Open-source personal AI agent framework OpenClaw released the v2026.5.18 version on May 18, with key updates including switching the Android client to real-time voice sessions based on gateway relaying, and fully unlocking support for multi-model configuration. At the same time, data security firm Cyera disclosed that researchers found four security vulnerabilities in OpenClaw that can be chained together (collectively referred to as the “claw chain”).
## Main confirmed updates in v2026.5.18
Android real-time voice: streaming microphone input + real-time audio playback + tool-result bridging + on-screen real-time subtitles; mobile users can wake by voice and run local toolchains
Full unlock of GPT-5: remove configuration blocks for GPT-5.1, GPT-5.2, GPT-5.3, and openai-codex; remove forced abbreviated truncation for GPT-5 final responses; enable strict agent execution to automatically write logs
defineToolPlugin minimalist plugin interface: includes openclaw plugins build, validate, and init command-line tools; supports strongly typed declarations and automatically generates manifest and context factories
Memory-core incremental startup synchronization: during startup, only files that are missing, changed, or have size changes are incrementally indexed, significantly reducing cold-start time
## Claw chain vulnerabilities: confirmed details of four CVEs
Affected scope: all OpenClaw versions before April 23, 2026 (v2026.4.22) have been patched in v2026.4.22 and later versions.
CVE-2026-44112 (CVSS 9.6, most severe): a time-of-check time-of-use (TOCTOU) vulnerability in the OpenShell sandbox, allowing modification of system configuration files, implanting backdoors, and achieving persistent system-level control
CVE-2026-44115 (CVSS 8.8): a logic flaw that allows access to API keys, tokens, credentials, and sensitive data
CVE-2026-44118 (CVSS 7.8): a privilege-escalation vulnerability caused by improper session validation
CVE-2026-44113 (CVSS 7.8): another TOCTOU vulnerability that enables unauthorized access to configuration files and credentials
Attack chain (confirmed by Cyera): an attacker can gain initial foothold through a malicious plugin or by tampering with prompts → exploit read/command-execution vulnerabilities to collect credentials → obtain administrative control through the privilege-escalation vulnerability → implant a backdoor to establish persistent access. Cyera noted: “Each step looks like normal agent behavior to traditional control measures, significantly increasing detection difficulty.”
## FAQ
#### The claw chain vulnerabilities have been patched—what actions should existing users take?
Based on Cyera’s report, all four vulnerabilities affected versions before v2026.4.22, and maintainers have completed the patches. Users should confirm they have updated to v2026.4.22 or later versions (including the latest v2026.5.18) to eliminate the above vulnerability risks.
#### Why is OpenClaw more likely to become a high-risk attack target than typical software?
OpenClaw requires high-trust system access, including the file system, terminal environment, development tools, messaging platforms, calendars, APIs, and other connected systems. Justin Fier confirmed that because the access permissions granted to the agent itself are inherently trusted, any related traffic may appear to be normal behavior, and every step in the attack chain is difficult for traditional security monitoring tools to identify.
#### What other previously recorded security vulnerabilities has OpenClaw had?
OpenClaw (originally named Clawdbot, later renamed MoltBot, released in November 2025) has had multiple recorded vulnerabilities since going live, including: CVE-2026-25253 (token theft), CVE-2026-24763/25157/25475 (command and prompt-character injection), and a vulnerability reported last month by Oasis Security that allowed attackers to hijack AI agents via a malicious website.
