← All stories
● Covered by 1 source Β· 1 reportHigh impact

WhatsApp-to-Host Attack Chain Exploits Three Vulnerabilities in OpenClaw

Aggregated by BrevFeed security Β· updated 23h ago
πŸ”– Save

Three patched vulnerabilities in OpenClaw could enable attacks via WhatsApp, leading to credential theft and arbitrary code execution. Security researcher Chinmohan Nayak detailed these vulnerabilities, which don't require prior access for exploitation, raising concerns about configuration and security practices.

Key points

Vulnerabilities Overview

The vulnerabilities affecting OpenClaw are significant due to their ability to allow credential theft, privilege escalation, and arbitrary code execution.

The identified issues are GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm, both with a CVSS score of 8.8, and GHSA-575v-8hfq-m3mc with a CVSS score of 8.4.

Details of the Vulnerabilities

The first two vulnerabilities involve operating system command injections that could impact the host execution environment, allowing unauthorized actions.

The third vulnerability allows path traversal, enabling sandbox bind mounts to bypass security mechanisms meant to protect sensitive directories.

Research Findings

Chinmohan Nayak, who discovered these issues, explained they enable host code execution triggered by an external message via WhatsApp.

These vulnerabilities do not require an attacker to gain initial access, making them particularly concerning.

Configuration Implications

OpenClaw maintainers indicated the practical impact of these vulnerabilities depends on the operator's configuration.

Security settings that allow lower-trust input to affect critical paths can increase the risk of exploitation.

Importance of Patching

OpenClaw has addressed these vulnerabilities in version 2026.6.6, highlighting the necessity for timely updates and patches in software security.

Organizations using OpenClaw should ensure they are on the latest version to mitigate these risks.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors β€” check the original sources. How BrevFeed works β†’

Primary sources

GitHub jgamblin/OpenClawCVEs GitHub openclaw/openclaw arXiv 2603.27517 CVE CVE-2026-552008.1 HIGH CVE CVE-2026-468179.8 CRITICAL

Reporting from

Three patched vulnerabilities in OpenClaw could enable attacks via WhatsApp, leading to credential theft and arbitrary code execution. Security researcher Chinmohan Nayak detailed these vulnerabilities, which don't require prior access for exploitation, raising concerns about configuration and security practices.