Recent disclosures have unveiled three critical vulnerabilities in the OpenClaw personal AI assistant, which, if exploited, could lead to credential theft, privilege escalation, and arbitrary code execution on the host system. These flaws have been addressed in OpenClaw version 2026.6.6.
Details of the Vulnerabilities
The identified vulnerabilities are as follows:
- GHSA-hjr6-g723-hmfm (CVSS score: 8.8): This flaw involves an operating system command injection and an incomplete list of disallowed inputs within the host execution environment filtering mechanism. Exploitation could allow unauthorized execution or persistence of actions beyond the caller’s intended authorization.
- GHSA-9969-8g9h-rxwm (CVSS score: 8.8): Similar to the first, this vulnerability pertains to command injection and insufficient input filtering, potentially enabling unauthorized actions.
- GHSA-575v-8hfq-m3mc (CVSS score: 8.4): This issue involves path traversal and link following vulnerabilities, allowing sandbox bind mounts to bypass parent-directory denylist checks and perform unauthorized actions.
Exploitation via WhatsApp
Security researcher Chinmohan Nayak, who discovered these vulnerabilities, demonstrated that they could be exploited through external messages sent via WhatsApp. Unlike previous vulnerabilities that required prior access, these flaws can be leveraged without an initial foothold, enabling attackers to extract sensitive data, install persistent backdoors, execute arbitrary code remotely, and escape to the host system.
Specifically, the vulnerability GHSA-575v-8hfq-m3mc fails to check if a blocked path is under the source directory, allowing attackers to mount directories like /home or /var. This oversight grants access to users’ SSH keys, AWS credentials, GPG secrets, and even the Docker socket, facilitating full host escape from within the sandbox environment.
Mitigation Measures
To mitigate these risks, users are advised to:
- Update OpenClaw to version 2026.6.6.
- Enable sandbox mode for all non-main sessions.
- Remove “exec” from the tool allowlist for channel-facing agents.
- Monitor for
git clonecommands containing the “ext::” external protocol helper, which could be exploited to run arbitrary system commands.
OpenClaw maintainers recommend restricting the affected feature to trusted operators or disabling it when not needed. Additionally, maintaining narrow channel and tool allowlists, avoiding shared Gateways between untrusted users, and disabling unnecessary features are advised for general hardening.
These vulnerabilities underscore the importance of rigorous security assessments in AI assistants and the potential risks associated with integrating such technologies with widely used communication platforms like WhatsApp. Users should promptly apply the recommended updates and adhere to best practices to safeguard their systems against potential exploits.