OpenClaw Local Command Injection Vulnerability in Windows Scheduled Task Script Generation

Vulnerability

A local command injection vulnerability has been identified in OpenClaw versions prior to 2026.2.19. The issue arises in Windows scheduled task script generation, where cmd metacharacters can be injected into unsafely handled gateway.cmd arguments. An attacker who controls the values used during service script generation can exploit this to execute arbitrary commands in the context of the scheduled task.

Impact

Exploitation of this vulnerability allows for arbitrary command execution in the context of the scheduled task.

Reproduction

The vulnerability can be reproduced by injecting cmd metacharacters into the environment variables or command-line arguments used during service script generation. Creating a scheduled task whose generated script contains these characters causes them to be interpreted as part of the task's command when it runs.

Remediation

Users can update to OpenClaw version 2026.2.19 or later, where this vulnerability has been patched.
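The class of bug described above, and the kind of check the fix has to enforce, as an added example (not OpenClaw's own code): a generator for a scheduled-task wrapper script in its vulnerable, raw-interpolation form beside a hardened form that refuses any value carrying cmd metacharacters. Function names, parameter names and the sample paths are assumptions for illustration.

```javascript
// Added example, not OpenClaw's own code. Generates the body of a Windows
// scheduled-task wrapper script (.cmd) that launches a gateway executable.
// Function/parameter names and sample paths are assumptions for illustration.

// Characters that change meaning inside a .cmd line: command separators,
// redirection, the cmd escape character, %/! variable expansion, quotes, newlines.
const CMD_META = /[&|<>^%!"\r\n]/;

function containsCmdMeta(value) {
  return typeof value !== "string" || CMD_META.test(value);
}

// Vulnerable pattern: values are interpolated verbatim, so a value such as
// "C:\data & extra-command" is emitted as a second command in the script.
function unsafeBuildTaskScript(gatewayPath, args, env) {
  const lines = ["@echo off"];
  for (const [name, value] of Object.entries(env)) {
    lines.push(`set ${name}=${value}`);
  }
  lines.push(`"${gatewayPath}" ${args.join(" ")}`);
  return lines.join("\r\n");
}

// Hardened generator: every embedded value is validated before use, env names
// must be plain identifiers, and each argument is individually double-quoted.
function buildTaskScript(gatewayPath, args, env) {
  const check = (label, value) => {
    if (containsCmdMeta(value)) {
      throw new Error(`refusing to embed ${label}: contains cmd metacharacters`);
    }
    return value;
  };
  const lines = ["@echo off"];
  for (const [name, value] of Object.entries(env)) {
    if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(name)) {
      throw new Error(`refusing env name: ${name}`);
    }
    const safeValue = check("env " + name, value);
    // The set "NAME=value" form keeps trailing spaces out of the stored value.
    lines.push(`set "${name}=${safeValue}"`);
  }
  const quoted = args.map((a, i) => `"${check("arg " + i, a)}"`);
  lines.push(`"${check("gateway path", gatewayPath)}" ${quoted.join(" ")}`);
  return lines.join("\r\n");
}
```

Rejecting rather than escaping is the simpler policy here: cmd escaping rules differ between `set` lines, quoted arguments and delayed expansion, so a value that needs any of those characters should not reach a generated script at all.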

Added: Mar 23, 2026, 10:27 PM
Updated: Mar 23, 2026, 10:27 PM

Vulnerability Rating

Custom Algorithm (score per category):

spread: 0.0
impact: 10.0
exploitability: 3.9
remediation: 0.0
relevance: 4.6
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.