OpenClaw Flaws Let a WhatsApp Message Trigger Remote Code Execution
Three high-severity vulnerabilities in OpenClaw could allow a malicious WhatsApp message to trigger code execution on the system hosting the AI assistant.
Security researcher Chinmohan Nayak demonstrated the attack against OpenClaw 2026.6.1. However, exploitation requires a vulnerable configuration in which messages from a lower-trust source can reach powerful tools such as host command execution, Git operations or Docker sandbox mounts.
Access content across the globe at the highest speed rate.
70% of our readers choose Private Internet Access
70% of our readers choose ExpressVPN
Browse the web from multiple devices with industry-standard security protocols.
Faster dedicated servers for specific actions (currently at summer discounts)
OpenClaw fixed all three vulnerabilities in version 2026.6.6. Administrators using version 2026.6.1 or earlier should upgrade and review which messaging accounts can communicate with their agents.
How the WhatsApp attack reaches the OpenClaw host
OpenClaw is a self-hosted personal AI assistant that can connect language models to messaging platforms, files and local system tools. Its WhatsApp integration allows users to send instructions to an agent through a linked WhatsApp account.
Depending on its configuration, the agent may write files, run shell commands, clone repositories or manage development workflows. These capabilities make OpenClaw useful, but they can also create a path from an untrusted message to sensitive host operations.
Nayak showed that an attacker could disguise malicious instructions as a routine debugging request. The AI model could interpret the message as a legitimate task and invoke an affected OpenClaw tool without recognizing the senderโs hostile intent.
- An attacker sends a convincing technical request through WhatsApp.
- The OpenClaw agent processes the message as a normal instruction.
- The agent calls an enabled command, Git or sandbox tool.
- A vulnerable validation check fails to block the malicious input.
- Attacker-controlled code runs with the permissions available to OpenClaw.
The attack does not mean that any WhatsApp user can automatically compromise every OpenClaw installation. OpenClaw uses pairing for unknown direct-message senders by default, according to its WhatsApp channel documentation. Operators can also restrict access to approved phone numbers.
Three vulnerabilities expose different security boundaries
The attack chain involves three separate vulnerabilities affecting environment-variable filtering, Git command handling and Docker sandbox mounts.
OpenClaw maintainers rated two of the flaws at 8.8 on the CVSS scale. The third received a score of 8.4. All three advisories state that practical impact depends on the operatorโs configuration and whether lower-trust input can reach the vulnerable feature.
| Advisory | Security issue | CVSS score | Affected versions | Patched version |
|---|---|---|---|---|
| GHSA-hjr6-g723-hmfm | Interpreter startup environment-variable bypass | 8.8 | 2026.6.1 and earlier | 2026.6.6 |
| GHSA-9969-8g9h-rxwm | Git ext transport command execution | 8.8 | 2026.6.1 and earlier | 2026.6.6 |
| GHSA-575v-8hfq-m3mc | Sandbox bind-mount parent-directory bypass | 8.4 | 2026.6.1 and earlier | 2026.6.6 |
Environment-variable filtering could be bypassed
The first vulnerability, tracked as GHSA-hjr6-g723-hmfm, affected the way OpenClaw filtered environment variables before running commands on the host.
OpenClaw attempted to remove sensitive or dangerous variables, but the filter did not cover every interpreter startup option. Variables such as NODE_OPTIONS, BASH_ENV and PYTHONSTARTUP can cause an interpreter or shell to load attacker-controlled code before running the intended command.
The official OpenClaw advisory says a lower-trust caller could execute or persist actions beyond the authorization intended by the operator when the affected host execution feature was enabled and reachable.
Nayak demonstrated the issue using a WhatsApp message framed as a request to diagnose a Node.js memory problem. The malicious instructions used an interpreter startup variable to load code before the requested debugging command ran.
The flaw did not rely only on persuading the language model to write obviously malicious shell commands. Instead, it abused a trusted execution feature after the agent accepted a plausible technical task.
OpenClaw addressed the incomplete filtering in version 2026.6.6. The environment-variable advisory recommends disabling the feature when it is unnecessary and restricting it to trusted operators.
Git ext transport enabled another command-execution path
The second vulnerability, GHSA-9969-8g9h-rxwm, involved Gitโs ext transport helper. Git disables this transport in common configurations because it can start external commands rather than retrieve a repository through a normal network protocol.
An attacker could place a configuration option inside a Git clone request that re-enabled the ext transport. A prompt describing the command as part of a continuous integration or debugging task could convince the agent to run it.
According to the Git transport security advisory, lower-trust input could use the affected execution path to perform actions outside the callerโs intended authorization.
- The attacker presents the command as a normal repository or CI troubleshooting request.
- The agent creates a Git clone command using attacker-controlled arguments.
- A command-line option enables the Git ext transport.
- Git launches the attacker-supplied command on the OpenClaw host.
The vulnerability shows why command allowlists must inspect complete argument structures rather than approving a tool only because its executable name appears safe.

OpenClaw fixed the issue in version 2026.6.6. Its GHSA-9969-8g9h-rxwm notice also advises operators to keep channel and tool allowlists narrow.
Sandbox mount checks could expose sensitive host files
The third vulnerability affected bind mounts used by OpenClawโs Docker sandbox. Bind mounts allow a container to access a file or directory from the host system.
OpenClaw blocked direct mounts of sensitive locations such as SSH, AWS and GPG credential directories. However, the validation logic did not properly reject a parent directory containing one of those blocked paths.
As the sandbox bind-mount advisory explains, an attacker could request a broader path such as a home directory and indirectly expose protected subdirectories.
| Exposed location | Potential impact |
|---|---|
| User home directories | Access to SSH keys, configuration files and application secrets |
| AWS configuration directories | Possible exposure of cloud credentials and profiles |
| GPG directories | Possible access to encryption keys and trust databases |
| Docker socket | Potential container escape and control of the host Docker service |
Access to the Docker socket can be especially dangerous. A process controlling that socket may create privileged containers, mount host directories and gain broad control over the underlying system.
Version 2026.6.6 added stronger validation for parent directories. The OpenClaw sandbox advisory recommends upgrading and disabling the affected mount feature when operators do not need it.
The language model can mistake malicious prompts for legitimate work
The tests also highlighted a wider problem for tool-enabled AI agents. A language model may struggle to distinguish between a real developer request and an attacker presenting the same instructions with convincing context.
Nayak reportedly found that direct commands involving obvious download-and-execute behavior sometimes triggered model refusals. Similar payloads became more reliable when presented as ordinary debugging or CI troubleshooting tasks.
This behavior does not make the model itself a software vulnerability. The security failure occurs when a system treats the modelโs interpretation as sufficient authorization for a sensitive host action.
A report on Nayakโs research said the demonstrated attack could lead to credential theft, persistent access, host code execution and escape from the Docker sandbox.
Session behavior may also affect how agents respond. A model that rejected a suspicious instruction earlier in a conversation may treat later requests more cautiously, while a fresh session lacks that previous context.
The WhatsApp-to-host attack analysis stresses that the flaws required vulnerable features to be enabled and reachable from lower-trust messages.
How OpenClaw administrators can reduce the risk
Administrators should first update OpenClaw to version 2026.6.6 or a later supported release. Updating closes the three disclosed vulnerabilities, but operators should also reduce the authority available to agents connected to messaging platforms.
- Upgrade every OpenClaw instance running version 2026.6.1 or earlier.
- Remove host execution tools from agents that process untrusted messages.
- Enable sandboxing for sessions that do not require direct host access.
- Restrict WhatsApp direct messages to paired or allowlisted numbers.
- Avoid sharing one OpenClaw gateway between mutually untrusted users.
- Review logs for unusual Git commands, environment variables and bind mounts.
- Rotate credentials if an exposed agent could access sensitive host directories.
Operators should treat WhatsApp, Slack, Discord, Telegram and similar services as untrusted input channels unless every sender has been verified. A trusted messaging application does not make every message safe.

The safest configuration gives each agent only the tools and files needed for its task. High-risk capabilities such as shell execution, unrestricted file access and Docker control should remain unavailable to public or broadly accessible messaging sessions.
FAQ
No. The demonstrated attack requires a vulnerable OpenClaw version and a configuration that lets lower-trust WhatsApp messages reach affected execution, Git or sandbox features.
The three advisories list OpenClaw 2026.6.1 and earlier as affected. OpenClaw fixed the vulnerabilities in version 2026.6.6.
Depending on the configuration, attackers may execute commands, read sensitive files, steal credentials, create persistent access or escape from a Docker sandbox to the host system.
Administrators should update to version 2026.6.6 or later, restrict messaging access, remove unnecessary execution tools, enable sandboxing and rotate credentials when compromise may have occurred.
OpenClaw documents pairing as the default policy for unknown WhatsApp direct-message senders. Operators can strengthen access further by using an allowlist of approved phone numbers.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
User forum
0 messages