OpenClaw 'Claw Chain' — 4 chainable sandbox-escape flaws (May 2026)
TL;DR
Cyera Research disclosed four chainable vulnerabilities in OpenClaw — the autonomous AI agent that rocketed to 135K+ GitHub stars in early 2026 — collectively dubbed "Claw Chain." The chain (CVE-2026-44112, -44113, -44115, -44118) lets an attacker bypass the OpenShell managed sandbox, read & write outside the mount root, execute disallowed commands through here-doc shell-expansion bypass, and impersonate the agent owner to control gateway, cron, and execution environment. SecurityScorecard previously reported ~245,000 publicly accessible OpenClaw instances, with 63% of them running with no authentication at all and ~35% flagged as vulnerable. Patched in OpenClaw 2026.4.22. If you exposed an instance to the internet, assume full compromise.
What happened
OpenClaw ships an "OpenShell" managed sandbox that's supposed to confine agent-issued shell commands to a tmpfs mount and an allowlist. Cyera found four design flaws that, chained, neutralize the sandbox entirely:
- CVE-2026-44112 (CVSS 9.6 / 6.3) — TOCTOU race in the OpenShell sandbox backend. The mount-root check and the write operation are non-atomic; an attacker who can race the agent can redirect writes outside the mount root.
- CVE-2026-44113 (CVSS 7.7 / 6.3) — Symmetric TOCTOU on the read path: read files outside the mount root by winning the same race.
- CVE-2026-44115 (CVSS 8.8) — Allowlist bypass via shell expansion tokens inside a here-doc. The disallowed-input list checked argv but not what the shell would expand inline, so `cat <