Threat Advisory

OpenClaw Vulnerabilities Gain Capability for Autonomous AI Network Interruption

Threat: Vulnerability
Targeted Region: Global
Targeted Sector: Technology & IT, Healthcare, Government & Defense, Finance & Banking
Criticality: Critical

EXECUTIVE SUMMARY:

A set of vulnerabilities has been identified in OpenClaw, a popular open-source platform for autonomous AI agents. The affected product is OpenClaw, with publicly accessible server instances exposed to remote exploitation, credential theft, and persistent backdoor installation. The vulnerabilities include time-of-check/time-of-use (TOCTOU) race conditions, command validation gaps, and client-controlled ownership flag exploitation, which collectively enable attackers to gain code execution, exfiltrate sensitive data, escalate privileges, and establish persistence. This chain of vulnerabilities, dubbed "Claw Chain," poses a significant risk to enterprises, particularly those in financial services, healthcare, and legal sectors, where AI agent workflows process sensitive information.

CVE-2026-44112 (CVSS score 9.6): A time-of-check/time-of-use race condition in the OpenShell sandbox allows attackers to redirect write operations outside the sandbox boundary, enabling configuration tampering and persistent backdoor placement on the endpoint.

CVE-2026-44115 (CVSS score 8.8): A gap between OpenClaw's command validation and shell execution allows environment variables, including API keys, tokens, and credentials, to leak through unquoted heredocs that appear safe at validation time.

CVE-2026-44118 (CVSS score 7.8): OpenClaw blindly trusts a client-controlled ownership flag without cross-referencing the authenticated session, allowing a local process with a valid bearer token to escalate to owner-level control over gateway configuration, scheduling, and execution management.

CVE-2026-44113 (CVSS score 7.7): The same TOCTOU race condition pattern in read operations lets attackers swap validated file paths with symbolic links pointing outside the allowed mount root, exposing system files and internal artifacts the agent was never meant to access.
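The two TOCTOU entries above (CVE-2026-44112 for writes, CVE-2026-44113 for reads) share one defensive pattern: never re-resolve a path string after validating it. The sketch below is an added example, not OpenClaw's code or its fix; `open_beneath`, `demo` and the sandbox layout are constructed for illustration and assume a POSIX system.

```python
import os
import tempfile
from pathlib import Path

def open_beneath(root_fd, rel_path, flags, mode=0o600):
    """Open rel_path under root_fd; every component is opened with O_NOFOLLOW
    relative to the previous descriptor, so check and use are one operation."""
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if rel_path.startswith("/") or not parts or ".." in parts:
        raise ValueError(f"path leaves sandbox root: {rel_path!r}")
    dir_fd = os.dup(root_fd)
    try:
        for name in parts[:-1]:
            # Raises OSError if this component has been swapped for a symlink.
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            os.close(dir_fd)
            dir_fd = nxt
        return os.open(parts[-1], flags | os.O_NOFOLLOW, mode, dir_fd=dir_fd)
    finally:
        os.close(dir_fd)

def demo():
    """Constructed sandbox whose entries were swapped for links out of the root."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        root, outside = Path(base, "root"), Path(base, "outside")
        (root / "work").mkdir(parents=True)
        outside.mkdir()
        secret = outside / "config"
        secret.write_text("original")
        (root / "work" / "out.txt").symlink_to(secret)  # file swapped for a link
        (root / "link").symlink_to(outside)             # directory swapped for a link
        cases = {
            "write_file_symlink": ("work/out.txt", os.O_WRONLY | os.O_TRUNC),
            "read_dir_symlink": ("link/config", os.O_RDONLY),
            "dotdot": ("../outside/config", os.O_RDONLY),
            "regular_write": ("work/new.txt", os.O_WRONLY | os.O_CREAT),
        }
        root_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
        try:
            for label, (rel, flags) in cases.items():
                try:
                    os.close(open_beneath(root_fd, rel, flags))
                    results[label] = "opened"
                except (OSError, ValueError):
                    results[label] = "refused"
        finally:
            os.close(root_fd)
        results["outside_content"] = secret.read_text()
    return results
```

Because the descriptor returned is the object that was checked, a later swap of the path name has no effect on the open file. On Linux, `openat2()` with `RESOLVE_BENEATH` enforces the same constraint in a single system call.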

RECOMMENDATION:

 

REFERENCES:

The following reports contain further technical details:

https://cybersecuritynews.com/openclaw-chain-vulnerabilities/
