Four OpenClaw bugs allow sandbox escape and persistence

Four OpenClaw flaws (CVE-2026-44112, 44113, 44115, 44118) can be chained to bypass sandboxes, steal credentials, impersonate owner clients and install persistent backdoors; patched in v2026.4.22.

Cybersecurity firm Cyera disclosed four vulnerabilities in OpenClaw’s OpenShell sandbox backend that can be chained to bypass sandbox protections, read or write files outside the sandbox, impersonate owner-level clients and install persistent backdoors. OpenClaw released fixes in version 2026.4.22. Security researcher Vladimir Tokarev is credited with reporting the issues.

Cyera assigned the following CVEs and scores: CVE-2026-44112 (CVSS 9.6) is a time-of-check/time-of-use (TOCTOU) race that can redirect writes outside the sandbox mount root; CVE-2026-44113 (CVSS 7.7) is a TOCTOU read issue that permits reads outside the mount root; CVE-2026-44115 (CVSS 8.8) is an allowlist bypass in shell input handling that uses here-document expansion to run unapproved commands; and CVE-2026-44118 (CVSS 7.8) is an improper access-control flaw that can let non-owner loopback clients claim owner privileges.

Cyera described a four-step exploitation chain. An attacker first obtains code execution inside the OpenShell sandbox through a malicious plugin, prompt injection or other compromised input. The attacker then uses the TOCTOU read bug and the here-document allowlist bypass to extract credentials, system files and internal artifacts. The access-control flaw is next used to obtain owner-level control of the agent runtime. Finally, the TOCTOU write bug can be used to modify configuration, plant backdoors and establish persistence on the host.

OpenClaw’s advisory traced the access-control failure to reliance on a client-controlled flag called senderIsOwner, which was not validated against the authenticated session. OpenClaw changed the MCP loopback runtime to issue separate owner and non-owner bearer tokens and now derives sender ownership from the token that authenticated the request. The vendor also stopped emitting the spoofable sender-owner header.
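The change described above, shown as a before/after sketch. This is an added example, not OpenClaw's code: the class and function names, the request shape (a lower-cased header dict plus a body carrying `senderIsOwner`) and the token format are assumptions made for illustration.

```python
import hmac
import secrets

class LoopbackAuth:
    """Holds one bearer token per role and maps a presented token to its role."""

    def __init__(self):
        # Independent random secrets: the non-owner token reveals nothing about the owner one.
        self.tokens = {role: secrets.token_urlsafe(32) for role in ("owner", "non-owner")}

    def role_of(self, headers):
        """Return 'owner', 'non-owner', or None when no valid bearer token is presented."""
        scheme, _, presented = headers.get("authorization", "").partition(" ")
        if scheme.lower() != "bearer" or not presented:
            return None
        matched = None
        for role, token in self.tokens.items():
            # Constant-time comparison, and every token is checked (no early exit).
            if hmac.compare_digest(presented.encode(), token.encode()):
                matched = role
        return matched

def is_owner_before_fix(request):
    """Pre-fix pattern: ownership is whatever the caller wrote into the request."""
    return bool(request["body"].get("senderIsOwner"))

def is_owner_after_fix(auth, request):
    """Post-fix pattern: ownership follows the authenticating token; the flag is never read."""
    return auth.role_of(request["headers"]) == "owner"

def demo():
    auth = LoopbackAuth()
    # Constructed request: a non-owner client that sets the flag on itself.
    spoofed = {
        "headers": {"authorization": "Bearer " + auth.tokens["non-owner"]},
        "body": {"senderIsOwner": True},
    }
    # Constructed request: the real owner client, sending no flag at all.
    owner = {"headers": {"authorization": "Bearer " + auth.tokens["owner"]}, "body": {}}
    return {
        "spoofed_before": is_owner_before_fix(spoofed),
        "spoofed_after": is_owner_after_fix(auth, spoofed),
        "owner_after": is_owner_after_fix(auth, owner),
    }

if __name__ == "__main__":
    print(demo())
```

The same self-set flag that is accepted by the pre-fix check has no effect once the role is looked up from the token, which is why dropping the header entirely removes nothing the server needs.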

Cyera warned that using the agent’s privileges can make malicious activity resemble normal agent behavior and reduce the chance of detection. Cyera wrote, “By weaponizing the agent’s own privileges, an adversary moves through data access, privilege escalation, and persistence — using the agent as their hands inside the environment.”

Following responsible disclosure, OpenClaw released version 2026.4.22 with patches for all four defects. Organizations running OpenClaw or OpenShell should apply the update, rotate any exposed credentials and monitor agent activity for unusual owner-level operations.
