Three high-severity OpenClaw vulnerabilities highlight emerging AI agent security risks
Three high-severity vulnerabilities were discovered and patched in the OpenClaw AI assistant, affecting its host execution environment. These flaws include operating system command injection and path traversal issues that could allow unauthorized code execution, privilege escalation, and credential theft. The vulnerabilities were demonstrated to enable host code execution triggered by an external WhatsApp message under documented deployment configurations. The issues have been addressed in OpenClaw version 2026.6.6. Mitigations include updating to the patched version, enabling sandbox mode for non-main sessions, restricting tool allowlists, and limiting feature exposure to trusted operators.
AI Analysis
Technical Summary
Three high-severity vulnerabilities in OpenClaw were disclosed, involving OS command injection with incomplete input filtering (GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm, CVSS 8.8 each) and a path traversal with bind mount bypass of directory denylist checks (GHSA-575v-8hfq-m3mc, CVSS 8.4). These flaws could allow attackers to execute arbitrary code on the host, escalate privileges, and steal credentials by bypassing sandbox restrictions. The path traversal vulnerability allows mounting parent directories like /home or /var, exposing sensitive files and Docker socket access. The vulnerabilities were exploited via AI agent workflows, including WhatsApp messages triggering host code execution. All issues are fixed in OpenClaw 2026.6.6. Operators are advised to restrict affected features, enable sandboxing, and narrow tool allowlists to reduce risk.
Potential Impact
Successful exploitation could lead to arbitrary code execution on the host system, privilege escalation, and theft of sensitive credentials such as SSH keys, AWS credentials, and GPG secrets. The path traversal vulnerability enables sandbox escape by mounting sensitive directories, potentially exposing the Docker socket and allowing full host compromise. The vulnerabilities do not require prior foothold and can be triggered remotely via external messages (e.g., WhatsApp).
Mitigation Recommendations
A fixed version of OpenClaw (2026.6.6) is available and should be applied promptly. Operators should enable sandbox mode for all non-main sessions, remove 'exec' from tool allowlists for channel-facing agents, and monitor for suspicious git clone commands using external protocol helpers. Before upgrading, restrict affected features to trusted operators or disable them if not needed. General hardening includes narrowing channel and tool allowlists and avoiding sharing gateways between untrusted users.
Three high-severity OpenClaw vulnerabilities highlight emerging AI agent security risks
Description
Three high-severity vulnerabilities were discovered and patched in the OpenClaw AI assistant, affecting its host execution environment. These flaws include operating system command injection and path traversal issues that could allow unauthorized code execution, privilege escalation, and credential theft. The vulnerabilities were demonstrated to enable host code execution triggered by an external WhatsApp message under documented deployment configurations. The issues have been addressed in OpenClaw version 2026.6.6. Mitigations include updating to the patched version, enabling sandbox mode for non-main sessions, restricting tool allowlists, and limiting feature exposure to trusted operators.
Reddit Discussion
I recently disclosed three high-severity vulnerabilities affecting OpenClaw that have now been patched in version 2026.6.6.
The research looks at different parts of an AI agent execution workflow, including environment variable handling, Git operations, and container isolation. One of the demonstrations shows how, under the documented deployment configuration, a seemingly legitimate WhatsApp message can ultimately lead to host-side code execution.
The goal wasn't just to find bugs, but to better understand how AI agents behave as they're given access to developer tools, messaging platforms, repositories, and local execution environments.
The research was published today by The Hacker News:
https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html
I also published a technical deep dive covering the attack scenarios, root causes, and mitigations:
GitHub Security Advisories:
Links cited in this discussion
- https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html
- https://medium.com/@chinmohannayak/i-sent-a-whatsapp-message-to-an-ai-agent-it-ran-my-code…
- https://github.com/openclaw/openclaw/security/advisories/GHSA-hjr6-g723-hmfm
- https://github.com/openclaw/openclaw/security/advisories/GHSA-9969-8g9h-rxwm
- https://github.com/openclaw/openclaw/security/advisories/GHSA-575v-8hfq-m3mc
Affected software
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Three high-severity vulnerabilities in OpenClaw were disclosed, involving OS command injection with incomplete input filtering (GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm, CVSS 8.8 each) and a path traversal with bind mount bypass of directory denylist checks (GHSA-575v-8hfq-m3mc, CVSS 8.4). These flaws could allow attackers to execute arbitrary code on the host, escalate privileges, and steal credentials by bypassing sandbox restrictions. The path traversal vulnerability allows mounting parent directories like /home or /var, exposing sensitive files and Docker socket access. The vulnerabilities were exploited via AI agent workflows, including WhatsApp messages triggering host code execution. All issues are fixed in OpenClaw 2026.6.6. Operators are advised to restrict affected features, enable sandboxing, and narrow tool allowlists to reduce risk.
Potential Impact
Successful exploitation could lead to arbitrary code execution on the host system, privilege escalation, and theft of sensitive credentials such as SSH keys, AWS credentials, and GPG secrets. The path traversal vulnerability enables sandbox escape by mounting sensitive directories, potentially exposing the Docker socket and allowing full host compromise. The vulnerabilities do not require prior foothold and can be triggered remotely via external messages (e.g., WhatsApp).
Mitigation Recommendations
A fixed version of OpenClaw (2026.6.6) is available and should be applied promptly. Operators should enable sandbox mode for all non-main sessions, remove 'exec' from tool allowlists for channel-facing agents, and monitor for suspicious git clone commands using external protocol helpers. Before upgrading, restrict affected features to trusted operators or disable them if not needed. General hardening includes narrowing channel and tool allowlists and avoiding sharing gateways between untrusted users.
Technical Details
- Source Type
- Subreddit
- cybersecurity
- Reddit Score
- 0
- Discussion Level
- minimal
- Content Source
- reddit_link_post
- Post Type
- link
- Domain
- null
- Newsworthiness Assessment
- {"score":35,"reasons":["external_link","established_author","recent_news"],"isNewsworthy":true,"foundNewsworthy":[],"foundNonNewsworthy":[]}
- Has External Source
- true
- Trusted Domain
- false
Threat ID: 6a51373568715ace43f94ebe
Added to database: 07/10/2026, 18:17:25 UTC
Last enriched: 07/10/2026, 18:17:32 UTC
Last updated: 07/10/2026, 20:07:21 UTC
Views: 156
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.