The 'Claw Chain' consists of four vulnerabilities in OpenClaw's AI assistant sandbox environment. An attacker with initial code execution inside the sandbox can exploit CVE-2026-44113 (race condition to read files outside mount root), CVE-2026-44115 (exec allowlist bypass to run unapproved commands), CVE-2026-44118 (MCP loopback flaw to elevate privileges to owner-level), and CVE-2026-44112 (critical race condition with CVSS 9.6 to write outside sandbox boundaries). By chaining these, the attacker bypasses sandbox restrictions, leaks sensitive data, escalates privileges, and achieves persistent backdoor installation. The vulnerabilities were disclosed on April 22, 2026, and patched the following day. Over 60,000 OpenClaw instances are publicly accessible, often with broad internal access, increasing potential impact.

Successful exploitation allows attackers to bypass sandbox restrictions, steal credentials, API keys, tokens, configuration files, and other sensitive data, escalate privileges to owner-level, and plant persistent backdoors on the host system. This leads to full system compromise, persistent unauthorized access, and potential data exfiltration. The attack chain mimics normal agent behavior, making detection difficult and broadening the blast radius. The vulnerabilities affect OpenClaw AI assistant instances with sandboxed agents that have broad internal access.

OpenClaw maintainers released patches for all four vulnerabilities on April 23, 2026, one day after disclosure. Organizations running OpenClaw should apply these official patches immediately to remediate the vulnerabilities. Since this is not a cloud service, patching the affected software is required. No additional mitigation guidance is provided by the vendor advisory beyond applying the patches.