Claw Chain: Cyera Research Unveil Four Chainable Vulnerabilities in OpenClaw
ID: e06a2964-64c9-5cc0-b664-e17d8545af92
STIX ID: report--e06a2964-64c9-5cc0-b664-e17d8545af92
Feed Name: Cyera Blogs
Cyera disclosed four critical/severe vulnerabilities in OpenClaw agents (CVE-2026-44112, CVE-2026-44115, CVE-2026-44118, CVE-2026-44113) that enable sandbox read/write escapes, environment-variable/secret disclosure, and privilege escalation. They can be chained from a single malicious plugin or prompt injection to exfiltrate secrets, escalate to owner privileges, and achieve persistence. The flaws were patched on April 23, 2026, but the large number of publicly reachable instances increases the attack surface and the urgency of patching, secret rotation, and network/hardening controls.
