SECURITY ADVISORY High / Critical May 17, 2026

OpenClaw "Claw Chain" RCE Vulnerabilities

Four chained CVEs enabling full RCE-to-persistence in OpenClaw AI gateway — and how Netzilo AIDR stops each stage

Date: May 17, 2026
Severity: High–Critical
CVEs Covered: 4 CVEs (chain)
Action Required: Patch + enable rules

Executive Summary

In May 2026, security researchers disclosed four vulnerabilities in OpenClaw, a widely deployed open-source AI agent gateway used to proxy, route, and enforce policy on LLM traffic. When chained in sequence — a technique researchers named the Claw Chain — the four CVEs allow an unauthenticated attacker to execute arbitrary commands on the server, exfiltrate credentials, write a persistent backdoor, and escalate to gateway-owner privileges, all without user interaction beyond a single tool call.

Between 65,000 and 180,000 OpenClaw servers were publicly exposed at the time of disclosure. Many remain unpatched. The fix is available in OpenClaw version 2026.4.22 and later.

Netzilo AI Edge ships four AIDR signatures that detect and block each stage of the Claw Chain independently. Even if one stage is missed, subsequent signatures catch the next. Customers running Netzilo AIDR are protected regardless of whether their OpenClaw instance has been patched.

Threat Overview

What is OpenClaw?

OpenClaw is an open-source AI agent gateway that sits between AI agents and LLM providers. Organisations deploy it to enforce rate limits, apply content policies, route traffic to different models, and log agent activity. Because it proxies all agent traffic, it holds session context, API credentials for downstream LLM providers, and in many deployments, access to internal tool environments.

This central position makes OpenClaw a high-value target: a single compromise gives an attacker visibility into every agent request, every model response, and potentially every tool the agent can invoke.

The Four Stages of the Claw Chain

STAGE 1

CVE-2026-44115 — Heredoc Shell Expansion Bypass

CVSS 8.8 · High

OpenClaw's shell tool allowlist validates the outer command but does not re-scan heredoc bodies. An attacker passes an approved command (e.g. cat) as the tool call value and embeds a $(...) or backtick expression inside the heredoc body. The shell expands the inner expression at execution time, executing an arbitrary command that was never evaluated against the allowlist.

This is the initial foothold. A malicious AI agent or a prompt-injected legitimate agent can trigger this via a single tool call — no direct access to the OpenClaw administration interface is required.

  • Prerequisite: Ability to make a tool call through OpenClaw
  • Impact: Arbitrary OS command execution in the context of the OpenClaw process
  • Fixed in: OpenClaw 2026.4.22 (heredoc body re-scanned through allowlist)

STAGE 2

CVE-2026-44113 & CVE-2026-44112 — Sandbox Escape via Symlink Race (TOCTOU)

Critical

OpenClaw validates file paths before accessing them (check time), but does not hold a lock or re-validate at the moment of actual access (use time). An attacker exploiting Stage 1 can swap a symlink between the check and the access, redirecting an approved file read or write to any path on the filesystem — including /etc/passwd, ~/.ssh/id_rsa, service account credential files, and .env files containing downstream LLM API keys.

CVE-2026-44112 covers the read direction (credential exfiltration); CVE-2026-44113 covers the write direction (placing attacker-controlled files outside the sandbox). Both exploit the same underlying TOCTOU window.

  • Prerequisite: Stage 1 execution (or any other code execution in the OpenClaw process)
  • Impact: Read or write any file on the host the OpenClaw process can access
  • Fixed in: OpenClaw 2026.4.22 (atomic path resolution with re-validation at access time)
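
The fix note above names the mitigation class (atomic path resolution, re-validated at the moment of access). The following is an added illustration of that class, not OpenClaw's actual patch: each path component is opened relative to the previous directory descriptor with O_NOFOLLOW, so a symlink swapped in between check and use is refused by the kernel at access time rather than by a string check that can go stale. It assumes a Linux/POSIX host (os.O_NOFOLLOW and dir_fd support); the function names and the temporary sandbox layout are constructed for the demo.

```python
"""Added illustration (not OpenClaw's code) of the mitigation class named in the
Stage 2 fix note: resolve and open a sandbox path atomically instead of
validating a string and opening it later. Every component is opened relative
to the previous directory descriptor with O_NOFOLLOW, so a symlink swapped in
between check and use is refused by the kernel at the moment of access.
Assumes Linux/POSIX (os.O_NOFOLLOW, dir_fd support); names are hypothetical."""
import os
import stat
import tempfile


class SandboxEscape(Exception):
    """Raised when a path would leave the sandbox root or traverse a symlink."""


def open_in_sandbox(root: str, rel_path: str, write: bool = False) -> int:
    """Return a file descriptor for root/rel_path without ever following a symlink.

    '..' and absolute paths are rejected lexically; symlinks are rejected by
    O_NOFOLLOW on each openat(), so there is no separate check that can go stale.
    """
    parts = [p for p in rel_path.split("/") if p not in ("", ".")]
    if rel_path.startswith("/") or ".." in parts or not parts:
        raise SandboxEscape(f"path not confined to sandbox: {rel_path!r}")

    dir_fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        # Descend one directory at a time; a symlinked directory fails with ELOOP.
        for name in parts[:-1]:
            try:
                next_fd = os.open(name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=dir_fd)
            except OSError as exc:
                raise SandboxEscape(f"cannot traverse {name!r}: {exc.strerror}") from exc
            os.close(dir_fd)
            dir_fd = next_fd
        flags = os.O_NOFOLLOW | (os.O_RDWR | os.O_CREAT if write else os.O_RDONLY)
        try:
            fd = os.open(parts[-1], flags, 0o600, dir_fd=dir_fd)
        except OSError as exc:
            raise SandboxEscape(f"cannot open {parts[-1]!r}: {exc.strerror}") from exc
    finally:
        os.close(dir_fd)

    # Re-validate on the descriptor we actually hold, not on the path string.
    if not stat.S_ISREG(os.fstat(fd).st_mode):
        os.close(fd)
        raise SandboxEscape("target is not a regular file")
    return fd


def demo() -> dict:
    """Constructed sandbox: one legitimate file and one symlink pointing outside."""
    root = tempfile.mkdtemp(prefix="claw-sandbox-")
    outside = tempfile.mkdtemp(prefix="claw-outside-")
    os.makedirs(os.path.join(root, "mounts"))
    with open(os.path.join(root, "mounts", "ok.txt"), "w") as f:
        f.write("sandbox data\n")
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("outside the sandbox\n")
    # A link inside the sandbox that resolves outside it: the kind of redirect
    # the TOCTOU window lets an attacker introduce.
    os.symlink(os.path.join(outside, "secret.txt"), os.path.join(root, "mounts", "escape.txt"))

    results = {}
    fd = open_in_sandbox(root, "mounts/ok.txt")
    results["ok"] = os.read(fd, 64).decode().strip()
    os.close(fd)
    for label, rel in (("symlink", "mounts/escape.txt"), ("dotdot", "../etc/passwd")):
        try:
            os.close(open_in_sandbox(root, rel))
            results[label] = "OPENED"
        except SandboxEscape as exc:
            results[label] = "REFUSED: " + str(exc)
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "->", v)
```

O_NOFOLLOW only governs the final component of each individual open, which is why the function descends one directory per openat() instead of handing the whole path to a single open() call. The final fstat() on the descriptor is the re-validation step: it inspects what was actually opened, so nothing the attacker does to the path string after that point matters.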

STAGE 3

CVE-2026-44118 — Owner Impersonation via Loopback senderIsOwner Flag

Critical

OpenClaw's inter-process communication layer trusts a senderIsOwner: true flag in connections arriving on the loopback interface (127.0.0.1), granting them gateway-owner privileges — the highest permission tier. In OpenClaw versions before 2026.4.22, this flag is accepted from any local process without cryptographic verification.

An attacker with Stage 1 code execution can connect to OpenClaw's loopback port, include senderIsOwner: true, and immediately invoke owner-only APIs: modifying cron schedules, changing the execution environment, reconfiguring routing rules, or registering new tool endpoints. This is the persistence and escalation step — it survives a restart of the agent that triggered Stage 1.

  • Prerequisite: Stage 1 execution, or any local process on the OpenClaw host
  • Impact: Full gateway-owner control — persistent configuration modification, credential harvest from gateway config, lateral movement via registered tools
  • Fixed in: OpenClaw 2026.4.22 (loopback connections require a signed session token; senderIsOwner flag ignored from non-authenticated connections)

The Full Chain at a Glance

CVE-2026-44115 Heredoc bypass → arbitrary shell execution
CVE-2026-44112 TOCTOU symlink race → read credentials outside sandbox
CVE-2026-44113 TOCTOU symlink race → write backdoor outside sandbox
CVE-2026-44118 Owner impersonation → persistent gateway takeover

Attack Visualization

The two behavior graphs below show the same agent session on peer Demo-Claw-1 — first as it was captured, then after the Netzilo AIDR scanner replayed against the snapshot. Together they tell the complete story: how the attack unfolded and exactly where each CVE was caught.

Before — The Session Snapshot

This is the raw behavior graph as it appears in Netzilo's Session Snapshot view. Every node is an entity the agent interacted with; every edge is an action the agent took. Reading left to right, the timeline of the attack is visible in the topology — but at this point no scanner has run and nothing is flagged.

The sequence starts with the autonomous agent fetching test1.local/payload.sh — the attacker-controlled URL whose response contains the malicious prompt injection. The LLM processes the injected content and emits a shell tool call with the heredoc payload. From that point, sh is the pivot: it spawns curl to download a second-stage script from c2.local, reads /etc/passwd and ~/.ssh/id_rsa via TOCTOU symlink races, writes a cron backdoor to /etc/cron.d/openclaw-persist, then spawns a second curl to call the loopback owner API with senderIsOwner: true.

[Figure: Netzilo AIDR Session Snapshot behavior graph for Demo-Claw-1 showing the full Claw Chain attack topology, all 12 nodes and 14 edges, no detections highlighted.]
Session Snapshot — full attack topology, no scanner results yet. Left to right: injection fetch → LLM processing → heredoc bypass → C2 download → credential reads → cron backdoor → loopback takeover.

After — The Replay Scanner Result

This is the same graph after running the openclaw-claw-chain-full-sequence scanner against the snapshot. The scanner evaluated each event in the session individually and fired at the exact action that constitutes each CVE — not retrospectively across accumulated history.

Yellow edge — the fetch to test1.local is flagged as the injection entry point: this is where attacker-controlled content entered the session. It is the precondition for everything that follows.

Red edges — the five actions where an individual CVE rule fired:

  • EXECUTE_PROCESS OpenClaw → sh — CVE-2026-44115 fires here: the shell tool received a heredoc containing $(curl...). The allowlist approved cat; the heredoc body was never re-scanned.
  • READ_FILE sh → /etc/passwd and ~/.ssh/id_rsa — CVE-2026-44113 fires here: both paths are outside the sandbox boundary and match sensitive credential patterns.
  • WRITE_FILE sh → /etc/cron.d/openclaw-persist — CVE-2026-44112 fires here: write to a path outside the sandbox.
  • HTTP_REQUEST curl → 127.0.0.1:8080 — CVE-2026-44118 fires here: loopback request to the OpenClaw owner API.

Everything else — the LLM calls, the curl subprocess spawned to download the C2 script, the curl that makes the loopback call — is dimmed because it did not directly trigger a detection rule. The nodes and edges that are not part of any fired rule fade into the background, making the five detection points immediately visible.

[Figure: Netzilo AIDR Replay Scanner result for Demo-Claw-1, the same behavior graph with detection highlights: yellow edge to test1.local (injection entry), five red edges where CVE-2026-44115/44113/44112/44118 fired. All non-involved nodes and edges are dimmed.]
Replay Scanner result — yellow = injection entry point (test1.local), red = exact edges where each CVE rule fired. All uninvolved nodes and edges are dimmed. The scanner output panel shows 8 blocked events.

Netzilo AIDR Signatures

The four signatures below map directly to the four stages of the Claw Chain. They operate at the message and behavior layer — inspecting tool call payloads, file access events, and agent behavioral graphs — independently of whether your OpenClaw instance has been patched. Each stage can be caught in isolation; an attacker who slips past Stage 1 detection still hits Stage 2, and so on.

STAGE 1

Signature 1 — openclaw-heredoc-expansion-bypass

High

CVE: CVE-2026-44115

What it detects: Tool call payloads containing a heredoc marker (<<WORD) followed within 500 characters by a $(...) command substitution or a backtick expression. Either pattern inside a heredoc body means the shell will execute something that was never evaluated by the allowlist.

Structural signal: The heredoc marker plus expansion token is a FORMAT signal, independent of what command is embedded. Normal shell variable expansion uses ${VAR} (curly braces); command substitution uses $( (parenthesis). The signature targets the latter specifically to avoid false positives on legitimate variable references.

Action: BLOCK — command substitution inside a heredoc body has no legitimate use case within an AI agent tool call context. Fires before execution reaches OpenClaw's shell backend.
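
As an added example (not Netzilo's signature implementation), the rule described above can be written as a short scanner over shell tool-call payloads: find a heredoc marker, look at the 500 characters that follow it, and block if a $( or backtick appears there, while leaving ${VAR} references alone. The tool-call field layout (arguments.command) and the function names are assumptions; the sample payloads are constructed, two of them being the post-patch check payloads the advisory itself quotes.

```python
"""Added example, not Netzilo's signature code: Signature 1 as the advisory
states it. A heredoc marker (<<WORD or <<-WORD) followed within 500 characters
by "$(" or a backtick is a BLOCK; "${VAR}" is ordinary parameter expansion and
is not matched. Tool-call field names are assumptions."""
import re

# Heredoc marker, optionally with the dash form and a quoted delimiter word.
HEREDOC = re.compile(r"<<-?\s*['\"]?([A-Za-z_][A-Za-z0-9_]*)['\"]?")
# Command substitution tokens. "${" is deliberately absent from this pattern.
SUBSTITUTION = re.compile(r"\$\(|`")
WINDOW = 500  # characters after the marker that the rule inspects


def find_heredoc_expansion(payload: str):
    """Return (marker, expansion token) for the first offending pair, else None."""
    for m in HEREDOC.finditer(payload):
        window = payload[m.end(): m.end() + WINDOW]
        hit = SUBSTITUTION.search(window)
        if hit:
            return m.group(0), hit.group(0)
    return None


def evaluate_tool_call(tool_call: dict) -> dict:
    """Evaluate one shell tool call and return a verdict in the signature's terms."""
    payload = tool_call.get("arguments", {}).get("command", "")
    found = find_heredoc_expansion(payload)
    if found is None:
        return {"action": "ALLOW", "rule": None}
    return {
        "action": "BLOCK",
        "rule": "openclaw-heredoc-expansion-bypass",
        "marker": found[0],
        "expansion": found[1],
    }


# Constructed sample tool calls (the first mirrors the advisory's post-patch check).
SAMPLES = [
    {"name": "shell", "arguments": {"command": "cat <<EOF\n$(whoami)\nEOF"}},
    {"name": "shell", "arguments": {"command": "cat <<EOF\nHello ${USER}, report ready\nEOF"}},
    {"name": "shell", "arguments": {"command": "echo $(date)"}},
    {"name": "shell", "arguments": {"command": "cat <<-CONF\nkey=`id`\nCONF"}},
]


def scan_samples() -> list:
    """Actions for each constructed sample, in order."""
    return [evaluate_tool_call(s)["action"] for s in SAMPLES]


if __name__ == "__main__":
    for s, a in zip(SAMPLES, scan_samples()):
        print(a, repr(s["arguments"]["command"]))
```

The third sample (substitution outside any heredoc) is allowed by this rule on purpose: the rule's scope is the unscanned heredoc body, and substitution in the outer command is what the allowlist already sees. One caveat for tuning: in POSIX shells a quoted delimiter (cat <<'EOF') disables expansion inside the body, so a production rule could treat that form differently; this example follows the advisory's stricter statement and flags it as well.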

STAGE 2

Signature 2 — openclaw-sandbox-escape-file-access

Critical

CVEs: CVE-2026-44113, CVE-2026-44112

What it detects: File read or write events where the resolved path falls outside /openclaw/sandbox/mounts/ AND targets a sensitive location: /etc/, /root/, ~/.ssh/, files named .env, credentials, id_rsa, or other common credential paths. Both conditions must be true simultaneously. The signature also notes whether a subprocess was already spawned in the same session, which raises confidence this is part of a chain rather than a misconfiguration.

Structural signal: Path outside sandbox boundary is necessary but not sufficient alone — the combination with a sensitive target path eliminates most misconfiguration false positives. Writes outside the sandbox (the CVE-2026-44113 direction) are treated as higher severity than reads.

Action: BLOCK on write; SCAN + AI review on read (to distinguish TOCTOU exploitation from legitimate cross-mount access patterns). Any read targeting ~/.ssh/, id_rsa, or known credential files escalates immediately to BLOCK.
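
The two-condition logic above (outside the sandbox AND a sensitive target, with write blocking and reads going to review unless they touch SSH or credential files) is worth seeing as code. The block below is an added example, not Netzilo's implementation: it resolves paths lexically, applies both conditions, and returns the action the advisory specifies, using the read/write CVE mapping from the Stage 2 description. The sandbox root is the one named above; the home directory, event field names and sample events are constructed.

```python
"""Added example, not Netzilo's code: Signature 2 decision logic as the advisory
describes it, run over constructed file-access events. Fires only when the
resolved path is outside the sandbox root AND matches a sensitive location.
WRITE -> BLOCK; READ -> SCAN, escalated to BLOCK for SSH/credential files.
Home directory, event fields and samples are assumptions."""
import posixpath
import re

SANDBOX_ROOT = "/openclaw/sandbox/mounts/"
HOME = "/home/openclaw"  # assumed home directory used to expand "~"

SENSITIVE_DIRS = ("/etc/", "/root/", HOME + "/.ssh/")
# File names the advisory lists as sensitive.
SENSITIVE_NAMES = re.compile(r"(^|/)(\.env|credentials|id_rsa)$")
# Reads of these escalate straight to BLOCK instead of SCAN.
CREDENTIAL_READ_BLOCK = re.compile(r"(^|/)(\.ssh/|id_rsa$|credentials$)")


def resolve(path: str) -> str:
    """Lexical resolution only (expand ~, collapse ..); enough to show the rule."""
    if path.startswith("~"):
        path = HOME + path[1:]
    return posixpath.normpath(path)


def outside_sandbox(path: str) -> bool:
    return not resolve(path).startswith(SANDBOX_ROOT)


def is_sensitive(path: str) -> bool:
    p = resolve(path)
    return p.startswith(SENSITIVE_DIRS) or bool(SENSITIVE_NAMES.search(p))


def evaluate_file_event(event: dict, subprocess_seen: bool = False) -> dict:
    """Return the signature's verdict for one READ_FILE / WRITE_FILE event."""
    path = event["path"]
    if not (outside_sandbox(path) and is_sensitive(path)):
        return {"action": "ALLOW", "rule": None}
    resolved = resolve(path)
    verdict = {
        "rule": "openclaw-sandbox-escape-file-access",
        "path": resolved,
        # Raises confidence that this is a chain step, not a misconfiguration.
        "chain_context": subprocess_seen,
    }
    if event["op"] == "WRITE_FILE":
        verdict.update(action="BLOCK", cve="CVE-2026-44113")
    elif CREDENTIAL_READ_BLOCK.search(resolved):
        verdict.update(action="BLOCK", cve="CVE-2026-44112")
    else:
        verdict.update(action="SCAN", cve="CVE-2026-44112")
    return verdict


# Constructed events: one in-sandbox read, a traversal to /etc/passwd, an SSH key
# read, the cron backdoor write from the advisory, and a benign out-of-sandbox read.
EVENTS = [
    {"op": "READ_FILE", "path": "/openclaw/sandbox/mounts/data/input.csv"},
    {"op": "READ_FILE", "path": "/openclaw/sandbox/mounts/../../../etc/passwd"},
    {"op": "READ_FILE", "path": "~/.ssh/id_rsa"},
    {"op": "WRITE_FILE", "path": "/etc/cron.d/openclaw-persist"},
    {"op": "READ_FILE", "path": "/var/lib/openclaw/cache/model.bin"},
]


def scan_events() -> list:
    return [evaluate_file_event(e, subprocess_seen=True) for e in EVENTS]


if __name__ == "__main__":
    for e, v in zip(EVENTS, scan_events()):
        print(v["action"], e["op"], e["path"])
```

The last sample shows why both conditions are required: a cache file under /var/lib is outside the sandbox but not a sensitive target, so it passes, which is exactly the misconfiguration false positive the advisory wants to avoid. The /etc/passwd read fires but goes to SCAN rather than BLOCK, matching the read-side action above.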

STAGE 3

Signature 3 — openclaw-owner-impersonation

Critical

CVE: CVE-2026-44118

What it detects (signal A — content): Any payload containing senderIsOwner: true or "senderIsOwner":true. On unpatched OpenClaw versions (<2026.4.22), this flag in a loopback connection grants gateway-owner privileges unconditionally. Its presence in traffic is a direct indicator of exploitation.

What it detects (signal B — behavioral): An agent that establishes a loopback connection (127.0.0.1, localhost, ::1) and then, within the same session, calls a tool whose name matches owner-level operations: gateway configuration, cron scheduling, execution environment modification, or routing rule changes. This behavioral sequence catches the attack even on patched instances where the flag is stripped, since the attacker's pattern of action remains the same.

Action: BLOCK on content signal (immediate — the flag appearing in traffic is unambiguous on unpatched instances). SCAN + AI review on behavioral signal (to distinguish legitimate owner-initiated configuration from attacker-driven loopback escalation).

CHAIN

Signature 4 — openclaw-claw-chain-full-sequence

Correlated

CVEs: CVE-2026-44115, CVE-2026-44113, CVE-2026-44112, CVE-2026-44118

What it detects: The session-level correlator. On every tool call, it evaluates how many Claw Chain stages are visible in the behavior graph for the current agent session: subprocess spawned (Stage 1), sensitive file accessed outside sandbox (Stage 2), file written outside sandbox (Stage 3), loopback connection established (Stage 4). Each observed stage increments a per-session counter.

Why this exists alongside the three individual signatures: An attacker who uses a novel variant that slightly changes one stage's payload structure may evade the individual signature while the behavioral fingerprint of the overall chain remains unchanged. The correlator does not depend on payload content — it depends on what the agent actually does.

Action: REPORT at 2 stages (log the chain progression, allow traffic — may still be benign behavior coincidence); BLOCK at 3 or more stages (statistically near-certain attack in progress). Threshold can be lowered to 2 after baseline validation in your environment.
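
Signature 3 and Signature 4 both reason over the session rather than a single payload, so one added example serves both passages. It is not Netzilo's code: it walks a constructed per-session event stream in arrival order, applies the senderIsOwner content signal and the loopback-then-owner-tool behavioral signal from Signature 3, and keeps the Signature 4 stage set with REPORT at 2 stages and BLOCK at 3 or more. Event types, field names, the owner-level tool name pattern and the loopback port are assumptions; the attack session mirrors the Demo-Claw-1 sequence described earlier, and the benign session shows the two-stage REPORT case.

```python
"""Added example, not Netzilo's code: Signature 3 (owner impersonation) and
Signature 4 (chain correlator) evaluated over a constructed per-session event
stream. Stage definitions and thresholds follow the advisory; event schema,
owner-tool patterns and the loopback port are assumptions."""
import posixpath
import re

SANDBOX_ROOT = "/openclaw/sandbox/mounts/"
REPORT_AT, BLOCK_AT = 2, 3  # Signature 4 default thresholds

OWNER_FLAG = re.compile(r"""senderIsOwner["']?\s*[:=]\s*true""", re.IGNORECASE)
LOOPBACK = re.compile(r"^(https?://)?(127\.0\.0\.1|localhost|\[::1\]|::1)(:\d+)?(/|$)")
OWNER_TOOLS = re.compile(r"(gateway[_.]config|cron|exec[_.]env|routing)", re.IGNORECASE)
SENSITIVE = re.compile(r"^(/etc/|/root/|/home/[^/]+/\.ssh/)|(^|/)(\.env|credentials|id_rsa)$")


def outside_sandbox(path: str) -> bool:
    return not posixpath.normpath(path).startswith(SANDBOX_ROOT)


class SessionState:
    """Per-session bookkeeping shared by both signatures."""
    def __init__(self) -> None:
        self.stages = set()        # chain stages seen, numbered as Signature 4 counts them
        self.loopback_seen = False
        self.last_count = 0


def evaluate_event(state: SessionState, event: dict) -> list:
    """Return the verdicts this event fires (possibly none) and update state."""
    verdicts = []
    etype = event["type"]
    # Signature 4 bookkeeping: what the agent did, independent of payload content.
    if etype == "EXECUTE_PROCESS":
        state.stages.add(1)
    elif etype == "READ_FILE" and outside_sandbox(event["path"]) and SENSITIVE.search(event["path"]):
        state.stages.add(2)
    elif etype == "WRITE_FILE" and outside_sandbox(event["path"]):
        state.stages.add(3)
    elif etype == "HTTP_REQUEST" and LOOPBACK.match(event["url"]):
        state.stages.add(4)
        state.loopback_seen = True
    # Signature 3, signal A: the owner flag in any payload is a direct indicator.
    if OWNER_FLAG.search(event.get("body", "")):
        verdicts.append({"rule": "openclaw-owner-impersonation", "signal": "A", "action": "BLOCK"})
    # Signature 3, signal B: loopback connection, then an owner-level tool call.
    if etype == "TOOL_CALL" and state.loopback_seen and OWNER_TOOLS.search(event["tool"]):
        verdicts.append({"rule": "openclaw-owner-impersonation", "signal": "B", "action": "SCAN"})
    # Signature 4: act each time the stage count grows past a threshold.
    count = len(state.stages)
    if count != state.last_count:
        state.last_count = count
        if count >= BLOCK_AT:
            verdicts.append({"rule": "openclaw-claw-chain-full-sequence", "stages": sorted(state.stages), "action": "BLOCK"})
        elif count >= REPORT_AT:
            verdicts.append({"rule": "openclaw-claw-chain-full-sequence", "stages": sorted(state.stages), "action": "REPORT"})
    return verdicts


def run_session(events: list) -> list:
    """Evaluate events in arrival order; returns (event index, verdict) pairs."""
    state = SessionState()
    fired = []
    for i, ev in enumerate(events):
        for v in evaluate_event(state, ev):
            fired.append((i, v))
    return fired


# Constructed session mirroring the Demo-Claw-1 sequence in the advisory.
ATTACK_SESSION = [
    {"type": "HTTP_REQUEST", "url": "http://test1.local/payload.sh"},
    {"type": "TOOL_CALL", "tool": "shell", "body": "cat <<EOF\n$(id)\nEOF"},
    {"type": "EXECUTE_PROCESS", "process": "sh"},
    {"type": "HTTP_REQUEST", "url": "http://c2.local/stage2.sh"},
    {"type": "READ_FILE", "path": "/etc/passwd"},
    {"type": "READ_FILE", "path": "/home/openclaw/.ssh/id_rsa"},
    {"type": "WRITE_FILE", "path": "/etc/cron.d/openclaw-persist"},
    {"type": "HTTP_REQUEST", "url": "http://127.0.0.1:8080/owner", "body": '{"senderIsOwner":true,"op":"cron.set"}'},
    {"type": "TOOL_CALL", "tool": "gateway.config.set", "body": "{}"},
]
# Constructed benign session: a subprocess plus a log write outside the sandbox
# reaches two stages (REPORT only); the owner tool call has no loopback before it.
BENIGN_SESSION = [
    {"type": "EXECUTE_PROCESS", "process": "sh"},
    {"type": "WRITE_FILE", "path": "/var/log/openclaw/run.log"},
    {"type": "TOOL_CALL", "tool": "gateway.config.set", "body": "{}"},
]

if __name__ == "__main__":
    for name, session in (("attack", ATTACK_SESSION), ("benign", BENIGN_SESSION)):
        for i, v in run_session(session):
            print(name, "event", i, v["action"], v["rule"])
```

In the attack session the correlator reports at the /etc/passwd read (stages 1 and 2), blocks at the cron write (stage 3) before the loopback call is ever made, and the content signal fires independently on the loopback request body; the owner-tool call afterwards lands in SCAN because a loopback connection preceded it in the same session. The benign session stops at REPORT, which is the case the one-week baseline period above is meant to surface before the threshold is lowered.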

CVE Coverage Matrix

CVE             Chain Stage                                   CVSS  AIDR Signature               Fixed In
CVE-2026-44115  Stage 1 — Heredoc expansion bypass            8.8   ✓ Signature 1 + Signature 4  2026.4.22
CVE-2026-44112  Stage 2 — TOCTOU read (credential theft)      9.1   ✓ Signature 2 + Signature 4  2026.4.22
CVE-2026-44113  Stage 2 — TOCTOU write (backdoor plant)       9.1   ✓ Signature 2 + Signature 4  2026.4.22
CVE-2026-44118  Stage 3 — Owner impersonation / persistence   9.8   ✓ Signature 3 + Signature 4  2026.4.22

Recommended Actions

Step 1 — Patch OpenClaw immediately

All four CVEs are fixed in OpenClaw version 2026.4.22. If you operate an OpenClaw instance, update before proceeding to the AIDR steps below. Patching eliminates the root causes; AIDR signatures provide defense-in-depth for unpatched instances and for novel variants of these attack patterns.

  • Check your running version: openclaw --version
  • Update via your package manager or the OpenClaw GitHub releases page
  • After update, confirm heredoc re-scanning is active: a tool call containing cat <<EOF\n$(whoami)\nEOF should be blocked at the gateway level, not reach the shell backend

Step 2 — Deploy AIDR Signatures

The four AIDR signatures are available in your scanner library. Attach them to every Filter that covers agents with access to OpenClaw or shell tools. Follow these steps.

Open the Filter you want to protect

In the AIDR console, navigate to Filters. Open the Filter applied to your AI agents. If you do not yet have a filter, create one using the + New Filter button and set its Targets and Agents before proceeding.

Go to the Scanners tab

Inside the Edit Filter panel, click the Scanners tab. You will see all scanners currently attached to this filter. Click Browse Scanners and search for each of the following, then click Add:

  • openclaw-heredoc-expansion-bypass — blocks heredoc + command substitution payloads (Stage 1 / CVE-2026-44115)
  • openclaw-sandbox-escape-file-access — blocks file access outside sandbox boundary to sensitive paths (Stage 2 / CVE-2026-44112, 44113)
  • openclaw-owner-impersonation — blocks senderIsOwner flag and loopback escalation attempts (Stage 3 / CVE-2026-44118)
  • openclaw-claw-chain-full-sequence — session-level correlator; reports at 2 chain stages, blocks at 3 or more (all CVEs)

Save Changes and verify scope

  • Click Save Changes. All four signatures activate immediately.
  • Repeat for every filter covering agents with shell tool or OpenClaw access.
  • To confirm Signature 1 is active: trigger a test tool call payload containing cat <<EOF\n$(id)\nEOF — the gateway should return a block from openclaw-heredoc-expansion-bypass.

Monitor and tune the chain correlator

After deployment, run openclaw-claw-chain-full-sequence at its default threshold (report at 2 stages, block at 3) for at least one week. Review any 2-stage reports in the AIDR alerts dashboard. If no false positives appear, lower the block threshold to 2 in the scanner configuration. The stage breakdown in each alert tells you exactly which behavioral events contributed to the match.

Quick checklist

  • Update OpenClaw to 2026.4.22 or later
  • Verify post-patch: heredoc + $(id) is blocked at the gateway level
  • AIDR console → each MCP/shell-scoped Filter → Scanners tab → add all four OpenClaw signatures
  • Save Changes — signatures activate immediately
  • Repeat for every filter covering agents with OpenClaw or shell tool access
  • Monitor alerts dashboard for 7 days; lower chain correlator threshold to 2 if no false positives


Need help deploying these signatures?

Netzilo AIDR customers: all four OpenClaw Claw Chain signatures are already available in your scanner library. Contact us if you need assistance attaching them to your filters or tuning the chain correlator threshold.