Claw Chain CVEs: Verify OpenClaw 2026.4.22+

🤖 Ghostwritten by GPT 5.4 · Fact-checked & edited by Claude Opus 4.6

The urgent headline is also the reassuring one: the Claw Chain vulnerabilities disclosed on 2026-05-15 were already fixed before the public disclosure window in OpenClaw v2026.4.22. The correct response is not to wait for an unreleased patch or scramble through rumor threads. The action item is simpler: verify that the installed version is 2026.4.22 or newer, and upgrade immediately if it is not.

The disclosed chain matters because it combined four flaws into a practical attack path: sandbox escape, data access outside the intended boundary, privilege escalation, and a route to persistence. According to The Hacker News report published on 2026-05-15, the issues were found by Vladimir Tokarev and reported by Cyera. The authoritative CVE set is CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118. Conflicting CVE numbers circulated elsewhere; those should be treated as unverified for this incident. For teams using OpenClaw in real workflows — especially where agents can touch secrets, repos, or production-adjacent systems — version verification should happen before anything else.

What Happened in the Claw Chain Disclosure

TL;DR: Four OpenClaw flaws were disclosed on 2026-05-15, but all four had already been fixed in v2026.4.22, so the main task is version verification — not waiting for a future patch.

The Claw Chain disclosure described four separate weaknesses that could be chained together for higher impact than any single bug on its own. Two of the flaws let an attacker slip past sandbox boundaries through timing windows, one let them bypass an allowlist using heredoc behavior, and one let them gain more authority than intended because of a faulty ownership check.

The Hacker News report identified these issues as:

CVE	CVSS	Plain-English Description
CVE-2026-44112	9.6	A TOCTOU sandbox write-escape
CVE-2026-44113	7.7	A TOCTOU read-escape
CVE-2026-44115	8.8	A heredoc allowlist bypass
CVE-2026-44118	7.8	A senderIsOwner privilege-escalation flaw in an ownership check

TOCTOU stands for time-of-check/time-of-use. That class of bug appears when software checks whether an action is safe, but the thing being checked changes in the tiny gap before the action actually runs. In security terms, that gap becomes an opening.

The combined impact reported publicly was data theft, privilege escalation, and persistence. That combination matters because it maps to a realistic attack progression: escape the intended box, access something valuable, gain broader control, then leave behind a way to come back.

The Four Flaws, Translated

TL;DR: The Claw Chain CVE set includes two race-condition sandbox escapes, one heredoc filter bypass, and one ownership-check bug enabling privilege escalation.

CVE-2026-44112 — CVSS 9.6

A TOCTOU sandbox write-escape. An attacker could exploit a timing gap to write outside the sandbox boundary. If the sandbox restricts file changes to a safe workspace, a write-escape undermines that assumption.

Why it matters: Writing outside the sandbox can mean altering configuration, dropping files for persistence, or modifying material the agent should never touch.

CVE-2026-44113 — CVSS 7.7

A TOCTOU read-escape. The same race-condition principle applies, but the impact is on reading rather than writing. Instead of changing files, the attacker can access information outside the approved area.

Why it matters: Read access is often enough for serious damage. Secrets, private code, environment files, and cached credentials are all more dangerous once a boundary has been crossed.

CVE-2026-44115 — CVSS 8.8

A heredoc allowlist bypass. A heredoc is a shell feature that lets a command consume a block of inline text. If a system relies on an allowlist to constrain permitted shell behavior but heredoc handling creates a gap, an attacker can smuggle through behavior the allowlist was supposed to block.

Why it matters: Allowlists only work if parsing and enforcement match real execution paths. When they diverge, the policy looks strong on paper while failing in practice.

CVE-2026-44118 — CVSS 7.8

A senderIsOwner privilege-escalation flaw in an ownership check. Ownership checks answer a simple question: is this actor actually allowed to perform this action? If that logic is wrong, the system grants authority it should deny.

Why it matters: Privilege escalation turns a limited foothold into broader control. Once an attacker has more permissions, cleanup becomes harder and downstream impact expands.

Why a Sandbox Escape Is So Serious on Credential-Bearing Agents

TL;DR: A sandbox escape is not just a theoretical bug when an agent can access credentials — escaping the boundary exposes the exact secrets and control paths an attacker wants most.

A sandbox is a containment mechanism, not a guarantee. Its job is to reduce blast radius by limiting what a process can reach. But when an agent operates in a developer environment, the surrounding context is often full of high-value material: API tokens, cloud credentials, repository access, SSH keys, local caches, and authenticated sessions.

That is what makes this class of bug especially important for fast-moving teams. Modern coding agents are often trusted because they are productive. They inspect codebases, run commands, create files, and interact with external systems. Those same capabilities become risky if the boundary around them fails.

A read-escape can expose secrets. A write-escape can alter startup files, config, or scripts for persistence. A privilege-escalation flaw can widen access after the first foothold. None of that requires dramatic movie-style hacking — only the right chain of small failures.

This is also why version drift is dangerous. Security stories often trigger a hunt for a new patch, but in this case the more likely failure mode is simpler: teams assume they are current when they are not. If one workstation, build runner, or shared environment is still behind v2026.4.22, that lagging node becomes the weak link.

For context on project scale, OpenClaw had roughly 377K GitHub stars as of early June 2026. Large adoption does not make a tool insecure, but it raises the stakes. Widely deployed developer tooling becomes a more attractive target because one exploit path can matter across many environments.

How to Verify Your Version and Upgrade

TL;DR: Check the installed version, confirm it is 2026.4.22 or newer, and upgrade immediately if it is older.

The most useful response here is mechanical. Start with the installed version.

Print Your Installed OpenClaw Version

openclaw --version

If your environment uses a different executable name, use the equivalent version flag. The goal is straightforward: print the installed version string and compare it to 2026.4.22.

What Counts as Patched

• 2026.4.22 = fixed
• Any newer version = fixed for this disclosed set
• Any older version = upgrade required

Upgrade If You Are Behind

The exact upgrade method depends on how OpenClaw was installed. Common patterns include:

• Updating through the package manager originally used for installation
• Pulling the latest approved internal package in managed environments
• Refreshing the CLI through the official installation path documented by the project

If OpenClaw is installed across multiple places, verify all of them:

• Developer laptops and workstations
• Shared jump boxes or remote dev hosts
• CI runners and build agents
• Container images or golden images
• Any automation host that invokes OpenClaw indirectly

Patch Verification Checklist

• openclaw --version returns 2026.4.22 or newer
• The version was checked on every machine that runs OpenClaw, not just one laptop
• Old container images or cached build environments were rebuilt or replaced
• Shell wrappers, aliases, or pinned package definitions are not forcing an older binary
• Credentials available to OpenClaw were reviewed for least privilege
• High-value tokens stored on the same host were rotated if there is reason to suspect prior exposure
• Team documentation records 2026.4.22 as the minimum safe baseline for this disclosure set

Frequently Asked Questions

Q: What is the correct Claw Chain CVE set to track?

Use the authoritative set cited in the 2026-05-15 Hacker News coverage: CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118. Conflicting CVE numbers circulated in other writeups but conflict with this primary source and should not be mixed into incident tracking for this disclosure.

Q: Do I need to wait for a new patch?

No. These issues were already fixed before disclosure in OpenClaw v2026.4.22. The practical task is to verify that the installed version is 2026.4.22 or newer and to upgrade if it is not.

Q: Why is a sandbox escape such a big deal?

Because the value of a sandbox depends entirely on the boundary holding. If an agent can access credentials, local files, repository contents, or authenticated sessions, escaping that boundary can turn ordinary developer convenience into a serious security event.

Q: If I am on 2026.4.22 or newer, am I fully safe?

You are covered for the publicly disclosed Claw Chain flaws, but no single patch eliminates all operational risk. Least-privilege permissions, careful secret handling, and regular version audits still matter — a sandbox is one layer, not the whole defense model.

Q: What should be reviewed besides the OpenClaw version?

Review where OpenClaw runs, what it can access, and which credentials are exposed to that environment. The highest-value follow-up checks are stale tokens, over-broad permissions, old container images, and any automation path that may still invoke an outdated binary.

Key Takeaways

• The Claw Chain vulnerabilities were publicly disclosed on 2026-05-15.
• The reassuring fact is the most important one: all four were already fixed in OpenClaw v2026.4.22.
• The authoritative CVEs are CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118.
• The chain included a write-escape, a read-escape, a heredoc allowlist bypass, and an ownership-check privilege escalation flaw.
• Practical risk is highest where agents can reach credentials, repositories, or other sensitive local resources.
• The right response is concrete: print the installed version, confirm it is 2026.4.22 or newer, and upgrade if it is not.
• A sandbox is a boundary that can be bypassed — combine an up-to-date version with least-privilege and credential hygiene. Defense in depth beats reliance on a single wall.

Conclusion

The Claw Chain disclosure is a useful reminder that modern agent security is less about panic and more about disciplined verification. The most important fact reduces uncertainty: the fix already exists in v2026.4.22. The broader lesson is one security teams keep relearning in 2026: sandboxes matter, but boundaries fail, so resilient setups assume layered controls, narrow permissions, and clean credential practices rather than trusting any single protective mechanism indefinitely.