Today's cybersecurity headlines are brought to you by ThreatPerspective


Ethical Hacking News

The OpenClaw Vulnerability Saga: A Thorough Examination of the WhatsApp-to-Host Attack Chain


Researchers Discover Three High-Severity Vulnerabilities in OpenClaw AI Assistant

  • Three high-severity vulnerabilities were discovered in the OpenClaw personal AI assistant.
  • The vulnerabilities could enable credential theft, privilege escalation, and arbitrary code execution on the host.
  • The first two vulnerabilities are rated 8.8 on the Common Vulnerability Scoring System (CVSS) and impact the host execution environment filtering mechanism.
  • The third vulnerability is rated 8.4 on the CVSS scale and allows sandbox bind mounts to bypass parent-directory denylist checks.
  • The vulnerabilities can be exploited by triggering a host code execution from an external message sent via WhatsApp.



  • The security landscape has been abuzz with the recent revelation of three high-severity vulnerabilities in the OpenClaw personal artificial intelligence (AI) assistant, which, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. In this article, we will delve into the intricacies of these vulnerabilities, their impact, and the necessary steps to mitigate them.

    The discovery of these vulnerabilities was attributed to security researcher Chinmohan Nayak, who reported the issues in a series of advisories released last week. According to Nayak, the vulnerabilities could be used to trigger host code execution from an external message sent via WhatsApp. This revelation sparked widespread concern among cybersecurity experts and users alike, as it highlighted the potential for OpenClaw to be exploited for malicious purposes.

    A closer examination of the vulnerabilities reveals that there are three distinct flaws in the OpenClaw AI assistant: GHSA-hjr6-g723-hmfm, GHSA-9969-8g9h-rxwm, and GHSA-575v-8hfq-m3mc. The first two vulnerabilities, both rated 8.8 on the Common Vulnerability Scoring System (CVSS), are described as operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization.

    The third vulnerability, GHSA-575v-8hfq-m3mc, is rated 8.4 on the CVSS scale and is described as a path traversal and link following vulnerability that could allow sandbox bind mounts to bypass parent-directory denylist checks and perform actions that should have been secured with stronger authorization or policy checks.

    According to Nayak, the root cause of these vulnerabilities lies in the "getBlockedReasonForSourcePath()" check, which never checks the reverse — whether a blocked path is under the source (parent directory bypass). This oversight allowed attackers to mount the parent directory "/home" or "/var," effectively undermining the individual blocks.

    The implications of these vulnerabilities are far-reaching and can have significant consequences for users who rely on OpenClaw. Chinmohan Nayak warned that practical impact depends on the operator's configuration and whether lower-trust input can reach that path. However, he also emphasized that security researcher Chinmohan Nayak, who is credited with discovering and reporting the issues, said "practical impact depends on the operator's configuration and whether lower-trust input can reach that path."

    In response to these vulnerabilities, OpenClaw maintainers have released a patch for version 2026.6.6, which addresses all three shortcomings. In addition, they advised users to enable sandbox mode for all non-main sessions, remove "exec" from the tool allowlist for channel-facing agents, and monitor for git clone commands containing the "ext::" external protocol helper that could be abused to run arbitrary system commands.

    Furthermore, OpenClaw recommend restricting the affected feature to trusted operators or disabling it when it is not needed. They also suggested keeping channel and tool allowlists narrow, avoiding sharing one Gateway between mutually untrusted users, and disabling the affected feature when it is not needed.

    In light of these revelations, cybersecurity experts are urging users to take immediate action to protect themselves against potential exploitation of OpenClaw vulnerabilities. This includes updating OpenClaw to the latest version, enabling sandbox mode for all non-main sessions, removing "exec" from the tool allowlist for channel-facing agents, and monitoring for git clone commands containing the "ext::" external protocol helper.

    Moreover, security experts are advising users to restrict the affected feature to trusted operators or disabling it when it is not needed. They also recommended keeping channel and tool allowlists narrow, avoiding sharing one Gateway between mutually untrusted users, and disabling the affected feature when it is not needed.

    In conclusion, the recent discovery of three high-severity vulnerabilities in OpenClaw highlights the importance of regular security updates and patching. It also emphasizes the need for users to remain vigilant and proactive in protecting themselves against potential exploitation of these vulnerabilities. By taking immediate action and implementing recommended mitigations, users can significantly reduce their risk exposure.

    Researchers Discover Three High-Severity Vulnerabilities in OpenClaw AI Assistant



    Related Information:
  • https://www.ethicalhackingnews.com/articles/The-OpenClaw-Vulnerability-Saga-A-Thorough-Examination-of-the-WhatsApp-to-Host-Attack-Chain-ehn.shtml

  • https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html

  • https://vulners.com/thn/THN:AD965B7B750EE3BB6BC478DD173872EB


  • Published: Fri Jul 10 10:22:20 2026 by llama3.2 3B Q4_K_M













    © Ethical Hacking News . All rights reserved.

    Privacy | Terms of Use | Contact Us