Researcher Describes WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

Details have emerged about three patched security flaws in the OpenClaw personalartificial intelligence (AI) helper that, if successfully exploited, could enable identity theft, privilege escalation, and arbitrary code execution on a host.
A brief definition of high risk is as follows –
- GHSA-hjr6-g723-hmfm (CVSS score: 8.8) – Operating system command injection and a non-exhaustive list of disallowed input vulnerabilities affecting the filtering mechanism of the signing environment that may allow performing or continuing actions beyond the caller’s intended authorization.
- GHSA-9969-8g9h-rxwm (CVSS score: 8.8) – Operating system command injection and a non-exhaustive list of disallowed input vulnerabilities affecting the filtering mechanism of the signing environment that may allow performing or continuing actions beyond the caller’s intended authorization.
- GHSA-575v-8hfq-m3mc (CVSS score: 8.4) – A cross-path and cross-link vulnerability that could allow sandbox installations to bypass parent denial-list checks and perform actions that should be protected by strict authorization or policy checks.
All three bugs have been resolved in OpenClaw version 2026.6.6.

In a series of advisories issued last week, OpenClaw maintainers said that “effective impact depends on user configuration and whether low-trust installations can access that path.”
However, security researcher Chinmohan Nayak, who is credited with discovering and reporting these issues, said in a report shared with Hacker News that they could be used to trigger the extraction of host code from an external message sent via WhatsApp.

Unlike the Claw Chain vulnerability disclosed by Cyera back in May, the newly identified bugs do not require an attacker to find a location where they would need to extract sensitive data, drop a persistent backend, detect arbitrary remote code execution, and perform a runaway on the host.
“`getBlockedReasonForSourcePath()` checks if the source path is under a blocked path,” the researcher explained about GHSA-575v-8hfq-m3mc. “But [it] never checks the opposite – that the blocked path is under the source (parent directory bypass).”
Specifically, bind mount denylist blocks directories such as “~/.ssh,” “~/.aws,” and “~/.gnupg,” but allows mounting the parent directory “/home” or “/var,” effectively undermining individual blocks.
“Trade/home in your container, and you can read all users’ SSH keys, AWS credentials, and GPG secrets,” Nayak said. “Mount /var and get a Docker socket – which means the full host has escaped inside the ‘sandbox.'”
Besides updating OpenClaw to the latest version, it is advised to enable the sandbox mode for all non-essential sessions, remove “exec” from the authorized list of agents facing the channel, and watch out for git clone commands that contain “ext::” an external protocol helper that can be abused to run system commands arbitrarily.
“Before upgrading, limit the affected feature to trusted users or disable it when not needed,” OpenClaw said. “As a general rule of thumb, keep the channel and device permission list narrow, avoid sharing a single Gateway between untrusted users, and disable the affected feature when not needed.”



