OnePlus 6 has bootloader flaw that allows aribtrary or modified images to boot even when locked
The OnePlus 6 bootloader has a flaw
To take advantage of the vulnerability, a hacker needs to not only have physical access to your OnePlus 6, he also has to have your phone hooked up with a PC. From there, it is a simple matter of restarting the handset in Fastboot and loading the modified image. Android Police was able to install the TWRP recovery on a OnePlus 6 even with the bootloader locked. This could allow some ne'er do well to give themselves root access to your device and have his/her way with the handset.
If you're like many of us and you worry about sharing your phone with anyone (including family members) for fear that it will end up with a cracked screen on the floor, drenched from a swim in the toilet, or melted on the stove, you probably shouldn't worry about this too much. After all, this group of smartphone owners usually have their phones on them 24/7, or at least always know where they are at all times.
OnePlus has issued a statement today, stating that it plans on talking to Mr. Donenfeld and promising to issue a software update.
"We take security seriously at OnePlus. We are in contact with the security researcher, and a software update will be rolling out shortly."-OnePlus
source: XDA
Things that are NOT allowed: