Root cause for CVE-44118 involves an unvalidated client-controlled ownership flag; fixes separate owner and non-owner tokens and derive senderIsOwner only from the authenticated token.

OpenClaw faces four CVEs—CVE-2026-44112, CVE-2026-44113, CVE-2026-44115, and CVE-2026-44118—that collectively threaten sandbox integrity, credential safety, and command execution, with CVSS scores ranging up to the high 8s.

The exploitation chain lets a malicious input gain code execution inside the sandbox, with credentials and sensitive files exposed, owner-level control achieved, and backdoors enabled for persistence.

Two TOCTOU race conditions (CVE-2026-44112 and CVE-2026-44113) bypass sandbox restrictions and redirect file writes/reads beyond the intended mount root, while CVE-2026-44115 allows blocked commands to run via heredoc shell expansion.

As AI agents gain inside-entity privileges, securing the agent’s sandbox and enforcing robust token-based authentication are critical to preventing data theft, privilege escalation, and persistence.

More than 3.2 million OpenClaw users are affected, including integrations with OpenAI ChatGPT subscriptions, Nvidia NemoClaw, and Tencent ClawPro; unpatched systems remain at risk until adopting the 2026.4.22 update.

Security researcher Vladimir Tokarev is credited with discovering and reporting the Claw Chain flaws.

Patches in newer OpenClaw versions mitigate Claw Chain but the flaws underscore the need for secure sandbox design across AI agent platforms, including enterprise deployments like NemoClaw.

The vulnerabilities enable attackers to blend malicious actions with normal agent behavior, expanding access, persistence, and control within the environment and complicating detection.

OpenClaw has addressed all four vulnerabilities in version 2026.4.22; users should apply the update promptly.

Past issues, such as a January remote code execution via unvalidated WebSocket access, and a broader audit finding of credential theft and backdoors, highlight ongoing security concerns in OpenClaw’s ecosystem.

Patch coverage and attribution emphasize Tokarev’s role and the urgency to upgrade to 2026.4.22 for protection.