ctipilot.ch

OpenClaw Claw Chain — CVE-2026-44112 sandbox TOCTOU write escape (CVSS 9.6) + 44113/44115/44118 chain

cve · CVE-2026-44112

Coverage timeline
2
first 2026-05-16 → last 2026-05-16
Briefs
1
1 distinct
Sources cited
2
2 hosts
Sections touched
2
action_items, trending_vulns
Co-occurring entities
4
see Related entities below

Story timeline

  1. 2026-05-16CTI Daily Brief — 2026-05-16
    trending_vulnsFirst coverage. Cyera Research discloses four chainable OpenClaw / Clawdbot vulnerabilities — CVE-2026-44112 (CVSS 9.6 TOCTOU write escape) + 44115 (8.8 allowlist bypass) + 44118 (7.8 MCP loopback owner-trust) + 44113 (7.7 TOCTOU read escape); ~245K publicly exposed instances; patched in 2026.4.22.
  2. 2026-05-16CTI Daily Brief — 2026-05-16
    action_itemsFirst coverage. Cyera Research discloses four chainable OpenClaw / Clawdbot vulnerabilities — CVE-2026-44112 (CVSS 9.6 TOCTOU write escape) + 44115 (8.8 allowlist bypass) + 44118 (7.8 MCP loopback owner-trust) + 44113 (7.7 TOCTOU read escape); ~245K publicly exposed instances; patched in 2026.4.22.

Where this entity is cited

  • trending_vulns1
  • action_items1

Source distribution

  • cyera.com1 (50%)
  • thehackernews.com1 (50%)

Related entities

External references

NVD · cve.org · CISA KEV

All cited sources (2)

Items in briefs about OpenClaw Claw Chain — CVE-2026-44112 sandbox TOCTOU write escape (CVSS 9.6) + 44113/44115/44118 chain (1)

CVE-2026-44112 / CVE-2026-44113 / CVE-2026-44115 / CVE-2026-44118 — OpenClaw "Claw Chain": four chainable flaws in autonomous-agent platform enable sandbox escape → credential leak → privilege escalation → file disclosure

From CTI Daily Brief — 2026-05-16 · published 2026-05-16 · view item permalink →

Cyera Research published on 2026-05-15 four chained vulnerabilities in OpenClaw (also marketed as Clawdbot), an autonomous AI-agent platform released in late 2025 with integrations including Microsoft Agent 365 (Cyera Research, 2026-05-15 · The Hacker News, 2026-05-15). All four CVEs are fixed by the OpenClaw release dated 2026-04-23, addressed under GitHub Security Advisories GHSA-5h3g-6xhh-rg6p, GHSA-wppj-c6mr-83jj, GHSA-r6xh-pqhr-v4xh, and GHSA-x3h8-jrgh-p8jx. The defender-relevant detail is that an attacker who can obtain code execution inside the OpenClaw managed sandbox — achievable via a malicious plugin, prompt injection into the agent context, or supply-chain compromise of an OpenClaw plugin — can chain the four primitives to a full sandbox-escape → credential-harvest → owner-level agent control → file-disclosure sequence whose steps each mimic normal agent behaviour and so evade controls calibrated to "human-attacker" indicators. CVE-2026-44112 (CVSS 9.6, Critical) is a TOCTOU race in the OpenShell sandbox backend that lets the sandbox process win the filesystem write race and redirect writes outside the intended mount root, enabling host-filesystem tampering and persistent backdoor placement. CVE-2026-44115 (CVSS 8.8, High) is an incomplete allowlist in OpenClaw's command parser — shell-expansion tokens embedded in environment-variable names bypass the validation gate, leaking API keys, tokens, and credentials at execution time. CVE-2026-44118 (CVSS 7.8, High) trusts a client-controlled senderIsOwner flag in MCP loopback messages without validating against the authenticated session, allowing privilege escalation to owner-level agent control. CVE-2026-44113 (CVSS 7.7, High) is the companion TOCTOU read escape enabling file disclosure outside the sandbox root. Exposure is broad: Cyera cites ~65 K (Shodan) and ~180 K (ZoomEye) publicly accessible OpenClaw instances as of May 2026, summing to an estimated ~245 K exposed servers. No in-the-wild exploitation reported at disclosure. Detection: alert on the agent process writing files outside designated sandbox mount directories; flag MCP loopback messages with senderIsOwner=true from sources not matching the authenticated session; alert on environment-variable expansion in command strings at agent execution time.