Claw Chain Attack: Four-CVEs Chained Vulnerability Drops Amid Enterprise Rush

A landmark security advisory landed this week: the Claw Chain attack, published by IANS Research, describes a four-CVE exploit chain that turns OpenClaw’s well-documented partial sandbox into a full host compromise path.

The chain

The attack links four vulnerabilities:

  • CVE-2026-44115 — Logic flaw exposing stored API keys and provider credentials
  • CVE-2026-44118 — Privilege escalation to host-level permissions
  • CVE-2026-43527 and CVE-2026-43582 — Critical flaws identified by the Financial Security Authority in a parallel advisory

With API key stores in scope, a successful exploit can drain cloud provider budgets — not just compromise a single machine. The advisory arrives as OpenClaw crosses 368,000 GitHub stars and is being deployed at enterprise scale faster than the governance model can keep up.

Context: an honest sandbox

OpenClaw’s own documentation has been candid: “not a perfect security boundary.” The Claw Chain attack exploits that honesty. An academic paper on arXiv (2605.23330v1) published earlier this week provided the first systematic academic analysis of OpenClaw’s security surface, framing the blast radius of a gateway compromise as categorically larger than a chatbot breach — the gateway holds credentials, messaging accounts, filesystems, and session history simultaneously.

Immediate actions

For production deployments:

  1. Update to v2026.5.22+ (this release addressed the vulnerabilities)
  2. Rotate all API keys stored in the gateway
  3. Enable tools.exec.host=sandbox if not already set
  4. Audit installed skills against the ClawHavoc known-bad list

A separate CVE (CVE-2026-4039, Skill Env Handler / applySkillConfigenvOverrides) was documented by Endor Labs, affecting OpenClaw 2026.2.19-2. Teams on pre-2026.2.12 releases are exposed to 40+ unpatched vulnerabilities.

The irony

OpenClaw’s transparency about its sandbox limitations is simultaneously a feature (users know what they’re getting) and a liability (attackers know exactly where to probe). The project’s breakneck growth — from side project to enterprise infrastructure in months — has outpaced the security governance timeline. NVIDIA’s NemoClaw governance layer, announced at GTC, is explicitly designed to address exactly this class of risk, but the fork’s alpha release only landed in May.

This is the cost of being the fastest-growing open-source project in history: the attack surface is now a legitimate, high-value target.

📦 Advisory via IANS Research · arXiv paper 2605.23330v1

← Back to News