A set of four security vulnerabilities in OpenClaw, collectively labeled the “Claw Chain,” gives attackers a step-by-step path from a low-privilege foothold to full data theft, elevated rights, and persistent control inside shared computing environments. Disclosed through the U.S. National Vulnerability Database in May 2026, the flaws are tracked as CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118. All versions of OpenClaw before 2026.4.22 are affected.
The vulnerabilities target two core components: the OpenShell filesystem bridge, which manages how sandboxed processes interact with host files, and the MCP loopback interface, which handles control-plane identity and authorization. Chained together, they allow an attacker to escape the sandbox, execute unauthorized commands, and then lock in owner-level access that outlasts any single session or container restart.
No public evidence of active exploitation has surfaced as of late May 2026, but the chain’s low barrier to entry and high payoff make it a priority for any organization running OpenClaw in multi-tenant or shared infrastructure.
How the chain works
The Claw Chain unfolds in three confirmed stages, with a fourth that remains under review.
Stage 1: Sandbox read-escape (CVE-2026-44113). The OpenShell filesystem bridge suffers from a time-of-check-to-time-of-use (TOCTOU) race condition. In plain terms, there is a brief gap between the moment the system verifies that a file request is allowed and the moment it actually opens the file. An attacker who exploits that gap, by swapping a legitimate file path for a symbolic link pointing elsewhere, can read any file on the host outside the sandbox boundary. Configuration files, API keys, cloud credentials, and environment tokens all become reachable without any privilege escalation.
Stage 2: Execution allowlist bypass (CVE-2026-44115). OpenClaw maintains an allowlist that restricts which commands a sandboxed process can run. Versions before 2026.4.22 fail to account for shell expansion tokens hidden inside unquoted heredoc bodies. A heredoc is a common scripting construct that lets users embed multi-line text inside a command. Because the allowlist checks the command before the shell expands the heredoc content, an attacker can craft a command that looks harmless at validation time but expands into arbitrary instructions at runtime. The secrets harvested in Stage 1 become ammunition here: stolen credentials can be passed directly into unauthorized API calls or lateral movement commands.
Stage 3: Loopback impersonation (CVE-2026-44118). The MCP loopback interface, which governs control-plane operations, trusts client-supplied metadata to determine whether a request comes from the system owner. The NVD entry for this flaw states that it “enables non-owner clients to present as owner and perform owner-gated operations.” An attacker who reaches this stage can create new credentials, rewrite access policies, register worker nodes, or inject hooks into orchestration workflows. Because these changes operate at the owner level, they persist through container recycling and session timeouts.
Each stage feeds the next. The read-escape harvests secrets; the heredoc bypass weaponizes them; and the loopback impersonation converts temporary access into durable administrative control.
The fourth flaw: credible but unconfirmed
The remaining vulnerability, CVE-2026-44112, describes a TOCTOU race condition in OpenShell filesystem writes rather than reads. According to the NVD record sourced from VulnCheck, it allows sandbox write-escape in all OpenClaw versions before 2026.4.22. The entry references a vendor advisory page and a specific Git commit for the patch.
However, both the write-escape mechanism and the affected-version scope trace back to a single sourcing path through VulnCheck. No second researcher, independent security lab, or official OpenClaw maintainer statement has publicly corroborated the write-escape behavior separately from the NVD listing. The Git commit diff referenced in the record has not been reproduced or analyzed in any publicly available write-up beyond the NVD reference link itself.
That does not make the finding wrong. VulnCheck is an authorized CVE Numbering Authority, and the flaw description is technically plausible given that the confirmed read-escape (CVE-2026-44113) exploits the same validation model. But defenders should weight it differently when prioritizing patches. If the write-escape is real, the Claw Chain gains destructive capability: an attacker could plant backdoored binaries, alter logging configurations to hide traces, or corrupt integrity checks that operators rely on to detect tampering.
Why shared environments face the highest risk
For multi-tenant platforms that embed OpenClaw, the Claw Chain is not just a collection of bugs. It is a composite threat that can cross tenant boundaries.
The read-escape alone can expose secrets belonging to other workloads on the same host whenever configuration files, API keys, or cloud role credentials sit in predictable locations. Once the heredoc bypass is layered on, an attacker can turn those secrets into active leverage: invoking external services, pivoting into adjacent systems, or modifying deployment pipelines that trust OpenClaw jobs.
The loopback impersonation step is especially damaging in shared clusters. Owner-level operations often include the ability to register new worker nodes, change policy defaults, or inject hooks into orchestration flows. If a non-owner client can masquerade as the owner, they can entrench themselves in ways that survive routine remediation. In regulated environments, that persistence complicates incident response because simply killing pods or rotating basic credentials may not be enough to evict the attacker.
Even if CVE-2026-44112 ultimately proves narrower than its current description suggests, any write path sharing the same validation model as the confirmed read-escape should be treated as suspect. In continuous-delivery setups, poisoned configuration written outside the sandbox could propagate silently into future releases.
Mitigation and defensive priorities
The most direct action is to deploy OpenClaw 2026.4.22 or later wherever possible. The three confirmed flaws alone justify an accelerated patch cycle. Environments that cannot upgrade immediately should harden their deployments around the known attack surfaces:
- Restrict host path exposure. Limit which directories are mounted through OpenShell to the minimum required for each workload.
- Minimize on-disk secrets. Move credentials and tokens out of local files accessible to OpenClaw jobs. Use secret managers or injected environment variables with short-lived scopes instead.
- Constrain heredoc scripting. Disable or tightly limit heredoc-based constructs in automation pipelines that invoke OpenClaw commands.
- Layer authentication on the MCP loopback. Where feasible, add mutual TLS between control components, use signed tokens with short lifetimes, or require out-of-band approval workflows for owner-level operations.
- Tune logging and alerting. Capture and flag unusual patterns of owner operations, particularly those originating from accounts or nodes that typically hold limited roles.
Critically, defenders need to adjust their threat models to reflect the chainable nature of these flaws. Traditional severity scores treat each CVE independently, but the Claw Chain demonstrates how a read-escape, an execution bypass, and a privilege-escalation bug combine into a composite risk far greater than any single score suggests. Security teams should run scenario-based assessments that ask what an attacker could accomplish by linking these steps together, rather than triaging each CVE in isolation.
Sourcing and confidence levels
All four CVE records originate from the NVD, with VulnCheck serving as the source organization for each. That means the technical descriptions passed through VulnCheck’s triage before appearing on the NVD, where NIST added its own metadata, references, and severity context.
For CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118, the described behaviors align with well-documented vulnerability classes: TOCTOU races, shell-expansion parsing gaps, and header-based trust assumptions. Their plausibility is high even without a second independent source. CVE-2026-44112 sits one rung lower on the confidence ladder because both its technical claim and version-range claim trace back to the same submission pipeline.
No direct statements from OpenClaw developers or maintainers confirming the exact exploitation conditions have appeared in the public record as of late May 2026. No telemetry data, incident reports, or references to active campaigns are included in any of the NVD entries.
Design lessons and what comes next
At a deeper level, the Claw Chain exposes a design pattern that extends well beyond OpenClaw. The sandbox relied on transient filesystem state and unsigned header metadata as trust anchors. TOCTOU races in both reads and writes exploit the gap between validation and use, while the MCP loopback flaw shows what happens when identity and authorization hinge on client-supplied headers instead of cryptographic proof. In combination, these choices created a brittle perimeter where relatively small timing and parsing bugs cascaded into full compromise.
The evidence base around CVE-2026-44112 is likely to shift. A vendor-maintained advisory, a public code review of the referenced patch, or independent reproduction by another security lab would all raise confidence in the current description or refine its scope. Until then, organizations should treat the write-escape as a plausible but not yet fully characterized risk and focus their immediate efforts on the confirmed mechanisms that already justify architectural changes.
For the broader security community, the Claw Chain is a concrete reminder that defense-in-depth measures like immutable infrastructure, minimal host exposure, and cryptographic identity for control-plane actions can limit the blast radius even when low-level bugs slip through. Small implementation details in common features like heredocs, loopback interfaces, and filesystem bridges can quietly erode the isolation that modern multi-tenant platforms depend on. The organizations that patch fastest will be the ones that recognized that risk before the next chain surfaces.
More from Morning Overview
*This article was researched with the help of AI, with human editors creating the final content.
