Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws
Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws
https://thehackernews.com/2026/07/researcher-details-whatsapp-to-host.html
Publish Date: 2026-07-10 10:19:00
Source Domain: thehackernews.com
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host.
A brief description of the high-severity vulnerabilities is as follows –
- GHSA-hjr6-g723-hmfm (CVSS score: 8.8) – An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller’s intended authorization.
- GHSA-9969-8g9h-rxwm (CVSS score: 8.8) – An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller’s intended authorization.
- GHSA-575v-8hfq-m3mc (CVSS score: 8.4) – A path traversal and link following vulnerability that could allow sandbox bind mounts to bypass parent-directory denylist checks and perform actions that should have been secured with stronger authorization or policy checks.
All three shortcomings have been addressed in OpenClaw version 2026.6.6.

In a series of advisories released last week, OpenClaw maintainers said “practical impact depends on the operator’s configuration and whether lower-trust input can reach that path.”
However, security researcher Chinmohan Nayak, who is credited with discovering and reporting the issues, said in a report shared with The Hacker News that they can be used to trigger host code execution from an external message sent via WhatsApp.

Unlike the Claw Chain vulnerabilities disclosed by Cyera back in May, the newly identified bugs do not require an attacker to establish a prior foothold in order to extract sensitive data, drop a persistent backdoor, obtain arbitrary remote…