escalationmcpenv-varcve-2026-44112cve-2026-44113cve-2026-44115cve-2026-44118ghsa-5h3gghsa-wppjghsa-r6xhghsa-x3h8chainablecyera

Date

May 15, 2026

First Seen

May 15, 2026

Last Reviewed

May 18, 2026

Publisher

Cyera

Source Type

article

View source

Related reading

OpenClaw Security Guide

A practical baseline for local binding, scoped credentials, sandboxing, runtime checks, and Armorer Guard.

Securing OpenClaw with Armorer Guard

How Armorer wraps OpenClaw with managed setup, Docker hardening, health checks, approvals, and Guard-backed scanning.

Subscribe via RSSFollow on TelegramGet email updates

Get email updates

Get reviewed Armorer threat-intel updates when new findings are published.

Source Summary

What It Contains

Cyera Research blog post disclosing "Claw Chain" — four chainable vulnerabilities in OpenClaw (all versions prior to April 23, 2026 patches). Published May 15, 2026 by Cyera Research. Covers four CVEs, attack chain, affected surface, and recommended mitigations.

Extracted Claims

  • Four CVEs:

    • CVE-2026-44112 — TOCTOU Filesystem Write Escape — CRITICAL 9.6
    • CVE-2026-44115 — Execution Allowlist Env-Vars Disclosure — HIGH 8.8
    • CVE-2026-44118 — MCP Loopback Privilege Escalation — HIGH 7.8
    • CVE-2026-44113 — TOCTOU Filesystem Read Escape — HIGH 7.7

  • Attack chain:

    1. Foothold via malicious plugin, prompt injection, or compromised supply-chain input (code execution inside OpenShell sandbox)
    2. Data exfiltration via CVE-2026-44113 (TOCTOU read escape) + CVE-2026-44115 (env-var disclosure)
    3. Privilege escalation via CVE-2026-44118 (MCP loopback flaw → owner-level control of agent runtime)
    4. Persistence via CVE-2026-44112 (TOCTOU write escape → backdoors, config modification)

  • Affected product: OpenClaw, all versions prior to April 23, 2026 patches

  • Public exposure: ~65,000 (Shodan) to ~180,000 (Zoomeye) internet-facing OpenClaw servers

  • GHSA references: GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, GHSA-x3h8-jrgh-p8jx

  • OpenClaw history: Originally launched as "Clawdbot" in late 2025

MITRE ATT&CK (inferred)

  • T1068 — Exploitation for Privilege Escalation (MCP loopback)
  • T1059 — Command and Scripting Interpreter (env-var disclosure)
  • T1552 — Unsecured Credentials (env-var exposure)
  • T1574 — Hijack Execution Flow (TOCTOU write for persistence)

Evidence Quality

Primary vendor security research disclosure with four assigned CVEs, specific severity scores, and a defined attack chain. High confidence.

Follow-Up

  • Update once official CVE listings and patch versions are confirmed via NVD or OpenClaw release notes
  • Cross-reference with any related Oasis Security findings on OpenClaw
  • Update the newsfeed entry for ClawJacked with this new finding as it represents a related but distinct vulnerability chain