Critical Flaws in OpenClaw AI Assistant Exposed: Remote Code Execution via WhatsApp
Three high-severity vulnerabilities in the **OpenClaw** personal AI assistant have been disclosed, potentially allowing for credential theft, privilege escalation, and arbitrary code execution. These flaws, now patched in version 2026.6.6, could be exploited remotely, even through external messages like those sent via **WhatsApp**.
Details have emerged about three now-patched security flaws in the **OpenClaw** personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host.
A brief description of the high-severity vulnerabilities is as follows:
* **GHSA-hjr6-g723-hmfm** (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization.
* **GHSA-9969-8g9h-rxwm** (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization.
* **GHSA-575v-8hfq-m3mc** (CVSS score: 8.4) - A path traversal and link following vulnerability that could allow sandbox bind mounts to bypass parent-directory denylist checks and perform actions that should have been secured with stronger authorization or policy checks.
All three shortcomings have been addressed in **OpenClaw** version 2026.6.6.

In a series of advisories released last week, **OpenClaw** maintainers said "practical impact depends on the operator's configuration and whether lower-trust input can reach that path."
However, security researcher **Chinmohan Nayak**, who is credited with discovering and reporting the issues, said in a report that they can be used to trigger host code execution from an external message sent via **WhatsApp**.

Unlike the **Claw Chain** vulnerabilities disclosed by **Cyera** back in May, the newly identified bugs do not require an attacker to establish a prior foothold in order to extract sensitive data, drop a persistent backdoor, obtain arbitrary remote code execution, and facilitate an escape to the host.
"`getBlockedReasonForSourcePath()` checks if the source path is under a blocked path," the researcher explained about **GHSA-575v-8hfq-m3mc**. "But [it] never checks the reverse β whether a blocked path is under the source (parent directory bypass)."
Specifically, the bind mount denylist blocks directories like `~/.ssh`, `~/.aws`, and `~/.gnupg`, but allows mounting the parent directory `/home` or `/var`, effectively undermining the individual blocks.
"Mount `/home` into your container, and you can read every user's SSH keys, AWS credentials, and GPG secrets," **Nayak** said. "Mount `/var` and you get the Docker socket β which means full host escape from inside the 'sandbox.'"
Besides updating **OpenClaw** to the latest version, it's advised to enable sandbox mode for all non-main sessions, remove "exec" from the tool allowlist for channel-facing agents, and monitor for git clone commands containing the `ext::` external protocol helper that could be abused to run arbitrary system commands.
"Before upgrading, restrict the affected feature to trusted operators or disable it when it is not needed," **OpenClaw** said. "As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed."