News

Three Critical Vulnerabilities in OpenClaw AI Assistant Patched

OpenClaw AI assistant patched three high-severity flaws enabling credential theft, privilege escalation, and arbitrary code execution.

OpenClaw addressed three critical vulnerabilities in its AI assistant, which could have allowed attackers to execute malicious actions via WhatsApp messages. The flaws included command injection, path traversal, and incomplete filtering mechanisms.

Three Critical Vulnerabilities in OpenClaw AI Assistant Patched

OpenClaw, the popular personal artificial intelligence (AI) assistant, has patched three high-severity security flaws that could have enabled credential theft, privilege escalation, and arbitrary code execution on the host system. The vulnerabilities, now fixed in OpenClaw version 2026.6.6, were disclosed by security researcher Chinmohan Nayak and could be exploited via external messages sent through WhatsApp.

Details of the Vulnerabilities

  1. GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm (CVSS score: 8.8)

    • Both vulnerabilities involve operating system command injection and incomplete list of disallowed inputs, impacting the host execution environment filtering mechanism. These flaws could allow attackers to execute or persist actions beyond the caller's intended authorization.
  2. GHSA-575v-8hfq-m3mc (CVSS score: 8.4)

    • This vulnerability is a path traversal and link-following issue that could allow sandbox bind mounts to bypass parent-directory denylist checks. This could enable actions that should have been secured with stronger authorization or policy checks.

Researcher's Findings

Chinmohan Nayak, the researcher who discovered and reported the vulnerabilities, noted that these flaws could be exploited to trigger host code execution from an external message sent via WhatsApp. Unlike previous vulnerabilities disclosed in May, these bugs do not require an attacker to establish a prior foothold to extract sensitive data, drop a persistent backdoor, or achieve arbitrary remote code execution and host escape.

Technical Explanation

The getBlockedReasonForSourcePath() function was found to lack checks for whether a blocked path is under the source, allowing a parent directory bypass. For instance, while directories like ~/.ssh, ~/.aws, and ~/.gnupg are blocked, mounting the parent directory /home or /var could expose sensitive data. This could lead to full host escape from inside the sandbox.

Mitigation Recommendations

OpenClaw has advised users to update to the latest version (2026.6.6) and take additional precautions:

  • Enable sandbox mode for all non-main sessions.
  • Remove exec from the tool allowlist for channel-facing agents.
  • Monitor for suspicious git clone commands containing the ext:: protocol helper.
  • Restrict affected features to trusted operators or disable them when not needed.

Conclusion

The patching of these vulnerabilities is critical for users of OpenClaw AI assistant to prevent potential exploitation. By following OpenClaw's recommendations and updating to the latest version, users can mitigate the risk of credential theft, privilege escalation, and arbitrary code execution.