Researcher Reveals WhatsApp To Host Attack Chain Exploiting Three OpenClaw Vulnerabilities

Researcher Reveals WhatsApp To Host Attack Chain Exploiting Three OpenClaw Vulnerabilities

A security researcher has disclosed details about three recently patched vulnerabilities in the OpenClaw personal artificial intelligence assistant that could be chained together to enable credential theft, privilege escalation, and arbitrary code execution on a host system. The flaws, which have now been addressed in OpenClaw version 2026.6.6, were discovered by researcher Chinmohan Nayak and have been assigned high severity ratings. According to the findings, the vulnerabilities can potentially be exploited through an external message delivered via WhatsApp, creating an attack path that allows malicious actors to compromise host systems without requiring prior access.

The vulnerabilities include two command injection issues tracked as GHSA hjr6 g723 hmfm and GHSA 9969 8g9h rxwm, both carrying CVSS scores of 8.8. These flaws impact the host execution environment filtering mechanism and could allow attackers to execute commands or establish persistence beyond intended authorization boundaries. A third vulnerability, tracked as GHSA 575v 8hfq m3mc and assigned a CVSS score of 8.4, involves path traversal and link following weaknesses that can bypass sandbox restrictions and perform actions that should otherwise require stronger authorization controls. OpenClaw maintainers previously noted that the practical impact of these issues depends on how the software is configured and whether lower trust inputs can reach vulnerable components. However, Nayak’s research suggests that the vulnerabilities can be chained in a way that enables direct exploitation through external communication channels.

According to the researcher, the path traversal issue stems from the way OpenClaw verifies blocked source paths. The affected function checks whether a source path falls under a blocked directory but fails to determine whether a blocked path exists within a mounted parent directory. This weakness enables attackers to bypass restrictions designed to protect sensitive directories such as SSH keys, AWS credentials, and GPG secrets. By mounting broader directories such as home or var into the container environment, an attacker could potentially gain access to sensitive data and even obtain full host escape capabilities through access to resources such as the Docker socket. The researcher noted that these newly identified vulnerabilities differ from the Claw Chain issues disclosed by Cyera in May because they do not require attackers to first establish a foothold on the target system before stealing data, installing persistent backdoors, or executing arbitrary code.

OpenClaw has advised users to upgrade immediately to version 2026.6.6 to address the vulnerabilities and reduce the risk of exploitation. The project maintainers also recommended enabling sandbox mode for all non primary sessions, removing the exec capability from tool allowlists for externally facing agents, and monitoring systems for git clone commands containing the ext protocol helper, which could be misused to execute system commands. Additional hardening recommendations include restricting access to affected features to trusted operators, limiting channel and tool allowlists, avoiding the use of a shared gateway among mutually untrusted users, and disabling vulnerable features when they are not required. The findings underscore the growing focus on securing AI powered assistants and their interaction with host systems as these platforms increasingly gain access to sensitive data and system level functionality.

Follow the SPIN IDG WhatsApp Channel for updates across the Smart Pakistan Insights Network covering all of Pakistan’s technology ecosystem.

Source

Post Comment