"Mount /home into your container, and you can read every user's SSH keys, AWS credentials, and GPG secrets," Chinmohan Nayak said, bluntly summarizing the practical consequence of one of three recently patched flaws in the OpenClaw personal AI assistant.
The three vulnerabilities: GHSA-hjr6-g723-hmfm, GHSA-9969-8g9h-rxwm and GHSA-575v-8hfq-m3mc
OpenClaw maintainers and the researcher who reported the issues disclosed three high-severity bugs, all addressed in OpenClaw version 2026.6.6. Two of the flaws—GHSA-hjr6-g723-hmfm and GHSA-9969-8g9h-rxwm—carry CVSS scores of 8.8 and are described as operating system command injection issues caused by an incomplete list of disallowed inputs in the host execution environment filtering mechanism. Both could allow an actor to execute commands or persist actions beyond the caller's intended authorization.
The third flaw, GHSA-575v-8hfq-m3mc (CVSS 8.4), is a path traversal and link-following weakness. According to the researcher, the implementation of the bind-mount denylist fails to check whether a blocked path sits under the source path (a "parent directory bypass"). The denylist blocks directories such as "~/.ssh," "~/.aws," and "~/.gnupg," but permits mounting parent directories like "/home" or "/var," which undermines the intended restrictions.
Chinmohan Nayak's WhatsApp-to-host attack chain
In a report shared with The Hacker News, researcher Chinmohan Nayak said the three bugs can be used to trigger host code execution from an external message sent via WhatsApp. Nayak described how these issues could be chained to read sensitive material and reach the host: mounting /home exposes users' SSH keys, AWS credentials and GPG secrets; mounting /var exposes the Docker socket—“which means full host escape from inside the 'sandbox,'” the researcher wrote.
The report contrasts these flaws with the earlier Claw Chain disclosures from Cyera in May. Unlike that prior set, Nayak noted, the newly identified bugs "do not require an attacker to establish a prior foothold" in order to extract sensitive data, drop a persistent backdoor, obtain arbitrary remote code execution, and facilitate a host escape.
OpenClaw maintainers' guidance and the 2026.6.6 patch
All three shortcomings have been addressed in OpenClaw version 2026.6.6. The maintainers cautioned that the "practical impact depends on the operator's configuration and whether lower-trust input can reach that path." Their advisory includes both immediate and general hardening guidance.
They advised operators to restrict the affected feature to trusted operators or disable it when it is not needed prior to upgrading. Their broader hardening recommendations include keeping channel and tool allowlists narrow and avoiding sharing a single Gateway between mutually untrusted users.
Operational mitigations: sandbox mode, tool allowlists, and monitoring 'ext::' usage
Beyond installing the patch, Nayak and the maintainers recommended configuration changes to limit exposure. Specific, actionable measures listed in the advisories are:
- Enable sandbox mode for all non-main sessions to reduce the chance that lower-trust input can reach sensitive host paths.
- Remove "exec" from the tool allowlist for channel-facing agents to limit the surface for command injection.
- Monitor for git clone commands that use the "ext::" external protocol helper, which can be abused to run arbitrary system commands.
What this means for technologists, procurement leaders, and end users
- Technologists and security teams: Upgrade to OpenClaw 2026.6.6 and apply the suggested configuration hardening—enable sandbox mode for non-main sessions, remove "exec" from channel-facing tool allowlists, and instrument logs to detect git "ext::" usage.
- Procurement and operations leaders: Consider Gateway-sharing practices and restrict affected features to trusted operators before upgrading; keep channel and tool allowlists narrow to reduce blast radius.
- End users and administrators: Be aware that, according to the researcher, an external WhatsApp message can—under vulnerable configurations—trigger host code execution; prioritize vendor patches and follow the maintainers' guidance about disabling features when not required.
The technical record in this case is direct: three high-severity OpenClaw flaws, now patched in 2026.6.6, can be chained—per the researcher—to move from an external WhatsApp message to host-level code execution when operator configurations allow lower-trust inputs to reach sensitive paths. The immediate, concrete next step is straightforward and verifiable: install the 2026.6.6 update and apply the maintainers' configuration guidance to narrow the avenues an attacker could exploit.




