The Hacker News22%
Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws 5%
By The Hacker News37%
7/12/2026, 1:11:41 PM
BS Summary: This article contains 2 faulty reasoning types, including Attempt to Sell a Product or Service, with Indoctrination as the most egregious example at 13% saturation with 109 hits. Analysis detected 144 faulty-reasoning hits from 840 analyzed words, generating a BS Score of 21% and a BS Rank of 5% (14,296 of 15,051 articles). This article is better (less manipulative) than 95.00% of the article peer group.
Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws
Ravie Lakshmanan Jul 10, 2026 AI Security / Vulnerability
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host.
A brief description of the high-severity vulnerabilities is as follows -
GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization.
GHSA-9969-8g9h-rxwm (CVSS score: 8.8) - An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller's intended authorization.
GHSA-575v-8hfq-m3mc (CVSS score: 8.4) - A path traversal and link following vulnerability that could allow sandbox bind mounts to bypass parent-directory denylist checks and perform actions that should have been secured with stronger authorization or policy checks.
All three shortcomings have been addressed in OpenClaw version 2026.6.6.
In a series of advisories released last week, OpenClaw maintainers said "practical impact depends on the operator's configuration and whether lower-trust input can reach that path."
However, security researcher Chinmohan Nayak, who is credited with discovering and reporting the issues, said in a report shared with The Hacker News that they can be used to trigger host code execution from an external message sent via WhatsApp.
Unlike the Claw Chain vulnerabilities disclosed by Cyera back in May, the newly identified bugs do not require an attacker to establish a prior foothold in order to extract sensitive data, drop a persistent backdoor, obtain arbitrary remote code execution, and facilitate an escape to the host.
"`getBlockedReasonForSourcePath()` checks if the source path is under a blocked path," the researcher explained about GHSA-575v-8hfq-m3mc.
"But [it] never checks the reverse — whether a blocked path is under the source (parent directory bypass)."
Specifically, the bind mount denylist blocks directories like "~/.ssh," "~/.aws," and "~/.gnupg,” but allows mounting the parent directory "/home" or "/var," effectively undermining the individual blocks.
"Mount /home into your container, and you can read every user's SSH keys, AWS credentials, and GPG secrets," Nayak said.
"Mount /var and you get the Docker socket – which means full host escape from inside the 'sandbox.'"
Besides updating OpenClaw to the latest version, it's advised to enable sandbox mode for all non-main sessions, remove "exec" from the tool allowlist for channel-facing agents, and monitor for git clone commands containing the "ext::" external protocol helper that could be abused to run arbitrary system commands.
"Before upgrading, restrict the affected feature to trusted operators or disable it when it is not needed," OpenClaw said.
"As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed."
Found this article interesting?
Follow us on Google News , Twitter and LinkedIn to read more exclusive content we post.
AI Security , Application Security , Code Execution , Container Security , Messaging Security , Open Source , privilege escalation , Sandbox Escape , Vulnerability
16-Year-Old Linux KVM Flaw Lets Guest VMs Escape to Host on Intel and AMD x86 Systems
BeyondTrust Patches Critical Auth Bypass Flaws in Remote Support and PRA
Court Filing Reveals Windows Device ID Helped FBI Trace Alleged Scattered Spider Hacker
Rogue Agent Flaw Could Have Let Attackers Hijack Google Dialogflow CX Chatbots
RedWing MaaS Packages Android Bank Fraud as a Telegram Rental Service
15-Year-Old GhostLock Flaw Enables Root and Container Escape on Most Linux Distros
GitHub Copilot Refuses Harmful Requests in Chat, Then Writes Them in Code
New HalluSquatting Attack Could Trick AI Coding Assistants Into Installing Botnet Malware
GhostApproval Symlink Flaws Could Let Malicious Repos Run Code in AI Coding Agents
Top AI Agents Built to Catch Malicious Code Can Be Tricked Into Running It
Meta's New AI Image Tool Lets Others Use Your Public Instagram Photos in AI Images
ThreatsDay: Cloud Bucket Hijacking, Windows LPE Chain, Global Fraud Bust + 17 More Stories
Dormant GitHub Accounts Help Attackers Blend In While Mapping Corporate Orgs
Attackers Exploit 'Ill Bloom' Vulnerability to Drain Over $5 Million From Cryptocurrency Wallets
Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers
New TrojPix Attack Leaks Data From Air-Gapped Systems via Video Cable Emissions
Unpatched Flaws Disclosed in Filesystem Bundled Into Millions of Embedded Devices
New "Bad Epoll" Linux Kernel Flaw Lets Unprivileged Users Gain Root, Hits Android
Google Disrupts NetNut Residential Proxy Network Spanning 2 Million Home Devices
European Parliament Member Investigating Spyware Was Hacked With Pegasus
⭐ Featured Resources
What 200+ Security Teams Reveal About Using IP Intelligence in 2026
Get Hands-On SANS Training for Today’s Cyber Defense and Offensive Security Challenges
See What’s Really Exposed Across Your IT, OT, IoT, Cloud, and Mobile Assets
Get Gartner’s Guide to AI Agent Supervision and Runtime Controls
Speakers
2speakers22%attributed speech656writer words
Voice mapSelect a segment to jump to its words
Selected voice
64%flagged-word coverageOpenClaw
72 attributed words39% of attributed speech15% writer coverage
Indoctrination+54.3 pts
Writer 9.6%OpenClaw 64%
Attempt to Sell a Product or Service-5.3 pts
Writer 5.3%OpenClaw 0%
Attribution is sentence-level. Pattern percentages are calculated only from words assigned to that voice.
Analysis
Hover over highlighted words in the article to view the associated bias or fallacy analysis.