Ptechhub
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs
No Result
View All Result
PtechHub
No Result
View All Result

Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

The Hacker News by The Hacker News
July 10, 2026
Home Cybersecurity
Share on FacebookShare on Twitter


Ravie LakshmananJul 10, 2026AI Security / Vulnerability

Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host.

A brief description of the high-severity vulnerabilities is as follows –

  • GHSA-hjr6-g723-hmfm (CVSS score: 8.8) – An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller’s intended authorization.
  • GHSA-9969-8g9h-rxwm (CVSS score: 8.8) – An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller’s intended authorization.
  • GHSA-575v-8hfq-m3mc (CVSS score: 8.4) – A path traversal and link following vulnerability that could allow sandbox bind mounts to bypass parent-directory denylist checks and perform actions that should have been secured with stronger authorization or policy checks.

All three shortcomings have been addressed in OpenClaw version 2026.6.6.

In a series of advisories released last week, OpenClaw maintainers said “practical impact depends on the operator’s configuration and whether lower-trust input can reach that path.”

However, security researcher Chinmohan Nayak, who is credited with discovering and reporting the issues, said in a report shared with The Hacker News that they can be used to trigger host code execution from an external message sent via WhatsApp.

Unlike the Claw Chain vulnerabilities disclosed by Cyera back in May, the newly identified bugs do not require an attacker to establish a prior foothold in order to extract sensitive data, drop a persistent backdoor, obtain arbitrary remote code execution, and facilitate an escape to the host.

“`getBlockedReasonForSourcePath()` checks if the source path is under a blocked path,” the researcher explained about GHSA-575v-8hfq-m3mc. “But [it] never checks the reverse — whether a blocked path is under the source (parent directory bypass).”

Specifically, the bind mount denylist blocks directories like “~/.ssh,” “~/.aws,” and “~/.gnupg,” but allows mounting the parent directory “/home” or “/var,” effectively undermining the individual blocks.

“Mount /home into your container, and you can read every user’s SSH keys, AWS credentials, and GPG secrets,” Nayak said. “Mount /var and you get the Docker socket – which means full host escape from inside the ‘sandbox.'”

Besides updating OpenClaw to the latest version, it’s advised to enable sandbox mode for all non-main sessions, remove “exec” from the tool allowlist for channel-facing agents, and monitor for git clone commands containing the “ext::” external protocol helper that could be abused to run arbitrary system commands.

“Before upgrading, restrict the affected feature to trusted operators or disable it when it is not needed,” OpenClaw said. “As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.”



Source link

The Hacker News

The Hacker News

Next Post
Laser Attack Resets Tangem Wallet Passwords on Cards That Can’t Be Patched

Laser Attack Resets Tangem Wallet Passwords on Cards That Can't Be Patched

Recommended.

Dahua Technology veröffentlicht ESG-Bericht 2024: Wegweisende nachhaltige Innovation für eine intelligentere, grünere Zukunft

Dahua Technology veröffentlicht ESG-Bericht 2024: Wegweisende nachhaltige Innovation für eine intelligentere, grünere Zukunft

April 3, 2025
Blue Mantis Expands Into Full-Scale MSSP With Launch Of Mantis Protect Service

Blue Mantis Expands Into Full-Scale MSSP With Launch Of Mantis Protect Service

September 10, 2025

Trending.

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

Cloud Market Share Q1 2026: AWS, Microsoft, Google Battling In AI Era

May 4, 2026
AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

AWS Vs. Google Cloud Vs. Microsoft Azure Q1 Earnings Face-Off

May 1, 2026
AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

AWS Solution Provider Caylent Unveils Dedicated Anthropic Claude Unit

April 30, 2026
Google’s 0 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

Google’s $750 Million Partner Fund Targets AI Agent Era Channel Paradigm Shift

April 24, 2026
This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

This Scammer Used an AI-Generated MAGA Girl to Grift ‘Super Dumb’ Men

April 21, 2026

PTechHub

A tech news platform delivering fresh perspectives, critical insights, and in-depth reporting — beyond the buzz. We cover innovation, policy, and digital culture with clarity, independence, and a sharp editorial edge.

Follow Us

Industries

  • AI & ML
  • Cybersecurity
  • Enterprise IT
  • Finance
  • Telco

Navigation

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Subscribe to Our Newsletter

  • About
  • Advertise
  • Privacy & Policy
  • Contact

Copyright © 2025 | Powered By Porpholio

No Result
View All Result
  • News
  • Industries
    • Enterprise IT
    • AI & ML
    • Cybersecurity
    • Finance
    • Telco
  • Brand Hub
    • Lifesight
  • Blogs

Copyright © 2025 | Powered By Porpholio