- Three high-severity flaws in the OpenClaw AI assistant (CVSS 8.8, 8.8, 8.4) could enable credential theft, privilege escalation, and arbitrary code execution.
- Researcher Chinmohan Nayak demonstrated host code execution by sending a WhatsApp message to an OpenClaw agent, exploiting sandbox escape and command injection.
- All vulnerabilities have been patched in version 2026.6.6; users should upgrade and restrict tool allowlists to mitigate risks.
Details have emerged about three now-patched security flaws in the OpenClaw personal AI assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. The high-severity vulnerabilities include two operating system command injection bugs (GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm) both rated CVSS 8.8, and a path traversal flaw (GHSA-575v-8hfq-m3mc) rated CVSS 8.4.
The path traversal issue allows sandbox bind mounts to bypass parent-directory denylist checks, according to an explanatory paper. Researcher Chinmohan Nayak, who discovered the flaws, demonstrated in a report that a WhatsApp message could trigger host code execution without requiring a prior foothold.
Unlike previous vulnerabilities in the Claw Chain disclosed in May, these bugs do not need an attacker to already be inside the system. Nayak explained that the denylist blocks directories like “~/.ssh” but fails to block the parent directory “/home,” effectively allowing credential theft.
Mounting “/home” into a container exposes SSH keys, AWS credentials, and GPG secrets, while mounting “/var” grants access to the Docker socket, enabling full host escape. OpenClaw maintainers advised that “practical impact depends on the operator’s configuration and whether lower-trust input can reach that path.”
All three shortcomings have been addressed in OpenClaw version 2026.6.6. Users should enable sandbox mode for non-main sessions, remove “exec” from tool allowlists, and monitor for git clone commands using the “ext::” protocol helper. OpenClaw stated: “Before upgrading, restrict the affected feature to trusted operators or disable it when it is not needed.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
