Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons

Social Media

Hackers News Hackers News
  • CyberSecurity News
  • Threats
  • Attacks
  • Vulnerabilities
  • Breaches
  • Comparisons
Search the Site
Popular Searches:
technology Amazon AI
Recent Posts
Top 10 Unified Threat Management Solutions for 2026
July 11, 2026
Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
July 11, 2026
Progress Urges ShareFile Server Shutdown Over Critical Vulnerability
July 11, 2026
Home/CyberSecurity News/Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message
CyberSecurity News

Critical OpenClaw Vulnerability Lets Attackers Hijack WhatsApp Via One Message

Key Takeaways Three high-severity vulnerabilities in the OpenClaw AI coding assistant allow for remote code execution (RCE) via a single WhatsApp message. The flaws, affecting OpenClaw version...

Jennifer sherman
Jennifer sherman
July 11, 2026 4 Min Read
2 0

Key Takeaways

  • Three high-severity vulnerabilities in the OpenClaw AI coding assistant allow for remote code execution (RCE) via a single WhatsApp message.
  • The flaws, affecting OpenClaw version 2026.6.1, stem from how the AI agent processes untrusted input and manages execution capabilities.
  • A patch is available in OpenClaw version 2026.6.6 or later, and immediate upgrades are strongly recommended for affected administrators.

Three critical vulnerabilities have been identified in OpenClaw, the popular open-source AI coding assistant, enabling attackers to achieve remote code execution (RCE) on affected systems. These high-severity flaws can be exploited through a single malicious WhatsApp message, highlighting significant security risks in AI agents that interact with external messaging platforms.

Table Of Content

  • Key Takeaways
  • Understanding the OpenClaw Vulnerabilities
  • Environment Variable Filter Bypass (GHSA-hjr6-g723-hmfm)
  • Git ext:: Transport RCE (GHSA-9969-8g9h-rxwm)
  • Sandbox Parent-Directory Bypass (GHSA-575v-8hfq-m3mc)
  • What You Should Do

The vulnerabilities, which have been confirmed on OpenClaw version 2026.6.1, expose a fundamental weakness in how AI agents handle and sanitize untrusted input originating from various messaging channels. OpenClaw, with its impressive 381,000 GitHub stars and over 100,000 daily active users, functions as a self-hosted AI assistant that integrates with platforms like WhatsApp, Slack, Discord, Telegram, and Teams. Users can interact with it via text messages to request coding tasks, much like communicating with a colleague.

The core functionality of OpenClaw — its ability to write code, execute shell commands, and manage files — ironically also forms the basis of its primary security liability, as researchers discovered.

Understanding the OpenClaw Vulnerabilities

The identified issues comprise three distinct high-severity vulnerabilities:

Environment Variable Filter Bypass (GHSA-hjr6-g723-hmfm)

Rated with a CVSS score of 8.8, this flaw exists within OpenClaw’s sanitizeEnvVars() function. While designed to block credential-like variables, it overlooks 12 critical interpreter startup variables, including NODE_OPTIONS, BASH_ENV, and PYTHONSTARTUP. This oversight permits attackers to inject arbitrary code that executes prior to the intended target script, effectively bypassing security controls.

Git ext:: Transport RCE (GHSA-9969-8g9h-rxwm)

Also carrying a CVSS score of 8.8, this vulnerability leverages the Git ext:: transport mechanism. Although typically disabled by default, this transport can be re-enabled by injecting −cprotocol.ext.allow=always into a git clone command. This allows for the execution of arbitrary shell commands, often disguised as routine CI debugging tasks.

Sandbox Parent-Directory Bypass (GHSA-575v-8hfq-m3mc)

With a CVSS score of 8.4, this vulnerability affects OpenClaw’s Docker sandbox. The sandbox aims to prevent the mounting of sensitive paths such as ~/.ssh or ~/.aws. However, the implemented check only scrutinizes paths *within* blocked directories, not directories that *contain* them. Consequently, mounting a parent directory like /home or /var can inadvertently expose all user SSH keys and even the Docker socket, potentially leading to a full host escape.

Security researcher Chinmohan Nayak demonstrated the exploit chain by sending a WhatsApp message crafted to appear as a standard debugging request. The message, phrased as “I am debugging a Node.js memory leak in production, please run these commands…”, successfully smuggled a malicious script via the NODE_OPTIONS environment variable. This script then executed with complete filesystem access before the legitimate command. The AI model powering the test agent, Claude Sonnet 4, processed the request without suspicion, formatted the output, and even offered further assistance.

A subsequent test, utilizing the Git ext:: trick and framed as an attempt to reproduce a CI pipeline error, yielded similar results, with the AI agent executing the commands without question. Interestingly, overtly malicious payloads, such as piped curl-to-bash commands, were refused approximately 40% of the time. However, identical payloads, when embedded within a plausible developer context, consistently succeeded in every new session tested.

Researchers emphasized that the core problem is not a flaw in Claude Sonnet 4’s safety training, but rather an inherent limitation: the AI model struggles to differentiate between a legitimate developer’s request and an identically phrased malicious one from an attacker. This issue is compounded by session memory; while a model might become suspicious and refuse a payload within an ongoing conversation, a new session resets its trust level, granting attackers unlimited retry attempts.

What You Should Do

Administrators operating OpenClaw instances must take immediate action to mitigate these critical vulnerabilities:

  • Upgrade Immediately: Update OpenClaw to version 2026.6.6 or later, which includes patches for all three identified vulnerabilities.
  • Review Tool Allowlists: Remove exec from the tool allowlist, especially for untrusted communication channels, unless it is absolutely essential for operational requirements.
  • Enable Sandbox Mode: Implement and enable sandbox mode for all non-primary sessions to contain potential exploits.
  • Restrict DM Pairing Policies: Configure direct message (DM) pairing policies to prevent untrusted phone numbers or users from reaching the AI agent.
  • Rotate Credentials: If your OpenClaw instance was publicly accessible prior to applying the patches, rotate all associated credentials as a precautionary measure.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.

Tags:

AttackExploitPatchVulnerability

Share Article

Jennifer sherman

Jennifer sherman

Jennifer is a cybersecurity news reporter covering data breaches, ransomware campaigns, and dark web markets. With a background in incident response, Jennifer provides unique insights into how organizations respond to cyber attacks and the evolving tactics of threat actors. Her reporting has covered major breaches affecting millions of users and has helped organizations understand emerging threats. Jennifer combines technical knowledge with investigative journalism to deliver in-depth coverage of cybersecurity incidents.

Previous Post

Progress Urges ShareFile Server Shutdown Over Critical Vulnerability

Next Post

Top 10 Unified Threat Management Solutions for 2026

No Comment! Be the first one.

Leave a Reply Cancel reply

Your email address will not be published. Required fields are marked *

Popular Posts
Critical GNU Guix Vulnerabilities Let Attackers Elevate Privileges
July 10, 2026
Critical Windows Shortcut Vulnerability Allows Remote Code Execution
July 10, 2026
RoguePlanet Defender Patch (CVE-2023-XXXX) Exposes Data, Exhausts Disk Space
July 10, 2026
Top Authors
Marcus Rodriguez
Marcus Rodriguez
Jennifer sherman
Jennifer sherman
Emy Elsamnoudy
Emy Elsamnoudy
Let's Connect
156k
2.25m
285k

Related Posts

Jennifer sherman
By Jennifer sherman
Threats

GlassWorm Attacks macOS via Malicious VS Code…

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Attacks

ClickFix Attack Hides Malicious Code via Stegan Security

January 1, 2026
Sarah simpson
By Sarah simpson
Vulnerabilities

MongoBleed Detector Tool Released to Detect MongoDB Vulnerability(CVE-2025-14847)

January 1, 2026
Emy Elsamnoudy
By Emy Elsamnoudy
Breaches

Conti Ransomware Gang Leaders & Infrastructure Exposed

January 1, 2026
Hackers News Hackers News
  • [email protected]

Quick Links

  • Contact Us
  • Privacy Policy
  • Terms of service

Categories

Attacks
Breaches
Comparisons
CyberSecurity News
Threats
Vulnerabilities

Let's keep in touch

receive fresh updates and breaking cyber news every day and week!

All Rights Reserved by HackersRadar ©2026

Follow Us