Claw Chain is a set of four chainable OpenClaw vulnerabilities (CVE-2026-44112, 44113, 44115, 44118) discovered by Cyera that can be combined to achieve data theft, privilege escalation, and persistent access.

How severe is the Claw Chain vulnerability?

The most severe CVE in the chain (CVE-2026-44112) has a CVSS score of 9.6. When chained together, the four flaws allow full system compromise from an initial sandbox bypass to persistent backdoor access.

Has Claw Chain been patched?

Yes, all four Claw Chain vulnerabilities were patched in OpenClaw v2026.4.22. Users should upgrade to at least this version.

How does the Claw Chain attack work?

The attack progresses through four stages: (1) sandbox bypass via TOCTOU race condition, (2) file read outside mount root, (3) environment variable expansion to steal API keys and tokens, (4) privilege escalation via unvalidated senderIsOwner flag, then persistence via config modification.

Who discovered Claw Chain?

Claw Chain was discovered and named by security researchers at Cyera. It was covered by The Hacker News, Dark Reading, and Bank Info Security.

← Back to dashboard

clawsmith.com/signal/claw-chain-four-chainable-cves-data-theft-persistence

⚠ IssueWide OpenLive

Claw Chain: Four Chainable OpenClaw CVEs Enable Data Theft, Privilege Escalation, and Persistence

Cyera disclosed four chainable OpenClaw vulnerabilities (CVE-2026-44112, 44113, 44115, 44118) dubbed 'Claw Chain'. Attack chain: bypass sandbox (TOCTOU race), read files outside mount root, expand env vars to steal API keys/tokens, escalate to owner-level via unvalidated senderIsOwner flag, persist via config modification. Most severe: CVE-2026-44112 at CVSS 9.6. All patched in v2026.4.22. Covered by The Hacker News, Dark Reading, Bank Info Security.

Product Idea from this Signal

A background service that scores your OpenClaw deployment's real attack surface by analyzing which unpatched CVE combinations create chainable exploits

289 ▲

OpenClaw accumulated 138 CVEs in under five months. The Claw Chain disclosure showed that four individually medium-severity CVEs can be chained into a CVSS 9.6 full-compromise attack. Existing security scanners check for individual CVEs one at a time but miss the combinatorial risk. A deployment running three unpatched medium-severity CVEs might actually have a critical-severity attack path that no single-CVE scanner would flag. This service continuously maps your specific OpenClaw version, plugins, and config against known attack chains to produce a real composite risk score.

BACKGROUND-SERVICESECURITYOPEN-SOURCEDEVTOOL

CompetitiveView Opportunity →