CVSS 4.0 score: 7.1

OpenClaw Windows Task Scheduler Script May Execute Malicious Code

GHSA-pj5x-38rw-6fph
Summary

OpenClaw's Windows Scheduled Task script generation had a command injection flaw. Environment variable values taken from the configuration were written into the generated batch script unquoted, so cmd.exe metacharacters in those values could break out of the `set` assignment and run arbitrary commands when the scheduled task executed. Anyone who can influence the configured environment values before the gateway service is installed or reinstalled could exploit this. If you run OpenClaw on Windows, update to version 2026.2.19 or later.

What to do
  • Update openclaw to version 2026.2.19 or later.
Affected software
| Vendor | Product  | Affected versions | Fix available |
|--------|----------|-------------------|---------------|
| –      | openclaw | <= 2026.2.17      | 2026.2.19     |
Original title
OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation
Original description
### Summary
A command injection vulnerability existed in Windows Scheduled Task script generation for OpenClaw. Environment values were written into `gateway.cmd` using unquoted `set KEY=VALUE`, which allowed Windows shell metacharacters in config-provided environment variables to break out of assignment context.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.17`
- Patched version: `>= 2026.2.19`
- Latest published vulnerable version at review time (2026-02-19): `2026.2.17`

### Practical Risk Context
For a single-user, localhost-only setup on a personally controlled machine, practical risk is typically low.

This issue becomes materially relevant when configuration or environment values are sourced from less-trusted inputs, for example:
- shared/team config templates,
- copied config snippets,
- setup scripts, automation, or repos that write config,
- any workflow where another party can influence env values before `gateway install`/reinstall.

In those scenarios, it provides a reliable config-to-command-execution path when the scheduled task script is generated and run.

### Details
On Windows, gateway service installation writes a helper batch script and then registers it via Scheduled Task (`schtasks`).
Before the fix, env lines were rendered as `set KEY=VALUE` in `src/daemon/schtasks.ts`, so values containing metacharacters (for example `&`, `|`, `^`, `%`, `!`) could alter command behavior in `cmd.exe`.

The fix renders quoted assignments (`set "KEY=VALUE"`) with explicit escaping for cmd metacharacters, updates the parser to accept quoted assignments, and adds regression tests for metacharacter handling and round-trip parsing. Quoting alone is not sufficient in cmd.exe: `%NAME%` expansion happens before quotes are processed, and `!` is expanded whenever delayed expansion is enabled, which is why the escaping step is needed in addition to the quotes.
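The vulnerable and hardened renderings described above, as an added example in TypeScript (the project's language) that is not OpenClaw's own code: the function names, the script layout, and the variable-name whitelist are assumptions, while the escaping rules follow cmd.exe's behaviour for double-quoted text, percent expansion and delayed expansion. A parser that reads back both the legacy and the quoted form is included because the advisory mentions round-trip compatibility.

```typescript
// Added example, not OpenClaw's code: vulnerable `set KEY=VALUE` rendering
// beside a hardened renderer, plus a parser that reads both forms.

type EnvMap = Record<string, string>;

// Vulnerable form (pre-fix behaviour as the advisory describes it): the value
// is interpolated raw, so a value such as `x & echo injected` turns the line
// into two cmd.exe commands.
function renderEnvLineUnsafe(key: string, value: string): string {
  return `set ${key}=${value}`;
}

// Conservative whitelist for variable names (assumption; the page does not
// state OpenClaw's key rules) so the key itself cannot carry metacharacters.
const VALID_KEY = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Prepare a value for use inside `set "KEY=VALUE"`. Inside double quotes
// cmd.exe treats & | < > ^ as literal text, but two things still need care:
//   - `%`: %NAME% expansion runs before quote parsing; in a batch file a
//          literal percent sign is written as %%.
//   - `"` and CR/LF cannot be escaped inside the quoted form (a quote would
//     re-open command parsing, a line break starts a new batch line), so
//     values containing them are rejected rather than "escaped".
// `!` is only special under `setlocal enabledelayedexpansion`, which this
// example assumes the generated script never enables.
function escapeCmdValue(value: string): string {
  if (/[\r\n]/.test(value)) {
    throw new Error("env value contains a line break, which would inject a new batch line");
  }
  if (value.includes('"')) {
    throw new Error("env value contains a double quote, which would close the quoted assignment");
  }
  return value.replace(/%/g, "%%");
}

// Hardened form: quoted assignment plus the escaping above.
function renderEnvLineSafe(key: string, value: string): string {
  if (!VALID_KEY.test(key)) {
    throw new Error(`invalid environment variable name: ${JSON.stringify(key)}`);
  }
  return `set "${key}=${escapeCmdValue(value)}"`;
}

// Render a minimal helper script in the spirit of gateway.cmd (layout assumed:
// echo off, one assignment per variable, then the command the task runs).
function renderGatewayScript(env: EnvMap, command: string): string {
  const lines = ["@echo off"];
  for (const key of Object.keys(env).sort()) {
    lines.push(renderEnvLineSafe(key, env[key]));
  }
  lines.push(command);
  return lines.join("\r\n") + "\r\n";
}

// Parser that accepts both the legacy unquoted and the quoted form, so a
// script written by either version can be read back (round-trip support).
function parseEnvLine(line: string): [string, string] | null {
  const m = /^set (?:"([^"=]+)=(.*)"|(\S[^=]*)=(.*))$/.exec(line);
  if (!m) return null;
  const quoted = m[1] !== undefined;
  const key = quoted ? m[1] : m[3];
  const raw = quoted ? m[2] : m[4];
  // Only the hardened form doubles percent signs, so only undo it there.
  return [key, quoted ? raw.replace(/%%/g, "%") : raw];
}

// Constructed sample: the same config value through both renderers.
const sampleValue = "x & echo injected";
console.log(renderEnvLineUnsafe("API_TOKEN", sampleValue)); // breaks out of the assignment
console.log(renderEnvLineSafe("API_TOKEN", sampleValue));   // stays a single assignment
```

Rejecting `"` outright is the conservative choice: cmd.exe has no reliable way to escape a double quote inside a quoted `set` assignment, and an unescapable character in a configuration value is better reported at install time than silently written into a script the Task Scheduler will run.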

### Fix Commit(s)
- `dafe52e8cf1a041d898cfb304a485fa05e5f58fb`

OpenClaw thanks @tdjackey for reporting.
Severity (GHSA, CVSS 4.0): 7.1
Vulnerability type
CWE-78 OS Command Injection
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026