EUVD-2026-13027
GHSA-mqr9-vqhq-3jxw
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Lifecycle Timeline
4Description
OpenClaw versions prior to 2026.2.19 contain a local command injection vulnerability in Windows scheduled task script generation due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only values or CR/LF sequences that execute unintended code in the scheduled task context.
Analysis
OpenClaw contains a local command injection vulnerability in Windows scheduled task script generation that allows authenticated local attackers to inject arbitrary commands through unsafe handling of cmd metacharacters and CR/LF sequences in gateway.cmd files. OpenClaw versions prior to 2026.2.19 are affected. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all systems running OpenClaw versions prior to 2026.2.19 and assess which have local user access. Within 7 days: Apply vendor patch to version 2026.2.19 or later across all affected systems, prioritizing production environments and systems with sensitive scheduled tasks. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today