Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Three high-severity OpenClaw vulnerabilities highlight emerging AI agent security risks

0
High
Security-newscybersecurityreddit
Published: 07/10/2026 (07/10/2026, 17:02:43 UTC)
Source: Reddit Cybersecurity

Description

Three high-severity vulnerabilities were discovered and patched in the OpenClaw AI assistant, affecting its host execution environment. These flaws include operating system command injection and path traversal issues that could allow unauthorized code execution, privilege escalation, and credential theft. The vulnerabilities were demonstrated to enable host code execution triggered by an external WhatsApp message under documented deployment configurations. The issues have been addressed in OpenClaw version 2026.6.6. Mitigations include updating to the patched version, enabling sandbox mode for non-main sessions, restricting tool allowlists, and limiting feature exposure to trusted operators.

Reddit Discussion

r/cybersecurity·posted by u/Lazy_Curve3899
00

I recently disclosed three high-severity vulnerabilities affecting OpenClaw that have now been patched in version 2026.6.6.

The research looks at different parts of an AI agent execution workflow, including environment variable handling, Git operations, and container isolation. One of the demonstrations shows how, under the documented deployment configuration, a seemingly legitimate WhatsApp message can ultimately lead to host-side code execution.

The goal wasn't just to find bugs, but to better understand how AI agents behave as they're given access to developer tools, messaging platforms, repositories, and local execution environments.

The research was published today by The Hacker News:

https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html

I also published a technical deep dive covering the attack scenarios, root causes, and mitigations:

https://medium.com/@chinmohannayak/i-sent-a-whatsapp-message-to-an-ai-agent-it-ran-my-code-on-the-host-adbbcbb0e0ad

GitHub Security Advisories:

Affected software

Affected versions
<2026.6.6

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/10/2026, 18:17:32 UTC

Technical Analysis

Three high-severity vulnerabilities in OpenClaw were disclosed, involving OS command injection with incomplete input filtering (GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm, CVSS 8.8 each) and a path traversal with bind mount bypass of directory denylist checks (GHSA-575v-8hfq-m3mc, CVSS 8.4). These flaws could allow attackers to execute arbitrary code on the host, escalate privileges, and steal credentials by bypassing sandbox restrictions. The path traversal vulnerability allows mounting parent directories like /home or /var, exposing sensitive files and Docker socket access. The vulnerabilities were exploited via AI agent workflows, including WhatsApp messages triggering host code execution. All issues are fixed in OpenClaw 2026.6.6. Operators are advised to restrict affected features, enable sandboxing, and narrow tool allowlists to reduce risk.

Potential Impact

Successful exploitation could lead to arbitrary code execution on the host system, privilege escalation, and theft of sensitive credentials such as SSH keys, AWS credentials, and GPG secrets. The path traversal vulnerability enables sandbox escape by mounting sensitive directories, potentially exposing the Docker socket and allowing full host compromise. The vulnerabilities do not require prior foothold and can be triggered remotely via external messages (e.g., WhatsApp).

Mitigation Recommendations

A fixed version of OpenClaw (2026.6.6) is available and should be applied promptly. Operators should enable sandbox mode for all non-main sessions, remove 'exec' from tool allowlists for channel-facing agents, and monitor for suspicious git clone commands using external protocol helpers. Before upgrading, restrict affected features to trusted operators or disable them if not needed. General hardening includes narrowing channel and tool allowlists and avoiding sharing gateways between untrusted users.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Technical Details

Source Type
reddit
Subreddit
cybersecurity
Reddit Score
0
Discussion Level
minimal
Content Source
reddit_link_post
Post Type
link
Domain
null
Newsworthiness Assessment
{"score":35,"reasons":["external_link","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
Has External Source
true
Trusted Domain
false

Threat ID: 6a51373568715ace43f94ebe

Added to database: 07/10/2026, 18:17:25 UTC

Last enriched: 07/10/2026, 18:17:32 UTC

Last updated: 07/10/2026, 20:07:21 UTC

Views: 156

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses