Chained OpenClaw vulnerabilities enable agent-based data theft and persistence in MCP runtimes
Summary
A chain of four vulnerabilities (CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, CVE-2026-44118) in OpenClaw’s OpenShell sandbox and MCP loopback runtime allows attackers to bypass sandbox restrictions, read sensitive files, escalate to owner-level privileges, and establish persistence. Exploitation begins with code execution inside the sandbox via a malicious plugin, prompt injection, or compromised input, then progresses through credential exposure, privilege escalation, and backdoor deployment. Impact includes unauthorized data theft, full runtime control, and persistent compromise of affected hosts. The vulnerabilities are leveraged in a four-step chain: initial code execution, file and credential exposure via TOCTOU and heredoc bypass, privilege escalation via spoofable ownership flags, and final persistence through configuration tampering and backdoor planting.
Timeline
- 15.05.2026 16:35 · 1 article
OpenClaw patches four sandbox and runtime flaws enabling privilege escalation and persistence
OpenClaw released version 2026.4.22 addressing four vulnerabilities (CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, CVE-2026-44118) in OpenShell and MCP loopback runtime. The flaws permitted bypassing sandbox restrictions, reading sensitive files, escalating privileges via spoofed ownership flags, and establishing persistence. The patch replaces client-controlled ownership validation with separate owner and non-owner bearer tokens and removes the spoofable sender-owner header. Users are advised to update to mitigate risk of agent-based attacks that blend into normal activity.
Sources:
- Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence — thehackernews.com — 15.05.2026 16:35
Information Snippets
- CVE-2026-44112 is a TOCTOU race condition in OpenClaw’s OpenShell sandbox backend that allows bypassing mount-root restrictions to redirect writes outside intended paths, enabling backdoor planting and configuration tampering (CVSS 9.6/6.3).
First reported: 15.05.2026 16:35 · 1 source, 1 article
- Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence — thehackernews.com — 15.05.2026 16:35
- CVE-2026-44113 is a TOCTOU race condition allowing reads of files outside the mount root, enabling extraction of system files, credentials, and internal artifacts (CVSS 7.7/6.3).
First reported: 15.05.2026 16:35 · 1 source, 1 article
- Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence — thehackernews.com — 15.05.2026 16:35
- CVE-2026-44115 bypasses allowlist validation via shell expansion tokens in heredoc bodies, allowing execution of unapproved commands at runtime (CVSS 8.8).
First reported: 15.05.2026 16:35 · 1 source, 1 article
- Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence — thehackernews.com — 15.05.2026 16:35
- CVE-2026-44118 is an improper access control flaw where non-owner loopback clients impersonate owners by exploiting a spoofable senderIsOwner flag, gaining control over gateway configuration, cron scheduling, and execution environment management (CVSS 7.8).
First reported: 15.05.2026 16:35 · 1 source, 1 article
- Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence — thehackernews.com — 15.05.2026 16:35
- The exploitation chain begins with code execution inside the OpenShell sandbox (e.g., via malicious plugin or prompt injection), followed by credential and file exposure, privilege escalation to owner level, and finally persistence via backdoors and configuration changes.
First reported: 15.05.2026 16:35 · 1 source, 1 article
- Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence — thehackernews.com — 15.05.2026 16:35
- CVE-2026-44118 stems from OpenClaw trusting a client-controlled senderIsOwner flag without validating it against the authenticated session, which enables privilege escalation. The fix replaces this with separate owner and non-owner bearer tokens and removes the spoofable sender-owner header.
First reported: 15.05.2026 16:35 · 1 source, 1 article
- Four OpenClaw Flaws Enable Data Theft, Privilege Escalation, and Persistence — thehackernews.com — 15.05.2026 16:35
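The CVE-2026-44118 root cause and fix described above, as an added JavaScript example that is not OpenClaw's code: the header name `x-sender-is-owner`, the action names, and the token values are hypothetical and constructed for illustration.

```javascript
// Added illustration, not OpenClaw source. All names and values are hypothetical.
// Owner-only actions mirror the page: gateway config, cron scheduling, env management.
const OWNER_ONLY = new Set(["gateway.config", "cron.schedule", "env.manage"]);

// Constructed tokens: issued by the server, one per privilege level.
const TOKENS = { owner: "tok-owner-constructed-1f3a", nonOwner: "tok-guest-constructed-9c2e" };

// Comparison without early exit (in Node, crypto.timingSafeEqual is the usual choice).
function constantTimeEqual(a, b) {
  let diff = a.length ^ b.length;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ (b.charCodeAt(i) || 0);
  return diff === 0;
}

// Role comes only from which server-issued bearer token was presented.
function roleFromBearer(req) {
  const m = /^Bearer (\S+)$/.exec(req.headers["authorization"] || "");
  if (!m) return null;
  const isOwner = constantTimeEqual(m[1], TOKENS.owner);
  const isGuest = constantTimeEqual(m[1], TOKENS.nonOwner);
  return isOwner ? "owner" : isGuest ? "non-owner" : null;
}

// BEFORE: the session is authenticated, but ownership is read from a
// field the caller sets itself and is never checked against that session.
function authorizeVulnerable(req, action) {
  if (roleFromBearer(req) === null) return false;
  const senderIsOwner = req.headers["x-sender-is-owner"] === "true";
  return senderIsOwner || !OWNER_ONLY.has(action);
}

// AFTER: the client-supplied ownership header is ignored entirely.
function authorizeFixed(req, action) {
  const role = roleFromBearer(req);
  if (role === null) return false;
  return role === "owner" || !OWNER_ONLY.has(action);
}

// Constructed requests: a non-owner client that sets the ownership header, and a real owner.
const SPOOFED = {
  headers: { authorization: "Bearer " + TOKENS.nonOwner, "x-sender-is-owner": "true" },
};
const OWNER = { headers: { authorization: "Bearer " + TOKENS.owner } };

console.log("vulnerable:", authorizeVulnerable(SPOOFED, "gateway.config"));
console.log("fixed:     ", authorizeFixed(SPOOFED, "gateway.config"));
```

When reviewing a similar service, any authorization decision that reads a request field the client can set, rather than state bound to the authenticated credential, is the pattern to flag.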