VYPR
vulnerabilityPublished Jul 10, 2026· 1 source

Three OpenClaw Vulnerabilities Enable WhatsApp-to-Host Attack Chain

A researcher has detailed how three patched vulnerabilities in the OpenClaw AI assistant can be chained to achieve credential theft, privilege escalation, and arbitrary code execution, potentially leading to full host compromise.

A security researcher has uncovered a critical attack chain involving three vulnerabilities within the OpenClaw AI assistant, which, if exploited, could allow an attacker to gain control of the host system. The flaws, now patched by the vendor, could enable credential theft, privilege escalation, and arbitrary code execution, with the potential to be triggered by messages sent via WhatsApp.

The vulnerabilities, identified as GHSA-hjr6-g723-hmfm (CVSS 8.8), GHSA-9969-8g9h-rxwm (CVSS 8.8), and GHSA-575v-8hfq-m3mc (CVSS 8.4), all relate to the host execution environment's filtering mechanisms and path traversal capabilities. The first two flaws involve operating system command injection and incomplete input disallowance, while the third exploits a path traversal and link following issue that bypasses directory denylists.

According to security researcher Chinmohan Nayak, who discovered and reported these issues, the vulnerabilities can be chained together to execute arbitrary code on the host system. Unlike previous attacks that might require an initial foothold, this chain allows for direct exploitation from an external message, such as one sent through WhatsApp, to achieve significant system compromise.

A key aspect of the exploit involves bypassing directory restrictions. The getBlockedReasonForSourcePath() function, intended to prevent access to sensitive directories like ~/.ssh, ~/.aws, and ~/.gnupg, fails to check for reverse path traversal. This means an attacker can mount a parent directory, such as /home or /var, into the container, thereby gaining access to all user SSH keys, AWS credentials, GPG secrets, or even the Docker socket, which grants full host escape.

OpenClaw maintainers have addressed these issues in version 2026.6.6. The advisories released by the company note that the practical impact depends on the operator's configuration and the ability for low-trust input to reach vulnerable paths. However, the researcher's demonstration highlights a plausible and severe attack scenario.

To mitigate these risks, users are advised to update OpenClaw to the latest version. Additional security measures include enabling sandbox mode for all non-main sessions, removing 'exec' from the tool allowlist for channel-facing agents, and monitoring for suspicious git clone commands that utilize the 'ext::' external protocol helper.

OpenClaw also recommends restricting the affected feature to trusted operators or disabling it when not in use. General hardening advice includes maintaining narrow channel and tool allowlists, avoiding shared Gateways between untrusted users, and ensuring the affected feature is only enabled when necessary. These steps are crucial for preventing unauthorized access and maintaining the integrity of host systems running the AI assistant.

The discovery underscores the growing security challenges associated with AI assistants and the critical need for robust vulnerability management and secure coding practices in AI development. As AI tools become more integrated into daily workflows, understanding and mitigating such complex attack chains is paramount for cybersecurity.

Synthesized by Vypr AI