Close Menu
    What's Hot

    Opinion | Why Democrats Are Tripping All Over Themselves

    Trump Administration Fires Members of Independent Election Group

    Trump Says He Won’t Sign Housing Bill, in Protest Over Stalled Voting Measure

    Facebook X (Twitter) Instagram
    Trending
    • Opinion | Why Democrats Are Tripping All Over Themselves
    • Trump Administration Fires Members of Independent Election Group
    • Trump Says He Won’t Sign Housing Bill, in Protest Over Stalled Voting Measure
    • Opinion | This Is a Lot More Worrying Than the Supreme Court’s Ruling on Executive Power
    • Two Days of U.S. Strikes in Iran Signal a Sharp Escalation
    • Volkswagen Is Cutting Production as Sales in China Plunge
    • How Volkswagen’s Troubles Were Made in China
    • Shein wins Chinese approval for long-awaited IPO
    interluknewsinterluknews
    • Home
    • Business
      • Corporate News
      • Industry Insights
      • Startups & Entrepreneurship
      • Technology & Innovation
    • Economy
      • Economic Policy
      • Financial Analysis
      • Inflation & Interest Rates
      • Trade & Markets
    • Global
      • Conflicts & Security
      • Diplomacy
      • Global Trends
      • International Affairs
    • Lifestyle
      • Fashion
      • Food & Dining
      • Personal Development
      • Travel
    • Opinion
      • Columns
      • Editorials
      • Expert Opinions
      • Reader Voices
    • More
      • Politics
        • Elections
        • Government & Policy
        • International Relations
        • Political Analysis
      • Sports
        • Cricket
        • Football / Soccer
        • International Sports
        • Local Sports
      • Technology
        • Artificial Intelligence
        • Cybersecurity
        • Gadgets & Reviews
        • Tech News
      • South Africa News
    Facebook X (Twitter) Instagram
    interluknewsinterluknews
    Cybersecurity

    Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

    adminBy adminJuly 10, 2026No Comments3 Mins Read
    Share Facebook Twitter Pinterest Copy Link Telegram LinkedIn Tumblr Email
    Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws
    Share
    Facebook Twitter LinkedIn Pinterest Email

    Ravie LakshmananJul 10, 2026AI Security / Vulnerability

    Researcher Details WhatsApp-to-Host Attack Chain Using Three OpenClaw Flaws

    Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host.

    A brief description of the high-severity vulnerabilities is as follows –

    • GHSA-hjr6-g723-hmfm (CVSS score: 8.8) – An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller’s intended authorization.
    • GHSA-9969-8g9h-rxwm (CVSS score: 8.8) – An operating system command injection and an incomplete list of disallowed inputs vulnerability impacting the host execution environment filtering mechanism that could allow for executing or persist actions beyond the caller’s intended authorization.
    • GHSA-575v-8hfq-m3mc (CVSS score: 8.4) – A path traversal and link following vulnerability that could allow sandbox bind mounts to bypass parent-directory denylist checks and perform actions that should have been secured with stronger authorization or policy checks.

    All three shortcomings have been addressed in OpenClaw version 2026.6.6.

    In a series of advisories released last week, OpenClaw maintainers said “practical impact depends on the operator’s configuration and whether lower-trust input can reach that path.”

    However, security researcher Chinmohan Nayak, who is credited with discovering and reporting the issues, said in a report shared with The Hacker News that they can be used to trigger host code execution from an external message sent via WhatsApp.

    Unlike the Claw Chain vulnerabilities disclosed by Cyera back in May, the newly identified bugs do not require an attacker to establish a prior foothold in order to extract sensitive data, drop a persistent backdoor, obtain arbitrary remote code execution, and facilitate an escape to the host.

    “`getBlockedReasonForSourcePath()` checks if the source path is under a blocked path,” the researcher explained about GHSA-575v-8hfq-m3mc. “But [it] never checks the reverse — whether a blocked path is under the source (parent directory bypass).”

    Cybersecurity

    Specifically, the bind mount denylist blocks directories like “~/.ssh,” “~/.aws,” and “~/.gnupg,” but allows mounting the parent directory “/home” or “/var,” effectively undermining the individual blocks.

    “Mount /home into your container, and you can read every user’s SSH keys, AWS credentials, and GPG secrets,” Nayak said. “Mount /var and you get the Docker socket – which means full host escape from inside the ‘sandbox.'”

    Besides updating OpenClaw to the latest version, it’s advised to enable sandbox mode for all non-main sessions, remove “exec” from the tool allowlist for channel-facing agents, and monitor for git clone commands containing the “ext::” external protocol helper that could be abused to run arbitrary system commands.

    “Before upgrading, restrict the affected feature to trusted operators or disable it when it is not needed,” OpenClaw said. “As general hardening, keep channel and tool allowlists narrow, avoid sharing one Gateway between mutually untrusted users, and disable the affected feature when it is not needed.”

    attack Chain Details Flaws OpenClaw researcher WhatsApptoHost
    Follow on Google News Follow on Flipboard
    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
    Previous ArticleNew Google Wallet Opt-In Takes Hassle Out of TSA PreCheck…
    Next Article Liverpool latest: Michael Edwards leaves as chief executive officer of football for Fenway Sports Group | Football News
    admin
    • Website

    Related Posts

    Ukrainian court detains alleged killers of Monaco bomb attack suspect | Crime News

    July 10, 2026

    Unpatched XRING Flaw in XQUIC Lets Remote Clients Crash HTTP/3 Servers

    July 10, 2026

    Attackers Exploit ‘Ill Bloom’ Vulnerability to Drain $3.1 Million From Cryptocurrency Wallets

    July 10, 2026
    Leave A Reply Cancel Reply

    Demo
    Latest Posts

    Opinion | Why Democrats Are Tripping All Over Themselves

    Trump Administration Fires Members of Independent Election Group

    Trump Says He Won’t Sign Housing Bill, in Protest Over Stalled Voting Measure

    Opinion | This Is a Lot More Worrying Than the Supreme Court’s Ruling on Executive Power

    Latest Posts

    Subscribe to News

    Get the latest sports news from NewsSite about world, sports and politics.

    Advertisement
    Demo

    We are a digital news platform delivering timely, accurate, and insightful coverage of politics, global affairs, business, economy, sports, and more. Our mission is to keep readers informed with reliable news, clear analysis, and stories that truly matter.
    We're social. Connect with us:

    Facebook X (Twitter) Instagram Pinterest YouTube

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Type above and press Enter to search. Press Esc to cancel.

    Powered by
    ...
    ►
    Necessary cookies enable essential site features like secure log-ins and consent preference adjustments. They do not store personal data.
    None
    ►
    Functional cookies support features like content sharing on social media, collecting feedback, and enabling third-party tools.
    None
    ►
    Analytical cookies track visitor interactions, providing insights on metrics like visitor count, bounce rate, and traffic sources.
    None
    ►
    Advertisement cookies deliver personalized ads based on your previous visits and analyze the effectiveness of ad campaigns.
    None
    ►
    Unclassified cookies are cookies that we are in the process of classifying, together with the providers of individual cookies.
    None
    Powered by