Three high-severity flaws in the open-source AI coding assistant OpenClaw can be chained so that a single WhatsApp message leads to credential theft, privilege escalation, arbitrary code execution, and escape from the tool's Docker-based sandbox to the host. Researcher Chinmohan Nayak showed that attacker-crafted prompts disguised as normal debugging requests could exploit unsafe handling of untrusted input in OpenClaw 2026.6.1, including an environment-variable filter bypass, command execution via Git's ext:: transport helper, and a parent-directory bypass in sandbox bind mounts.
The sandbox bypass could expose sensitive material such as SSH keys, AWS credentials, GPG secrets, and even the Docker socket, enabling broader compromise without any prior foothold on the target system. The issues are tracked as GHSA-hjr6-g723-hmfm, GHSA-9969-8g9h-rxwm, and GHSA-575v-8hfq-m3mc, and were fixed in OpenClaw 2026.6.6; users were urged to upgrade, enable sandbox mode for non-main sessions, restrict exec in tool allowlists, watch for malicious git clone activity involving the ext:: protocol, limit direct-message pairing from untrusted numbers, and rotate credentials if exposure is suspected.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
2 events from the most recent confirmed update back to the earliest known activity.
The three disclosed vulnerabilities, tracked as GHSA-hjr6-g723-hmfm, GHSA-9969-8g9h-rxwm, and GHSA-575v-8hfq-m3mc, were fixed in OpenClaw version 2026.6.6. OpenClaw advised users to upgrade and apply mitigations such as enabling sandbox mode for non-main sessions and restricting exec in tool allowlists.
Researcher Chinmohan Nayak detailed three high-severity vulnerabilities in OpenClaw that can be chained from a single WhatsApp message to achieve credential theft, privilege escalation, arbitrary code execution, and host escape. The issues affect OpenClaw 2026.6.1 and include an environment variable filter bypass, Git ext:: transport command execution, and a sandbox parent-directory bypass.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
3 references tracked. Mallory keeps watching after this page renders.
cybersecuritynews.com
Open sourcethehackernews.com
Open sourcemedium.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.