Three critical security vulnerabilities have been discovered and patched in the OpenClaw personal artificial intelligence (AI) assistant. These flaws, rated as high-severity, could have allowed attackers to steal credentials, escalate their privileges, and even execute arbitrary code on the host system. The patches are now available in OpenClaw version 2026.6.6.
The vulnerabilities, tracked as GHSA-hjr6-g723-hmfm, GHSA-9969-8g9h-rxwm, and GHSA-575v-8hfq-m3mc, were identified by security researcher Chinmohan Nayak. While OpenClaw maintainers stated that the practical impact depends on the operator’s configuration, Nayak has demonstrated that they can be exploited through external messages, such as those sent via WhatsApp, to trigger host code execution.
OpenClaw Security Flaws and Their Implications
The most severe of the vulnerabilities, GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm, both carry a CVSS score of 8.8. These are described as operating system command injection flaws stemming from an incomplete list of disallowed inputs within the mechanism designed to filter access to the host execution environment. Successful exploitation of these particular OpenClaw security flaws could permit an attacker to execute commands or establish persistent actions beyond the authorization granted to the user or process attempting the action.
A separate vulnerability, GHSA-575v-8hfq-m3mc, with a CVSS score of 8.4, involves a path traversal and link following issue. This could allow attackers to circumvent directory restrictions through sandbox bind mounts. The vulnerability exploits a flaw where the system checks if a source path is under a blocked directory, but not the reverse – whether a blocked directory is under the source path. This failure in authorization or policy checks could lead to unauthorized operations.
Exploitation Pathways and Potential Damage
Security researcher Chinmohan Nayak detailed how these vulnerabilities could be weaponized. For the path traversal flaw (GHSA-575v-8hfq-m3mc), Nayak explained that while the `getBlockedReasonForSourcePath()` function checks if a source path is within a disallowed directory, it fails to verify if a disallowed directory is itself a parent of the source. This means that if a bind mount is performed on a parent directory while individual sub-directories are blocked, the blocks can be rendered ineffective.
For instance, bind mounts could be configured to allow access to directories like “~/.ssh,” “~/.aws,” and “~/.gnupg” by mounting their parent directories, such as “/home” or “/var.” Nayak stated that mounting “/home” could grant access to sensitive user data, including SSH keys, AWS credentials, and GPG secrets. Furthermore, mounting “/var” could expose the Docker socket, potentially enabling a full host escape from within the supposedly sandboxed environment.
This differs from previous Claw Chain vulnerabilities, where attackers typically needed an initial foothold. These newly identified bugs offer a more direct path for attackers to exfiltrate sensitive data, deploy persistent backdoors, achieve arbitrary remote code execution, and gain unauthorized access to the host system. The implications for users and organizations relying on OpenClaw for AI-assisted tasks are significant.
Mitigation Strategies and Future Outlook
OpenClaw maintainers recommend several measures to mitigate these risks beyond simply updating to version 2026.6.6. It is advised to enable sandbox mode for all non-main sessions. Additionally, security teams should remove “exec” from the tool allowlist for channel-facing agents. Monitoring for Git clone commands that include the “ext::” external protocol helper is also crucial, as this can be exploited to execute arbitrary system commands.
Before applying updates, OpenClaw advises restricting the affected feature to trusted operators or disabling it entirely if it is not in use. Broader security hardening recommendations include maintaining narrow channel and tool allowlists, avoiding shared Gateways between users with differing trust levels, and disabling vulnerable features when they are not required. The ongoing focus on AI security highlights the need for continuous vigilance and proactive patching of emerging vulnerabilities in AI systems.

