Cybersecurity researchers have disclosed a set of flaws affecting OpenClaw that, chained together, enable everything from information theft to privilege escalation and the installation of persistent backdoors. Cyera named the set "Claw Chain": four vulnerabilities that, exploited in sequence, let an attacker enter the agent's sandbox, extract secrets, impersonate the agent's owner and finally modify the configuration to persist in the environment.
The flaws include two TOCTOU race conditions that allow writes or reads outside the intended mount tree (CVE-2026-44112 and CVE-2026-44113), incomplete input validation that can be bypassed through shell expansions in heredocs (CVE-2026-44115), and a broken access control that trusts a client-controlled header called senderIsOwner, which lets non-owner clients escalate their privileges (CVE-2026-44118). Each is serious on its own, but the real risk comes from the chain: malicious code gains execution in the sandbox, extracts credentials and sensitive files, obtains "owner" tokens and finally plants persistence mechanisms and backdoors.

Because the adversary uses the agent itself to move within the environment, the activity looks legitimate to traditional controls: calls, file access and configuration changes benefit from the trust already granted to the agent, which widens the blast radius and complicates detection. It is therefore essential to address both technical remediation and operational hygiene to reduce the exposure window and the potential impact.
OpenClaw published fixes and mitigations in version 2026.4.22 following responsible disclosure; the credited discoverer is Vladimir Tokarev. For technical background on the classes of flaw involved, see public resources on race conditions and input validation, for example the MITRE entry on TOCTOU, CWE-367 (https://cwe.mitre.org/data/definitions/367.html), and Cyera's notes on the finding and the classification of the threat (https://www.cyera.com).
If you manage OpenClaw instances, the immediate priority is to update to the patched version. Beyond updating, act on several fronts: revoke and reissue credentials and tokens that may have been exposed, restrict the installation of plugins or external integrations until their integrity is verified, and apply segmentation controls to limit which resources agents can reach. Review logs and telemetry for atypical agent behavior (mass reads of sensitive files, writes outside permitted paths, or changes to scheduled tasks), because the chain the attacker follows imitates legitimate operations.

From a development and architecture perspective, the lessons are clear: do not trust client-controlled flags for authorization decisions; derive owner status from authenticated tokens and server-side context, as the maintainers have already done by issuing separate tokens for owner and non-owner. Avoid TOCTOU with atomic operations, file locking or checks that do not depend on unsafe time windows, and sanitize and restrict any shell expansion in complex inputs such as heredocs.
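The TOCTOU advice above, as an added example that is not OpenClaw's code: a check-then-use read next to a descriptor-based one that leaves no window between validation and use. The function names are hypothetical and the code assumes a POSIX system (`dir_fd`, `O_NOFOLLOW`).

```python
import os

def read_check_then_use(root: str, relpath: str) -> bytes:
    """Racy pattern (CWE-367): the check and the open resolve the name separately."""
    full = os.path.join(root, relpath)
    if not os.path.realpath(full).startswith(os.path.realpath(root) + os.sep):
        raise PermissionError(f"outside root: {relpath!r}")
    # Window: a component of `full` can be replaced by a symlink right here.
    with open(full, "rb") as f:
        return f.read()

def open_beneath(root: str, relpath: str, flags: int = os.O_RDONLY) -> int:
    """Open relpath under root one component at a time, never following symlinks.

    Every lookup is relative to a directory fd that is already open, so the
    directory that was validated is the directory the next lookup uses.
    """
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError(f"outside root: {relpath!r}")
    dirfd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for name in parts[:-1]:
            nxt = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW,
                          dir_fd=dirfd)
            os.close(dirfd)
            dirfd = nxt
        # O_NOFOLLOW makes the final open fail if the last component is a symlink.
        return os.open(parts[-1], flags | os.O_NOFOLLOW, 0o600, dir_fd=dirfd)
    finally:
        os.close(dirfd)

def read_beneath(root: str, relpath: str) -> bytes:
    """Read a file under root through the symlink-safe open."""
    with os.fdopen(open_beneath(root, relpath), "rb") as f:
        return f.read()
```
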
For detection and response, add controls that look not only for signatures but also for abnormal agent behavior patterns: sudden privilege elevation, access to secrets outside the intended scope, or frequent changes to the runtime configuration. Complement this with EDR or EDR-like tooling, file integrity monitoring and least-privilege policies in the agent's runtime. If you suspect a compromise, carry out containment that includes isolating the agent, extracting forensic artifacts and restoring from known-good images after rotating secrets.
Claw Chain is a reminder that management and automation agents are valuable targets: they act with privileges, and their normal behavior can hide exploitation. Update, audit and restrict, and treat this case as an example for strengthening input validation and the strict separation of tokens and responsibilities in any agent-based architecture.
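The token separation recommended above, as an added example that is not OpenClaw's code: a check that trusts the client-set `senderIsOwner` flag next to one that derives the role only from which server-issued token was presented. The request shape, the bearer scheme and the action names are assumptions made for illustration.

```python
import hmac
import secrets
from typing import Optional

# Constructed sample tokens: the server issues one per role and keeps both secret.
OWNER_TOKEN = secrets.token_urlsafe(32)
NON_OWNER_TOKEN = secrets.token_urlsafe(32)

# Hypothetical action names that only the owner may perform.
OWNER_ONLY_ACTIONS = {"config.write", "secrets.read"}

def is_owner_vulnerable(request: dict) -> bool:
    """'Before' pattern: the caller decides its own privilege level."""
    return request.get("headers", {}).get("senderIsOwner") == "true"

def role_from_token(request: dict) -> Optional[str]:
    """Return 'owner', 'non-owner' or None, based only on the presented token."""
    auth = request.get("headers", {}).get("Authorization", "")
    scheme, _, presented = auth.partition(" ")
    if scheme != "Bearer" or not presented:
        return None
    candidate = presented.encode()
    # Constant-time comparisons; both are evaluated before deciding.
    owner = hmac.compare_digest(candidate, OWNER_TOKEN.encode())
    non_owner = hmac.compare_digest(candidate, NON_OWNER_TOKEN.encode())
    if owner:
        return "owner"
    return "non-owner" if non_owner else None

def authorize(request: dict, action: str) -> bool:
    """Server-side decision; any senderIsOwner value in the request is ignored."""
    role = role_from_token(request)
    if role is None:
        return False
    return role == "owner" or action not in OWNER_ONLY_ACTIONS
```
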