Find notable cyber news and cases, enriched with sources, timelines, and signals.

OpenClaw command-injection, path-traversal, and link-following flaws (multiple vulnerabilities)

Vulnerability
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

OpenClaw now has three patched high-severity vulnerabilities that can lead to credential theft, privilege escalation, and arbitrary code execution on the host. The set includes two command-injection flaws and one path traversal/link-following bug, with fixes in version 2026.6.6. A researcher said the issues can be triggered from an external WhatsApp message when lower-trust input reaches the affected paths.

Related Happenings

OpenClaw message-object prompt injection patched in 2026.4.23 security flaw

Vulnerability
H score15 First: 11.06.2026 20:46 Last: 11.06.2026 20:46 Sources 1

About this happening: **OpenClaw** has a patched **message-object prompt injection flaw** that let hidden instructions inside **shared contacts, vCards, and location pins** reach the LLM as trusted pro...

OpenClaw/OpenShell managed sandbox backend Claw Chain (multiple vulnerabilities)

Vulnerability
H score31 First: 15.05.2026 16:35 Last: 15.05.2026 16:35 Sources 1

About this happening: Researchers disclosed **four OpenClaw flaws** in the **OpenShell managed sandbox backend** that can be chained for **data theft**, **privilege escalation**, and **persistence**. T...

OpenClaw ClawJacked localhost WebSocket brute-force security flaw

Vulnerability
H score37 First: 01.03.2026 23:44 Last: 01.03.2026 23:44 Sources 1

About this happening: **OpenClaw**’s **ClawJacked** vulnerability allowed a **malicious website** to brute-force a **localhost WebSocket** connection and take control of a local instance, putting **ses...

OpenClaw Control UI crafted-link RCE (CVE-2026-25253)

Vulnerability
H score32 First: 02.02.2026 18:28 Last: 02.02.2026 18:28 Sources 1

About this happening: **OpenClaw** **CVE-2026-25253** is a high-severity **1-click RCE** flaw that can expose **gateway tokens** and enable **full gateway compromise** on impacted instances. The weakne...

N8n form-based workflow file-read flaw (CVE-2026-21858)

Vulnerability
H score68 First: 07.01.2026 15:48 Last: 07.01.2026 15:48 Sources 1

About this happening: **n8n** disclosed **CVE-2026-21858** (**CVSS 10.0**), a **maximum-severity** **Content-Type confusion** flaw in **form-based workflows** that can let an **unauthenticated remote a...

Timeline

  1. 10.07.2026 17:19 2 articles · 1h ago

    OpenClaw flaws enable host code execution and credential theft

    Initial Disclosure

    OpenClaw maintainers said three now-patched flaws in OpenClaw version 2026.6.6 include GHSA-hjr6-g723-hmfm, GHSA-9969-8g9h-rxwm, and GHSA-575v-8hfq-m3mc, with two command-injection issues and one path-traversal/link-following bug that can enable credential theft, privilege escalation, arbitrary code execution, and host escape when lower-trust input reaches the affected paths. Chinmohan Nayak said the issues can be triggered from an external WhatsApp message.

    Show sources