AntiMalwareJuly 13, 2026🇷🇺Translated from Russian

OpenClaw AI Assistant Compromised via WhatsApp: Three Critical Vulnerabilities Allowed Credential Theft, Sandbox Escape, and Arbitrary Code Execution on Host

Security researchers have disclosed three serious vulnerabilities in OpenClaw that could allow attackers to steal credentials, escalate privileges, and execute arbitrary code on systems running the AI assistant. The flaws affected both home users and corporate deployments, highlighting risks associated with insufficient input validation and sandbox isolation in AI tooling.

Command Filtering Failures (CVSS 8.8)

Two of the vulnerabilities received a CVSS score of 8.8. They were caused by incomplete command filtering mechanisms that did not block all malicious inputs. As a result, an attacker could inject system commands into contexts where they should have been prohibited, enabling unauthorized actions ranging from data exfiltration to privilege escalation.

Sandbox Bypass via Directory Mounting (CVSS 8.4)

The third vulnerability, rated 8.4, allowed attackers to circumvent sandbox restrictions by mounting parent directories. Although OpenClaw blocked direct access to sensitive folders such as ~/.ssh, ~/.aws, and ~/.gnupg, it could still permit mounting of the entire /home directory. This effectively placed SSH keys, cloud tokens, and GPG secrets directly accessible to the attacker.

Further escalation was possible through the /var directory, which could grant access to the Docker socket and enable escape from the sandbox directly onto the host system. Researcher Chinmohan Nayak demonstrated that the attack could be initiated remotely via an external message sent through WhatsApp (owned by Meta, designated as extremist and banned in Russia) without requiring any prior foothold on the target machine.

Impact and Recommendations

In the worst-case scenario, an attacker could exfiltrate sensitive data, establish persistence, and execute arbitrary code on the victim’s machine. Developers addressed all three issues in OpenClaw 2026.6.6. Users are strongly advised to:

  • Update to the latest version immediately
  • Enable sandboxing for all secondary sessions
  • Remove exec from the list of allowed tools
  • Narrow the list of trusted communication channels to the minimum necessary

These measures significantly reduce the attack surface and help prevent similar exploitation attempts in the future.