Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws 5%

By The Hacker News37%

7/12/2026, 1:11:41 PM

BS Summary: This article contains 2 faulty reasoning types, including Attempt to Sell a Product or Service, with Indoctrination as the most egregious example at 13% saturation with 109 hits. Analysis detected 144 faulty-reasoning hits from 840 analyzed words, generating a BS Score of 21% and a BS Rank of 5% (14,296 of 15,051 articles). This article is better (less manipulative) than 95.00% of the article peer group.

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws 
 Ravie Lakshmanan  Jul 10, 2026 AI Security / Vulnerability 
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. 
A brief description of the high-severity vulnerabilities is as follows - 
GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. 
GHSA-9969-8g9h-rxwm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization. 
GHSA-575v-8hfq-m3mc (CVSS score: 8.4) - A path traversal and link following vulnerability that could allow sandbox bind mounts to bypass parent-directory denylist checks and perform actions that should have been secured with stronger authorization or policy checks. 
All three shortcomings have been addressed in OpenClaw version 2026.6.6. 
In a series of advisories released last week, OpenClaw maintainers said "practical impact depends on the operator's configuration and whether lower-trust input can reach that path." 
However, security researcher Chinmohan Nayak, who is credited with discovering and reporting the issues, said in a report shared with The Hacker News that they can be used to trigger host code execution from an external message sent via WhatsApp. 
Unlike the Claw Chain vulnerabilities disclosed by Cyera back in May, the newly identified bugs do not require an attacker to establish a prior foothold in order to extract sensitive data, drop a persistent backdoor, obtain arbitrary remote code execution, and facilitate an escape to the host. 
"`getBlockedReasonForSourcePath()` checks if the source path is under a blocked path," the researcher explained about GHSA-575v-8hfq-m3mc. 
"But [it] never checks the reverse  whether a blocked path is under the source (parent directory bypass)." 
Specifically, the bind mount denylist blocks directories like "~/.ssh," "~/.aws," and "~/.gnupg,” but allows mounting the parent directory "/home" or "/var," effectively undermining the individual blocks. 
"Mount /home into your container, and you can read every user's SSH keys, AWS credentials, and GPG secrets," Nayak said. 
"Mount /var and you get the Docker socket  which means full host escape from inside the 'sandbox.'" 
Besides updating OpenClaw to the latest version, it's advised to enable sandbox mode for all non-main sessions, remove "exec" from the tool allowlist for channel-facing agents, and monitor for git clone commands containing the "ext::" external protocol helper that could be abused to run arbitrary system commands. 
"Before upgrading, restrict the affected feature to trusted operators or disable it when it is not needed," OpenClaw said. 
"As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed." 
Found this article interesting? 
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post. 
AI Security , Application Security , Code Execution , Container Security , Messaging Security , Open Source , privilege escalation , Sandbox Escape , Vulnerability 
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems 
BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA 
Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker 
Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots 
RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service 
15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros 
GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code 
New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware 
GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents 
Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It 
Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images 
ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories 
Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs 
Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets 
Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers 
New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions 
Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices 
New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android 
Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices 
European Parliament Member Investigating Spyware Was Hacked With Pegasus 
 Featured Resources 
What 200+ Security Teams Reveal About Using IP Intelligence in 2026 
Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges 
See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets 
Get Gartner’s Guide to AI Agent Supervision and Runtime Controls 
Confirmation Bias
0%
Anchoring Bias
0%
Availability Heuristic
0%
Representativeness Heuristic
0%
Hindsight Bias
0%
Overconfidence Bias
0%
Framing Effect
0%
Loss Aversion
0%
Status Quo Bias
0%
Sunk Cost Effect
0%
Optimism Bias
0%
Pessimism Bias
0%
Negativity Bias
0%
Self-Serving Bias
0%
Fundamental Attribution Error
0%
Actor-Observer Bias
0%
In-Group Bias
0%
Out-Group Homogeneity Bias
0%
Halo Effect
0%
Horn Effect
0%
Dunning-Kruger Effect
0%
Recency Bias
0%
Primacy Effect
0%
Blind-Spot Bias
0%
Ad Hominem
0%
Straw Man
0%
Appeal to Authority
0%
False Dilemma
0%
Slippery Slope
0%
Circular Reasoning
0%
Hasty Generalization
0%
Red Herring
0%
Bandwagon
0%
Appeal to Emotion
0%
Begging the Question
0%
Post Hoc (False Cause)
0%
Tu Quoque
0%
Burden of Proof
0%
Appeal to Nature
0%
Composition/Division
0%
Anecdotal
0%
No True Scotsman
0%
Ambiguity (Equivocation)
0%
Gambler’s Fallacy
0%
Middle Ground
0%
Personal Incredulity
0%
Special Pleading
0%
Genetic Fallacy
0%
Unattributed Quote
0%
Quote-first Misdirection
0%
Biased Writer Voice
0%
Indoctrination
13%
Politically Left Leaning Bias
0%
Politically Right Leaning Bias
0%
Attempt to Sell a Product or Service
4.2%

840 words analyzed.

Speakers

2speakers22%attributed speech656writer words
Voice mapSelect a segment to jump to its words
Selected voice

OpenClaw

64%flagged-word coverage
72 attributed words39% of attributed speech15% writer coverage
Indoctrination+54.3 pts
Writer 9.6%OpenClaw 64%
Attempt to Sell a Product or Service-5.3 pts
Writer 5.3%OpenClaw 0%

Attribution is sentence-level. Pattern percentages are calculated only from words assigned to that voice.

Analysis

Hover over highlighted words in the article to view the associated bias or fallacy analysis.