Full Report
Details have emerged about three now-patched security flaws in the OpenClaw personal artificial intelligence (AI) assistant that, if successfully exploited, could enable credential theft, privilege escalation, and arbitrary code execution on the host. A brief description of the high-severity vulnerabilities is as follows - GHSA-hjr6-g723-hmfm (CVSS score: 8.8) - An operating system
Analysis Summary
This summary deconstructs the security advisories related to the OpenClaw personal AI assistant as reported in the provided article.
# Vulnerability: Multiple Flaws in OpenClaw AI Assistant
## CVE Details
- **CVE ID:** GHSA-hjr6-g723-hmfm / GHSA-9969-8g9h-rxwm / GHSA-575v-8hfq-m3mc
- **CVSS Score:** 8.8 (High) for Command Injection; 8.4 (High) for Path Traversal
- **CWE:** CWE-78 (OS Command Injection), CWE-22 (Path Traversal), CWE-59 (Link Following)
## Affected Systems
- **Products:** OpenClaw Personal AI Assistant
- **Versions:** All versions prior to 2026.6.6
- **Configurations:** Systems where the AI assistant has access to host execution environments or where "bind mounts" are utilized for sandboxing. Impact is higher when channel-facing agents (e.g., messaging integrations) are active.
## Vulnerability Description
The vulnerabilities consist of two primary classes of flaws:
1. **Command Injection (GHSA-hjr6-g723-hmfm & GHSA-9969-8g9h-rxwm):** These stem from an incomplete list of disallowed inputs in the filtering mechanism for the host execution environment. Attackers can bypass filters to execute arbitrary OS commands beyond the intended scope.
2. **Path Traversal/Sandbox Escape (GHSA-575v-8hfq-m3mc):** The `getBlockedReasonForSourcePath()` function fails to check if a blocked path resides under a requested source path (parent directory bypass). While specific sensitive directories like `~/.ssh` are blocked, an attacker can mount a parent directory (like `/home` or `/var`), thereby gaining access to all subdirectories and sensitive files, including Docker sockets and SSH keys.
## Exploitation
- **Status:** PoC described by researchers; reported as potentially triggerable via external messages (e.g., WhatsApp).
- **Complexity:** Low to Medium (depends on the specific agent configuration).
- **Attack Vector:** Network (Remote).
## Impact
- **Confidentiality:** High (Access to SSH keys, AWS credentials, and GPG secrets).
- **Integrity:** High (Arbitrary code execution and potential for persistent backdoors).
- **Availability:** High (Potential for full host takeover via Docker socket escape).
## Remediation
### Patches
- **Update to OpenClaw version 2026.6.6** or later immediately.
### Workarounds
- **Restrict Features:** Limit affected features to trusted operators only or disable them entirely if not needed.
- **Enable Sandbox Mode:** Enforce sandbox mode for all non-main sessions.
- **Narrow Allowlists:** Reduce the items in the "tool allowlist" for channel-facing agents; specifically, remove the `exec` tool.
- **Gateway Separation:** Avoid sharing a single Gateway between mutually untrusted users.
## Detection
- **Command Monitoring:** Scan logs for `git clone` commands containing the `ext::` external protocol helper.
- **Mount Auditing:** Monitor for unusual bind mount requests targeting parent directories like `/home`, `/var`, or `/root`.
- **Input Validation:** Implement monitoring for high-risk strings in messaging inputs that target system execution functions.
## References
- **Vendor Advisory (GHSA-hjr6-g723-hmfm):** hxxps://github[.]com/openclaw/openclaw/security/advisories/GHSA-hjr6-g723-hmfm
- **Vendor Advisory (GHSA-9969-8g9h-rxwm):** hxxps://github[.]com/openclaw/openclaw/security/advisories/GHSA-9969-8g9h-rxwm
- **Vendor Advisory (GHSA-575v-8hfq-m3mc):** hxxps://github[.]com/openclaw/openclaw/security/advisories/GHSA-575v-8hfq-m3mc
- **Researcher Repository:** hxxps://github[.]com/jgamblin/OpenClawCVEs/