Three Critical Vulnerabilities in OpenClaw AI Assistant Patched
OpenClaw, the popular personal artificial intelligence (AI) assistant, has patched three high-severity security flaws that could have enabled credential theft, privilege escalation, and arbitrary code execution on the host system. The vulnerabilities, now fixed in OpenClaw version 2026.6.6, were disclosed by security researcher Chinmohan Nayak and could be exploited via external messages sent through WhatsApp.
Details of the Vulnerabilities
-
GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm (CVSS score: 8.8)
- Both vulnerabilities involve operating system command injection and incomplete list of disallowed inputs, impacting the host execution environment filtering mechanism. These flaws could allow attackers to execute or persist actions beyond the caller's intended authorization.
-
GHSA-575v-8hfq-m3mc (CVSS score: 8.4)
- This vulnerability is a path traversal and link-following issue that could allow sandbox bind mounts to bypass parent-directory denylist checks. This could enable actions that should have been secured with stronger authorization or policy checks.
Researcher's Findings
Chinmohan Nayak, the researcher who discovered and reported the vulnerabilities, noted that these flaws could be exploited to trigger host code execution from an external message sent via WhatsApp. Unlike previous vulnerabilities disclosed in May, these bugs do not require an attacker to establish a prior foothold to extract sensitive data, drop a persistent backdoor, or achieve arbitrary remote code execution and host escape.
Technical Explanation
The getBlockedReasonForSourcePath() function was found to lack checks for whether a blocked path is under the source, allowing a parent directory bypass. For instance, while directories like ~/.ssh, ~/.aws, and ~/.gnupg are blocked, mounting the parent directory /home or /var could expose sensitive data. This could lead to full host escape from inside the sandbox.
Mitigation Recommendations
OpenClaw has advised users to update to the latest version (2026.6.6) and take additional precautions:
- Enable sandbox mode for all non-main sessions.
- Remove
execfrom the tool allowlist for channel-facing agents. - Monitor for suspicious
git clonecommands containing theext::protocol helper. - Restrict affected features to trusted operators or disable them when not needed.
Conclusion
The patching of these vulnerabilities is critical for users of OpenClaw AI assistant to prevent potential exploitation. By following OpenClaw's recommendations and updating to the latest version, users can mitigate the risk of credential theft, privilege escalation, and arbitrary code execution.