CVSS Vector
CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Description
OpenClaw versions prior to 2026.2.18 contain a command injection vulnerability in the Windows Scheduled Task script generation: environment variables taken from the configuration are written unquoted into the generated gateway.cmd, so a value containing cmd.exe metacharacters (for example `&`, `|`, `&&`) terminates the `set NAME=value` assignment and the remainder of the line is executed as a separate command. An attacker who can influence the config-provided environment variables therefore gets arbitrary command execution in the context of the scheduled task, at the point where the script is generated and then run. Consistent with the AV:L/AC:H vector, the precondition is control over that configuration, not a remote entry point.
Analysis
OpenClaw contains a command injection vulnerability in its Windows Scheduled Task script generation mechanism. Versions prior to 2026.2.18 write environment variables unquoted into gateway.cmd, so shell metacharacters in a config-provided value break out of the assignment and are executed as additional commands when the scheduled task runs. …
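The assignment break-out described in the Description and Analysis above, together with one hardened generator, as an added example written for this page; it is not code from the OpenClaw project, and the hardening shown is one reasonable fix rather than a claim about the upstream patch. The function names, the environment map, the executable path and the `calc.exe` payload are all constructed for the demonstration; `cmdSegments` is a deliberately minimal model of how cmd.exe splits a line, not a full parser.

```javascript
// Added example, not OpenClaw's own code. Function names, env map and
// payload strings are hypothetical / constructed for this demonstration.

const ENV_NAME_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Vulnerable pattern: config-provided values are interpolated verbatim into
// `set NAME=value`. A value such as `C:\logs & calc.exe` ends the assignment
// at the unquoted `&`, and cmd.exe runs calc.exe as a second command when the
// scheduled task executes the script.
function renderGatewayCmdUnsafe(env, exePath) {
  const lines = ['@echo off'];
  for (const [name, value] of Object.entries(env)) {
    lines.push(`set ${name}=${value}`);
  }
  lines.push(`"${exePath}" gateway`);
  return lines.join('\r\n') + '\r\n';
}

// Hardened pattern (one reasonable fix, not necessarily the upstream one):
//  - accept only identifier-shaped variable names,
//  - emit set "NAME=value" so & | < > ^ inside the quotes are literal,
//  - reject characters that would defeat that quoting or split the line
//    (a double quote toggles cmd's quote state; CR, LF and NUL end the line),
//  - double % so the batch parser does not expand %VAR% at parse time.
// Delayed expansion (!VAR!) is off by default in batch files, so ! is kept.
function renderGatewayCmdSafe(env, exePath) {
  if (exePath.includes('"')) throw new Error('exe path must not contain a double quote');
  const lines = ['@echo off'];
  for (const [name, value] of Object.entries(env)) {
    if (!ENV_NAME_RE.test(name)) {
      throw new Error(`invalid environment variable name: ${JSON.stringify(name)}`);
    }
    if (/["\r\n\0]/.test(value)) {
      throw new Error(`unsafe character in value of ${name}`);
    }
    lines.push(`set "${name}=${value.replace(/%/g, '%%')}"`);
  }
  lines.push(`"${exePath}" gateway`);
  return lines.join('\r\n') + '\r\n';
}

// Minimal model of how cmd.exe splits one line into commands: & && | || are
// separators outside double quotes, and each " toggles the quote state.
// Enough to show the break-out; it is not a complete cmd parser.
function cmdSegments(line) {
  const segments = [];
  let current = '';
  let quoted = false;
  for (let i = 0; i < line.length; i++) {
    const c = line[i];
    if (c === '"') {
      quoted = !quoted;
      current += c;
    } else if (!quoted && (c === '&' || c === '|')) {
      if (line[i + 1] === c) i++; // && or ||
      segments.push(current.trim());
      current = '';
    } else {
      current += c;
    }
  }
  segments.push(current.trim());
  return segments.filter((s) => s.length > 0);
}

// Audit helper: every command that would run in addition to the `set` on
// each assignment line. An empty array means no break-out. Usable on the
// text of an existing gateway.cmd as well as on freshly generated output.
function findBreakouts(script) {
  const injected = [];
  for (const line of script.split(/\r?\n/)) {
    if (!/^set\s/i.test(line)) continue;
    injected.push(...cmdSegments(line).slice(1));
  }
  return injected;
}

if (typeof require !== 'undefined' && require.main === module) {
  // Constructed sample config: one benign value, one carrying a payload.
  const env = { OPENCLAW_PORT: '18789', OPENCLAW_LOG_DIR: 'C:\\logs & calc.exe' };
  const exe = 'C:\\Program Files\\OpenClaw\\openclaw.exe';
  console.log('unsafe breakouts:', findBreakouts(renderGatewayCmdUnsafe(env, exe)));
  console.log('safe breakouts:  ', findBreakouts(renderGatewayCmdSafe(env, exe)));
}
```

Rejecting double quotes, CR and LF rather than trying to escape them is deliberate: cmd.exe has no escape sequence that is reliable inside a quoted `set` value across parse and execution phases, so a value that cannot be represented safely is refused at generation time instead of being written into a script that runs with the task's privileges. `findBreakouts` can also be pointed at a gateway.cmd that was generated by an older version to check whether any of its `set` lines already carry an injected command.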
Remediation
Within 24 hours: inventory all systems running OpenClaw versions prior to 2026.2.18 and assess exposure in production environments, paying particular attention to Windows hosts where the gateway is registered as a Scheduled Task and to who can modify the configuration that feeds its environment variables. Within 7 days: upgrade to 2026.2.18 or later on all affected systems, prioritizing production and critical infrastructure, and review any gateway.cmd that was generated by an earlier version for unquoted `set` lines, since upgrading the package does not by itself guarantee that a previously written script is regenerated. …
External POC / Exploit Code
EUVD-2026-14553
GHSA-pv5j-hvrw-38j6