Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws
Three high-severity vulnerabilities in OpenClaw allow attackers to bypass security controls, leading to credential theft, privilege escalation, and arbitrary code execution. The flaws include OS command injection due to incomplete input filtering and a path traversal vulnerability that enables sandbox escape via parent directory bypass. Exploitation chain allows remote code execution triggered by external messages (e.g., via WhatsApp) without requiring prior foothold. All issues were patched in
Analysis
TL;DR
- Three high-severity vulnerabilities in OpenClaw allow attackers to bypass security controls, leading to credential theft, privilege escalation, and arbitrary code execution.
- The flaws include OS command injection due to incomplete input filtering and a path traversal vulnerability that enables sandbox escape via parent directory bypass.
- Exploitation chain allows remote code execution triggered by external messages (e.g., via WhatsApp) without requiring prior foothold.
- All issues were patched in OpenClaw version 2026.6.6, with recommendations to enforce strict sandboxing and narrow tool allowlists.
Why It Matters
This incident highlights critical risks in integrating AI assistants with messaging platforms and host systems, demonstrating how seemingly isolated sandbox environments can be compromised through logic flaws in path validation. For AI practitioners and security teams, it underscores the necessity of rigorous input sanitization and defense-in-depth strategies when exposing AI tools to untrusted external inputs.
Technical Details
- Command Injection (CVSS 8.8): Two separate CVEs (GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm) stem from an incomplete denylist of disallowed inputs, allowing attackers to inject OS commands that execute beyond intended authorization levels.
- Path Traversal & Sandbox Escape (CVSS 8.4): GHSA-575v-8hfq-m3mc exploits a logic error where
getBlockedReasonForSourcePath()checks if a source is under a blocked path but fails to check if a blocked path is under the source. This allows mounting parent directories (e.g.,/homeor/var) to access sensitive files like SSH keys, AWS credentials, or the Docker socket. - Exploitation Vector: Security researcher Chinmohan Nayak demonstrated that these vulnerabilities can be chained to execute host code directly from a WhatsApp message, bypassing the need for initial access.
- Mitigation: Patching to version 2026.6.6 is required. Additional hardening includes enabling sandbox mode for non-main sessions, removing "exec" from tool allowlists for channel-facing agents, and monitoring for abuse of external protocol helpers like
ext::.
Industry Insight
- Zero-Trust for AI Agents: Developers must assume that any interface exposed to external channels (like WhatsApp) is potentially hostile. Strict isolation between user inputs and host execution environments is non-negotiable.
- Defense in Depth: Relying solely on denylists for security is insufficient. Implementing allowlists, validating path relationships bidirectionally, and minimizing the attack surface by disabling unnecessary features are essential practices.
- Supply Chain & Configuration Risks: The ease of escaping a sandbox via misconfigured bind mounts suggests that many AI applications may have similar latent vulnerabilities. Regular audits of container configurations and permission models are critical for securing AI deployments.
Disclaimer: The above content is generated by AI and is for reference only.