Claw Chain: four chainable vulnerabilities in OpenClaw enable sandbox escape and privilege escalation
Cyera Research disclosed four chainable OpenClaw vulnerabilities affecting versions before the April 23, 2026 patches. The chain could let an attacker escape OpenShell sandbox constraints, exfiltrate secrets, escalate agent-runtime control, and persist.
Date
May 15, 2026
First Seen
May 15, 2026
Last Reviewed
May 18, 2026
Publisher
Cyera
Source Type
article
Why It Matters
OpenClaw's agent-mediated attack surface means a malicious plugin, prompt injection, or supply-chain compromise can serve as the initial foothold. From there, the four CVEs chain together to achieve full sandbox escape, credential theft, privilege escalation, and persistence — completing an attack path from "code inside the sandbox" to "owner-level control of the agent runtime and its secrets." This fundamentally undermines the trust boundary between agent-controlled code and the host system.
Public exposure: ~65,000–180,000 internet-facing OpenClaw servers (Shodan/Zoomeye).
Attack Chain
- Foothold: Malicious plugin, prompt injection, or compromised external input achieves code execution inside the OpenShell sandbox.
- Data Exfiltration: TOCTOU read escape (CVE-2026-44113) and env-var disclosure (CVE-2026-44115) expose credentials, secrets, and sensitive files beyond the agent's intended scope.
- Privilege Escalation: MCP loopback flaw (CVE-2026-44118) elevates the compromised process to owner-level control of the agent runtime.
- Persistence: TOCTOU write escape (CVE-2026-44112) plants backdoors, modifies configuration, or alters future agent behavior.
CVEs
- CVE-2026-44112 — TOCTOU Filesystem Write Escape — CRITICAL 9.6 — Allows writing files outside the sandbox boundary via a time-of-check/time-of-use filesystem race condition.
- CVE-2026-44115 — Execution Allowlist Env-Vars Disclosure — HIGH 8.8 — Exposes environment variables and secrets through the execution allowlist mechanism.
- CVE-2026-44118 — MCP Loopback Privilege Escalation — HIGH 7.8 — Allows a sandboxed process to escalate to owner-level control via the MCP loopback interface.
- CVE-2026-44113 — TOCTOU Filesystem Read Escape — HIGH 7.7 — Allows reading files outside the sandbox boundary via a time-of-check/time-of-use filesystem race condition.
Affected versions: All OpenClaw versions prior to the April 23, 2026 patches.
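The two TOCTOU entries above describe the generic check-then-use race on a sandbox's filesystem boundary. The example below is added here for illustration and is not OpenClaw's code or the disclosed bug: it places the vulnerable pattern (validate a resolved path, then open it) next to a race-free alternative that opens component by component relative to a directory descriptor with O_NOFOLLOW, so the boundary check and the open are the same syscall. `racy_read`, `safe_read`, `demo` and the `swap` callback that stands in for the race window are constructed for this example.

```python
import os
import tempfile
from pathlib import Path

def racy_read(root, rel, between=None):
    # Check-then-use: resolve the path, confirm it stays under root, then open it.
    # Anything that changes the path between the check and the open wins the race.
    target = os.path.join(root, rel)
    if not os.path.realpath(target).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError("outside sandbox")
    if between: between()  # hypothetical hook standing in for the race window
    with open(target, "rb") as f:
        return f.read()

def safe_read(root, rel):
    # Open relative to an already-open directory fd, one component at a time,
    # refusing '..' and symlinks at each step: the check and the use are one syscall.
    parts = rel.split("/")
    if any(p in ("", ".", "..") for p in parts):
        raise PermissionError("bad path component")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for p in parts[:-1]:
            nfd = os.open(p, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        ffd = os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    finally:
        os.close(fd)
    with os.fdopen(ffd, "rb") as f:
        return f.read()

def demo():
    # Constructed scenario: 'secret' sits outside the sandbox root; the swap callback
    # replaces sandbox/notes.txt with a symlink to it inside the check-to-use window.
    base = Path(tempfile.mkdtemp())
    root, secret, note = base / "sandbox", base / "secret", base / "sandbox" / "notes.txt"
    root.mkdir()
    secret.write_text("TOKEN")
    note.write_text("harmless")
    plain = safe_read(str(root), "notes.txt")                  # b"harmless"
    swap = lambda: (note.unlink(), note.symlink_to(secret))    # the move inside the window
    leaked = racy_read(str(root), "notes.txt", between=swap)   # b"TOKEN": check passed, open followed the link
    try:
        safe_read(str(root), "notes.txt")                      # same symlink is now in place
        blocked = False
    except OSError:
        blocked = True                                         # O_NOFOLLOW refuses it (ELOOP)
    return plain, leaked, blocked
```

On Linux 5.6 and later the same guarantee is available in a single call through openat2(2) with RESOLVE_BENEATH, which is the form a sandbox runtime should prefer.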
Affected Surface
- ~65,000–180,000 public-facing OpenClaw servers (Shodan/Zoomeye)
- Any deployment where untrusted plugins, prompt injections, or supply-chain inputs can reach the agent runtime
GHSA References
- GHSA-5h3g-6xhh-rg6p
- GHSA-wppj-c6mr-83jj
- GHSA-r6xh-pqhr-v4xh
- GHSA-x3h8-jrgh-p8jx
MITRE ATT&CK (inferred)
- T1068 — Exploitation for Privilege Escalation (MCP loopback flaw)
- T1059 — Command and Scripting Interpreter (env-var disclosure abuse)
- T1552 — Unsecured Credentials (exposure via environment variables)
- T1574 — Hijack Execution Flow (TOCTOU write escape for persistence)
Mitigations
Immediate (24 hours):
- Apply April 23, 2026 patches for all OpenClaw deployments.
- Identify exposed instances via Shodan or internal scanning; rotate all reachable credentials and API keys.
- Audit agent access scope and treat agents as privileged identities.
Short-term (1 week):
- Review supply chain inputs and plugins before deployment.
- Implement network segmentation for agent runtimes.
- Enforce least-privilege for agent tool access and MCP connections.