Security researcher Chinmohan Nayak has detailed a WhatsApp-to-host attack chain leveraging three now-patched vulnerabilities in the OpenClaw personal AI assistant. The flaws, if exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host system.
The vulnerabilities include two OS command injection issues (GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm, both CVSS 8.8) and a path traversal flaw (GHSA-575v-8hfq-m3mc, CVSS 8.4). The path traversal bug allows sandbox bind mounts to bypass parent-directory denylist checks, potentially exposing sensitive directories like ~/.ssh, ~/.aws, and ~/.gnupg. By mounting /home or /var, an attacker could read SSH keys, AWS credentials, GPG secrets, or the Docker socket for full host escape.
All three issues were addressed in OpenClaw version 2026.6.6. Nayak demonstrated that an external WhatsApp message could trigger host code execution without requiring prior foothold, unlike the earlier Claw Chain vulnerabilities. Mitigations include enabling sandbox mode, removing ‘exec’ from tool allowlists, and monitoring for git clone commands with the ‘ext::’ protocol helper.
CVEs: CVE-2026-55200, CVE-2026-46817
Attack groups: Mustang Panda, Turla
Malware: BlueHammer Ransomware, RustDuck Botnet
Companies: OpenClaw, Cyera, Microsoft, Oracle, Apple, Google, Amazon, OpenAI, FBI, SANS
Products: OpenClaw, WhatsApp, Chrome, Linux Kernel, Amazon Q Developer, GPT-5.6 Sol, Signal, libssh2, Edge, Zoho WorkDrive, Oracle E-Business Suite, AirDrop
Certifications: GCIH
Training: SANS SEC504
Events: SANS Virginia Beach
Original source: thehackernews.com