Back to Feed
VulnerabilitiesJul 10, 2026

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

Three high-severity OpenClaw AI flaws enable WhatsApp-to-host attack chain with credential theft and RCE.

Summary

Security researcher Chinmohan Nayak disclosed three patched vulnerabilities in OpenClaw personal AI assistant (CVSS 8.4-8.8) that can be exploited via external WhatsApp messages to achieve host code execution without prior foothold. The flaws include OS command injection, incomplete input filtering, and path traversal allowing sandbox bypass via parent directory manipulation. OpenClaw version 2026.6.6 addresses all three issues; users are advised to enable sandbox mode, restrict tool allowlists, and monitor for suspicious git clone commands.

Full text

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws Ravie LakshmananJul 10, 2026AI Security / Vulnerability Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. GHSA-9969-8g9h-rxwm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. GHSA-575v-8hfq-m3mc (CVSS score: 8.4) - A path traversal and link following vulnerability that could allow sandbox bind mounts to bypass parent-directory denylist checks and perform actions that should have been secured with stronger authorization or policy checks. All three shortcomings have been addressed in OpenClaw version 2026.6.6. In a series of advisories released last week, OpenClaw maintainers said "practical impact depends on the operator's configuration and whether lower-trust input can reach that path." However, security researcher Chinmohan Nayak, who is credited with discovering and reporting the issues, said in a report shared with The Hacker News that they can be used to trigger host code execution from an external message sent via WhatsApp. Unlike the Claw Chain vulnerabilities disclosed by Cyera back in May, the newly identified bugs do not require an attacker to establish a prior foothold in order to extract sensitive data, drop a persistent backdoor, obtain arbitrary remote code execution, and facilitate an escape to the host. "`getBlockedReasonForSourcePath()` checks if the source path is under a blocked path," the researcher explained about GHSA-575v-8hfq-m3mc. "But [it] never checks the reverse — whether a blocked path is under the source (parent directory bypass)." Specifically, the bind mount denylist blocks directories like "~/.ssh," "~/.aws," and "~/.gnupg,” but allows mounting the parent directory "/home" or "/var," effectively undermining the individual blocks. "Mount /home into your container, and you can read every user's SSH keys, AWS credentials, and GPG secrets," Nayak said. "Mount /var and you get the Docker socket – which means full host escape from inside the 'sandbox.'" Besides updating OpenClaw to the latest version, it's advised to enable sandbox mode for all non-main sessions, remove "exec" from the tool allowlist for channel-facing agents, and monitor for git clone commands containing the "ext::" external protocol helper that could be abused to run arbitrary system commands. "Before upgrading, restrict the affected feature to trusted operators or disable it when it is not needed," OpenClaw said. "As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed." Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  AI Security, Application Security, Code Execution, Container Security, Messaging Security, Open Source, privilege escalation, Sandbox Escape, Vulnerability ⚡ Top Stories This Week ThreatsDay: AI Compute Hijacking, Apple Email Flaw, BlueHammer Ransomware + 14 Stories Chrome Ad Blocker with 10M+ Installs Found with Dormant Script Injection Capability New DirtyClone Linux Kernel Flaw Lets Local Users Gain Root via Cloned Packets Amazon Q Developer Flaw Could Let Malicious Repos Run Code via MCP Configs New Linux pedit COW Exploit Enables Root Access by Poisoning Cached Binaries OpenAI Previews GPT-5.6 Sol With Restricted Access and Stronger Cyber Safeguards FBI Warns Russian Intelligence Hackers Target Signal Backup Recovery Keys Public PoC Released for Critical libssh2 CVE-2026-55200 Client-Side SSH Flaw Microsoft Removes 119 Edge Extensions That Hid Malware in Images and Fonts ⚡ Weekly Recap: Linux Kernel Flaws, AI Malware Tricks, Turla Backdoor, Infostealers and More Mustang Panda Uses Zoho WorkDrive as Command Channel in Indian Government Attacks WhatsApp is Finally Getting Usernames to Help Keep Phone Numbers Private Oracle E-Business Suite Flaw CVE-2026-46817 Actively Exploited in the Wild New BioShocking Attack Tricks AI Browsers Into Leaking User Credentials AirDrop and Quick Share Flaws Let Nearby Attackers Trigger Crashes and Bypass Checks 282 iOS AI Apps Leak API Keys and Open AI Proxy Access in Network Traffic Study GuardFall Exposes Open-Source AI Coding Agents to Decades-Old Shell Injection Risks Microsoft Warns Poisoned MCP Tool Descriptions Can Make AI Agents Leak Data RustDuck Botnet Rebuilds in Rust to Hijack Routers and Servers for DDoS ⭐ Featured Resources What 200+ Security Teams Reveal About Using IP Intelligence in 2026 Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets Get Gartner’s Guide to AI Agent Supervision and Runtime Controls

Entities

OpenClaw (product)WhatsApp (technology)Chinmohan Nayak (researcher) (threat_actor)