Vulnerability-Lookup

CVE-2026-32063 (GCVE-0-2026-32063)

Vulnerability from cvelistv5 – Published: 2026-03-11 13:32 – Updated: 2026-03-11 14:35

Title

OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation

Summary

OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.

Severity ?

6.9 (Medium)


                        
                          CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

7.1 (High)


                        
                          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H

CWE

CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')

Assigner

VulnCheck

References

URL

Tags

	https://github.com/openclaw/openclaw/security/adv…	vendor-advisory
	https://github.com/openclaw/openclaw/commit/61f64…	patch
	https://www.vulncheck.com/advisories/openclaw-com…	third-party-advisory

Impacted products

	Vendor	Product	Version
	openclaw	openclaw	Affected: 2026.2.19-2 , < 2026.2.21 (semver) Unaffected: 2026.2.21

Date Public ?

2026-02-21 00:00

Credits

@tdjackey

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-32063",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-11T14:35:33.498252Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-11T14:35:38.033Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "packageURL": "pkg:npm/openclaw",
          "product": "openclaw",
          "vendor": "openclaw",
          "versions": [
            {
              "lessThan": "2026.2.21",
              "status": "affected",
              "version": "2026.2.19-2",
              "versionType": "semver"
            },
            {
              "status": "unaffected",
              "version": "2026.2.21"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*",
                  "versionEndExcluding": "2026.2.21",
                  "versionStartIncluding": "0",
                  "vulnerable": true
                },
                {
                  "criteria": "cpe:2.3:a:openclaw:openclaw:2026.2.21:*:*:*:*:*:*:*",
                  "vulnerable": false
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "@tdjackey"
        }
      ],
      "datePublic": "2026-02-21T00:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "value": "OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "LOCAL",
            "baseScore": 6.9,
            "baseSeverity": "MEDIUM",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "NONE",
            "subConfidentialityImpact": "NONE",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "NONE",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS"
        },
        {
          "cvssV3_1": {
            "attackComplexity": "LOW",
            "attackVector": "LOCAL",
            "availabilityImpact": "HIGH",
            "baseScore": 7.1,
            "baseSeverity": "HIGH",
            "confidentialityImpact": "NONE",
            "integrityImpact": "HIGH",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
            "version": "3.1"
          },
          "format": "CVSS"
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-03-11T13:32:36.727Z",
        "orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
        "shortName": "VulnCheck"
      },
      "references": [
        {
          "name": "GitHub Security Advisory (GHSA-vffc-f7r7-rx2w)",
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w"
        },
        {
          "name": "Patch Commit",
          "tags": [
            "patch"
          ],
          "url": "https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84"
        },
        {
          "name": "VulnCheck Advisory: OpenClaw 2026.2.19-2 \u003c 2026.2.21 - Command Injection via Newline in systemd Unit Generation",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation"
        }
      ],
      "title": "OpenClaw 2026.2.19-2 \u003c 2026.2.21 - Command Injection via Newline in systemd Unit Generation",
      "x_generator": {
        "engine": "vulncheck"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
    "assignerShortName": "VulnCheck",
    "cveId": "CVE-2026-32063",
    "datePublished": "2026-03-11T13:32:36.727Z",
    "dateReserved": "2026-03-10T19:52:03.795Z",
    "dateUpdated": "2026-03-11T14:35:38.033Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-32063\",\"sourceIdentifier\":\"disclosure@vulncheck.com\",\"published\":\"2026-03-11T14:16:28.580\",\"lastModified\":\"2026-03-16T17:52:56.700\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.\"},{\"lang\":\"es\",\"value\":\"La versi\u00f3n 2026.2.19-2 de OpenClaw anterior a la 2026.2.21 contiene una vulnerabilidad de inyecci\u00f3n de comandos en la generaci\u00f3n de archivos de unidad de systemd, donde los valores de entorno controlados por el atacante no se validan en busca de caracteres CR/LF, lo que permite la inyecci\u00f3n de nuevas l\u00edneas para escapar de las l\u00edneas Environment= e inyectar directivas arbitrarias de systemd. Un atacante que puede influir en config.env.vars y activar la instalaci\u00f3n o el reinicio del servicio puede ejecutar comandos arbitrarios con los privilegios del usuario del servicio de pasarela de OpenClaw.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":6.9,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"NONE\",\"vulnIntegrityImpact\":\"HIGH\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"NONE\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"NONE\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\",\"baseScore\":7.1,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.2},{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"disclosure@vulncheck.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-77\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*\",\"versionEndExcluding\":\"2026.2.21\",\"matchCriteriaId\":\"09CAA52D-0C33-41B4-854A-338CBFC45513\"}]}]}],\"references\":[{\"url\":\"https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]},{\"url\":\"https://www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation\",\"source\":\"disclosure@vulncheck.com\",\"tags\":[\"Broken Link\"]},{\"url\":\"https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Vendor Advisory\"]}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-32063\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-11T14:35:33.498252Z\"}}}], \"references\": [{\"url\": \"https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-11T14:35:28.131Z\"}}], \"cna\": {\"title\": \"OpenClaw 2026.2.19-2 \u003c 2026.2.21 - Command Injection via Newline in systemd Unit Generation\", \"credits\": [{\"lang\": \"en\", \"type\": \"reporter\", \"value\": \"@tdjackey\"}], \"metrics\": [{\"format\": \"CVSS\", \"cvssV4_0\": {\"Safety\": \"NOT_DEFINED\", \"version\": \"4.0\", \"Recovery\": \"NOT_DEFINED\", \"baseScore\": 6.9, \"Automatable\": \"NOT_DEFINED\", \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"valueDensity\": \"NOT_DEFINED\", \"vectorString\": \"CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N\", \"exploitMaturity\": \"NOT_DEFINED\", \"providerUrgency\": \"NOT_DEFINED\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"attackRequirements\": \"NONE\", \"privilegesRequired\": \"LOW\", \"subIntegrityImpact\": \"NONE\", \"vulnIntegrityImpact\": \"HIGH\", \"subAvailabilityImpact\": \"NONE\", \"vulnAvailabilityImpact\": \"HIGH\", \"subConfidentialityImpact\": \"NONE\", \"vulnConfidentialityImpact\": \"NONE\", \"vulnerabilityResponseEffort\": \"NOT_DEFINED\"}}, {\"format\": \"CVSS\", \"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.1, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"openclaw\", \"product\": \"openclaw\", \"versions\": [{\"status\": \"affected\", \"version\": \"2026.2.19-2\", \"lessThan\": \"2026.2.21\", \"versionType\": \"semver\"}, {\"status\": \"unaffected\", \"version\": \"2026.2.21\"}], \"packageURL\": \"pkg:npm/openclaw\", \"defaultStatus\": \"unaffected\"}], \"datePublic\": \"2026-02-21T00:00:00.000Z\", \"references\": [{\"url\": \"https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w\", \"name\": \"GitHub Security Advisory (GHSA-vffc-f7r7-rx2w)\", \"tags\": [\"vendor-advisory\"]}, {\"url\": \"https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84\", \"name\": \"Patch Commit\", \"tags\": [\"patch\"]}, {\"url\": \"https://www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation\", \"name\": \"VulnCheck Advisory: OpenClaw 2026.2.19-2 \u003c 2026.2.21 - Command Injection via Newline in systemd Unit Generation\", \"tags\": [\"third-party-advisory\"]}], \"x_generator\": {\"engine\": \"vulncheck\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-77\", \"description\": \"Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)\"}]}], \"cpeApplicability\": [{\"nodes\": [{\"negate\": false, \"cpeMatch\": [{\"criteria\": \"cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*\", \"vulnerable\": true, \"versionEndExcluding\": \"2026.2.21\", \"versionStartIncluding\": \"0\"}, {\"criteria\": \"cpe:2.3:a:openclaw:openclaw:2026.2.21:*:*:*:*:*:*:*\", \"vulnerable\": false}], \"operator\": \"OR\"}], \"operator\": \"OR\"}], \"providerMetadata\": {\"orgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"shortName\": \"VulnCheck\", \"dateUpdated\": \"2026-03-11T13:32:36.727Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-32063\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-11T14:35:38.033Z\", \"dateReserved\": \"2026-03-10T19:52:03.795Z\", \"assignerOrgId\": \"83251b91-4cc7-4094-a5c7-464a1b83ea10\", \"datePublished\": \"2026-03-11T13:32:36.727Z\", \"assignerShortName\": \"VulnCheck\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

GHSA-VFFC-F7R7-RX2W

Vulnerability from github – Published: 2026-03-03 21:52 – Updated: 2026-03-16 21:51

Summary

OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux)

Details

Summary

A command injection vulnerability exists in OpenClaw’s Linux systemd unit generation path. When rendering Environment= entries, attacker-controlled values are not rejected for CR/LF, and systemdEscapeArg() uses an incorrect whitespace-matching regex. This allows newline injection to break out of an Environment= line and inject standalone systemd directives (for example, ExecStartPre=). On service restart, the injected command is executed, resulting in local arbitrary command execution (local RCE) under the gateway service user.

Details

The issue is in src/daemon/systemd-unit.ts:

renderEnvLines(...) builds:
Environment=${systemdEscapeArg(${key}=${value})}
No CR/LF validation is enforced for environment keys/values before writing unit lines.
systemdEscapeArg(...) uses:
/[\\s"\\\\]/
In this regex, \\s is interpreted as a literal backslash + s, not a whitespace character class. As a result, whitespace detection/quoting behavior is incorrect. Because systemd parses unit files line-by-line, a newline inside an environment value can inject an additional directive line. Example rendered output:

Environment=INJECT=ok
ExecStartPre=/bin/touch /tmp/oc15789_rce

At restart time, systemd executes ExecStartPre, enabling command execution.

Relevant code path/components involved in exploitation chain: - src/daemon/systemd-unit.ts - src/commands/daemon-install-helpers.ts - src/config/env-vars.ts - src/config/zod-schema.ts

Trigger conditions: 1. Attacker can influence config.env.vars (directly or indirectly). 2. Install/reinstall path is invoked to write/update the unit. 3. Service restart occurs (systemctl --user restart ...).

PoC

Environment: Linux host with systemd user services enabled.

Configure a malicious environment value in OpenClaw config (config.env.vars), including a newline and injected directive:
Key: INJECT
Value:

ok
ExecStartPre=/bin/touch /tmp/oc15789_rce

Install/reinstall the gateway service (fixed port as requested):

openclaw gateway install --port 15789 --force

Inspect the generated user unit file (default path):

~/.config/systemd/user/openclaw-gateway.service

Verify that an injected standalone line exists:

ExecStartPre=/bin/touch /tmp/oc15789_rce

Reload and restart user service:

systemctl --user daemon-reload

systemctl --user restart openclaw-gateway.service

Confirm command execution side effect:

ls -l /tmp/oc15789_rce

Impact

This is a local command execution vulnerability in OpenClaw’s systemd unit generation during install/reinstall flows.

Type: Command injection via newline/directive injection in unit file generation.
Execution context: Runs with the same privileges as the OpenClaw gateway service user.
Affected users: Linux deployments using systemd user services where an attacker can control config.env.vars and trigger install/reinstall.

Fix Commit(s)

61f646c41fb43cd87ed48f9125b4718a30d38e84

Severity ?

8.6 (High)


                  
                    CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2026.2.19-2"
      },
      "package": {
        "ecosystem": "npm",
        "name": "openclaw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2026.2.21"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-32063"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-77"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-03T21:52:54Z",
    "nvd_published_at": "2026-03-11T14:16:28Z",
    "severity": "HIGH"
  },
  "details": "### Summary\nA command injection vulnerability exists in OpenClaw\u2019s Linux systemd unit generation path.\nWhen rendering `Environment=` entries, attacker-controlled values are not rejected for CR/LF, and `systemdEscapeArg()` uses an incorrect whitespace-matching regex. This allows newline injection to break out of an `Environment=` line and inject standalone systemd directives (for example, `ExecStartPre=`). On service restart, the injected command is executed, resulting in local arbitrary command execution (local RCE) under the gateway service user.\n\n---\n\n### Details\nThe issue is in `src/daemon/systemd-unit.ts`:\n\n- `renderEnvLines(...)` builds:\n- `Environment=${systemdEscapeArg(`${key}=${value}`)}`\n- No CR/LF validation is enforced for environment keys/values before writing unit lines.\n- `systemdEscapeArg(...)` uses:\n- `/[\\\\s\"\\\\\\\\]/`\n- In this regex, `\\\\s` is interpreted as a literal backslash + `s`, not a whitespace character class.\nAs a result, whitespace detection/quoting behavior is incorrect.\nBecause systemd parses unit files line-by-line, a newline inside an environment value can inject an additional directive line. Example rendered output:\n\n```ini\nEnvironment=INJECT=ok\nExecStartPre=/bin/touch /tmp/oc15789_rce\n```\n\nAt restart time, systemd executes `ExecStartPre`, enabling command execution.\n\nRelevant code path/components involved in exploitation chain:\n- `src/daemon/systemd-unit.ts`\n- `src/commands/daemon-install-helpers.ts`\n- `src/config/env-vars.ts`\n- `src/config/zod-schema.ts`\n\nTrigger conditions:\n1. Attacker can influence `config.env.vars` (directly or indirectly).\n2. Install/reinstall path is invoked to write/update the unit.\n3. Service restart occurs (`systemctl --user restart ...`).\n\n---\n\n### PoC\nEnvironment: Linux host with systemd user services enabled.\n\n1. Configure a malicious environment value in OpenClaw config (`config.env.vars`), including a newline and injected directive:\n- Key: `INJECT`\n- Value:\n```text\nok\nExecStartPre=/bin/touch /tmp/oc15789_rce\n```\n\n2. Install/reinstall the gateway service (fixed port as requested):\n```bash\nopenclaw gateway install --port 15789 --force\n```\n\n3. Inspect the generated user unit file (default path):\n```bash\n~/.config/systemd/user/openclaw-gateway.service\n```\nVerify that an injected standalone line exists:\n```ini\nExecStartPre=/bin/touch /tmp/oc15789_rce\n```\n\n4. Reload and restart user service:\n```bash\nsystemctl --user daemon-reload\n```\n```bash\nsystemctl --user restart openclaw-gateway.service\n```\n\n5. Confirm command execution side effect:\n```bash\nls -l /tmp/oc15789_rce\n```\n---\n\n### Impact\nThis is a local command execution vulnerability in OpenClaw\u2019s systemd unit generation during install/reinstall flows.\n\n- **Type:** Command injection via newline/directive injection in unit file generation.\n- **Execution context:** Runs with the same privileges as the OpenClaw gateway service user.\n- **Affected users:** Linux deployments using systemd user services where an attacker can control `config.env.vars` and trigger install/reinstall.\n\n## Fix Commit(s)\n- `61f646c41fb43cd87ed48f9125b4718a30d38e84`",
  "id": "GHSA-vffc-f7r7-rx2w",
  "modified": "2026-03-16T21:51:52Z",
  "published": "2026-03-03T21:52:54Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32063"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/openclaw/openclaw"
    },
    {
      "type": "WEB",
      "url": "https://www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux)"
}

FKIE_CVE-2026-32063

Vulnerability from fkie_nvd - Published: 2026-03-11 14:16 - Updated: 2026-03-16 17:52

Severity ?

7.1 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
7.8 (High) - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Summary

References

URL	Tags
disclosure@vulncheck.com	https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84	Patch
disclosure@vulncheck.com	https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w	Exploit, Vendor Advisory
disclosure@vulncheck.com	https://www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation	Broken Link
134c704f-9b21-4f2e-91b3-4a467353bcc0	https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w	Exploit, Vendor Advisory

Impacted products

	Vendor	Product	Version
	openclaw	openclaw	*

JSON

To clipboard

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*",
              "matchCriteriaId": "09CAA52D-0C33-41B4-854A-338CBFC45513",
              "versionEndExcluding": "2026.2.21",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user."
    },
    {
      "lang": "es",
      "value": "La versi\u00f3n 2026.2.19-2 de OpenClaw anterior a la 2026.2.21 contiene una vulnerabilidad de inyecci\u00f3n de comandos en la generaci\u00f3n de archivos de unidad de systemd, donde los valores de entorno controlados por el atacante no se validan en busca de caracteres CR/LF, lo que permite la inyecci\u00f3n de nuevas l\u00edneas para escapar de las l\u00edneas Environment= e inyectar directivas arbitrarias de systemd. Un atacante que puede influir en config.env.vars y activar la instalaci\u00f3n o el reinicio del servicio puede ejecutar comandos arbitrarios con los privilegios del usuario del servicio de pasarela de OpenClaw."
    }
  ],
  "id": "CVE-2026-32063",
  "lastModified": "2026-03-16T17:52:56.700",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.1,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "NONE",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.2,
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      },
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "LOCAL",
          "availabilityImpact": "HIGH",
          "baseScore": 7.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "LOW",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 1.8,
        "impactScore": 5.9,
        "source": "nvd@nist.gov",
        "type": "Primary"
      }
    ],
    "cvssMetricV40": [
      {
        "cvssData": {
          "Automatable": "NOT_DEFINED",
          "Recovery": "NOT_DEFINED",
          "Safety": "NOT_DEFINED",
          "attackComplexity": "LOW",
          "attackRequirements": "NONE",
          "attackVector": "LOCAL",
          "availabilityRequirement": "NOT_DEFINED",
          "baseScore": 6.9,
          "baseSeverity": "MEDIUM",
          "confidentialityRequirement": "NOT_DEFINED",
          "exploitMaturity": "NOT_DEFINED",
          "integrityRequirement": "NOT_DEFINED",
          "modifiedAttackComplexity": "NOT_DEFINED",
          "modifiedAttackRequirements": "NOT_DEFINED",
          "modifiedAttackVector": "NOT_DEFINED",
          "modifiedPrivilegesRequired": "NOT_DEFINED",
          "modifiedSubAvailabilityImpact": "NOT_DEFINED",
          "modifiedSubConfidentialityImpact": "NOT_DEFINED",
          "modifiedSubIntegrityImpact": "NOT_DEFINED",
          "modifiedUserInteraction": "NOT_DEFINED",
          "modifiedVulnAvailabilityImpact": "NOT_DEFINED",
          "modifiedVulnConfidentialityImpact": "NOT_DEFINED",
          "modifiedVulnIntegrityImpact": "NOT_DEFINED",
          "privilegesRequired": "LOW",
          "providerUrgency": "NOT_DEFINED",
          "subAvailabilityImpact": "NONE",
          "subConfidentialityImpact": "NONE",
          "subIntegrityImpact": "NONE",
          "userInteraction": "NONE",
          "valueDensity": "NOT_DEFINED",
          "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
          "version": "4.0",
          "vulnAvailabilityImpact": "HIGH",
          "vulnConfidentialityImpact": "NONE",
          "vulnIntegrityImpact": "HIGH",
          "vulnerabilityResponseEffort": "NOT_DEFINED"
        },
        "source": "disclosure@vulncheck.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-03-11T14:16:28.580",
  "references": [
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w"
    },
    {
      "source": "disclosure@vulncheck.com",
      "tags": [
        "Broken Link"
      ],
      "url": "https://www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation"
    },
    {
      "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
      "tags": [
        "Exploit",
        "Vendor Advisory"
      ],
      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w"
    }
  ],
  "sourceIdentifier": "disclosure@vulncheck.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "disclosure@vulncheck.com",
      "type": "Secondary"
    }
  ]
}

WID-SEC-W-2026-0472

Vulnerability from csaf_certbund - Published: 2026-02-22 23:00 - Updated: 2026-03-11 23:00

Summary

OpenClaw: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

OpenClaw ist ein persönlicher KI-Assistent zur Ausführung auf eigenen Geräten.

Angriff

Ein Angreifer kann mehrere Schwachstellen in OpenClaw ausnutzen, um beliebigen Programmcode auszuführen, sich erhöhte Berechtigungen zu verschaffen, Daten zu manipulieren, einen Denial-of-Service-Zustand auszulösen, Sicherheitsmaßnahmen zu umgehen, vertrauliche Informationen offenzulegen oder andere nicht näher spezifizierte Angriffe durchzuführen.

Betroffene Betriebssysteme

- Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "mittel"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "OpenClaw ist ein pers\u00f6nlicher KI-Assistent zur Ausf\u00fchrung auf eigenen Ger\u00e4ten.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in OpenClaw ausnutzen, um beliebigen Programmcode auszuf\u00fchren, sich erh\u00f6hte Berechtigungen zu verschaffen, Daten zu manipulieren, einen Denial-of-Service-Zustand auszul\u00f6sen, Sicherheitsma\u00dfnahmen zu umgehen, vertrauliche Informationen offenzulegen oder andere nicht n\u00e4her spezifizierte Angriffe durchzuf\u00fchren.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0472 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0472.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0472 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0472"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-25gx-x37c-7pph"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2fgq-7j6h-9rm4"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2hm8-rqrm-xfjq"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2mc2-g238-722j"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2prf-9cw7-fq62"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2rgf-hm63-5qph"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3cvx-236h-m9fj"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3x3x-h76w-hp98"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3xfw-4pmr-4xc5"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-43x4-g22p-3hrq"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-45cg-2683-gfmq"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4cqv-h74h-93j4"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4gc7-qcvf-38wg"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4rqq-w8v4-7p47"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-56pc-6hvp-4gv4"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5847-rm3g-23mw"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5ghc-98wh-gwwf"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5h2c-8v84-qpvr"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5mx2-2mgw-x8rm"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5v6x-rfc3-7qfr"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-62f6-mrcj-v8h5"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-65rx-fvh6-r4h2"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6j27-pc5c-m8w8"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-74xj-763f-264w"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7fcc-cw49-xm78"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8cp7-rp8r-mg77"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security A)dvisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8fmp-37rc-p5g7"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9p38-94jf-hgjj"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cjv3-m589-v3rx"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f6h3-846h-2r8w"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-f8mp-vj46-cq8v"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-fg3m-vhrr-8gj6"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-gq83-8q7q-9hfx"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hff7-ccv5-52f8"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jj82-76v6-933r"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jjgj-cpp9-cvpv"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jq4x-98m3-ggq6"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jwf4-8wf4-jf2m"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mfg5-7q5g-f37j"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-mqr9-vqhq-3jxw"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rx3g-mvc3-qfjf"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxxp-482v-7mrh"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v3j7-34xh-6g3w"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-v6x2-2qvm-6gv8"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vmqr-rc7x-3446"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vvjh-f6p9-5vcf"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w7j5-j98m-w679"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w9cg-v44m-4qv8"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wpph-cjgr-7c39"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x2g4-7mj7-2hhj"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-x9cf-3w63-rpq9"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xgf2-vxv2-rrmg"
      },
      {
        "category": "external",
        "summary": "OpenClaw Security Advisories vom 2026-02-22",
        "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xwcr-v472-8hhr"
      }
    ],
    "source_lang": "en-US",
    "title": "OpenClaw: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-03-11T23:00:00.000+00:00",
      "generator": {
        "date": "2026-03-12T06:11:45.572+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0472",
      "initial_release_date": "2026-02-22T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-02-22T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-03-11T23:00:00.000+00:00",
          "number": "2",
          "summary": "CVE-2026-32061, CVE-2026-32062, CVE-2026-32063 erg\u00e4nzt"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c2026.2.22",
                "product": {
                  "name": "Open Source OpenClaw \u003c2026.2.22",
                  "product_id": "T051067"
                }
              },
              {
                "category": "product_version",
                "name": "2026.2.22",
                "product": {
                  "name": "Open Source OpenClaw 2026.2.22",
                  "product_id": "T051067-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:openclaw:openclaw:2026.2.22"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "OpenClaw"
          }
        ],
        "category": "vendor",
        "name": "Open Source"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-27158",
      "product_status": {
        "known_affected": [
          "T051067"
        ]
      },
      "release_date": "2026-02-22T23:00:00.000+00:00",
      "title": "CVE-2026-27158"
    },
    {
      "cve": "CVE-2026-27159",
      "product_status": {
        "known_affected": [
          "T051067"
        ]
      },
      "release_date": "2026-02-22T23:00:00.000+00:00",
      "title": "CVE-2026-27159"
    },
    {
      "cve": "CVE-2026-27164",
      "product_status": {
        "known_affected": [
          "T051067"
        ]
      },
      "release_date": "2026-02-22T23:00:00.000+00:00",
      "title": "CVE-2026-27164"
    },
    {
      "cve": "CVE-2026-27165",
      "product_status": {
        "known_affected": [
          "T051067"
        ]
      },
      "release_date": "2026-02-22T23:00:00.000+00:00",
      "title": "CVE-2026-27165"
    },
    {
      "cve": "CVE-2026-27209",
      "product_status": {
        "known_affected": [
          "T051067"
        ]
      },
      "release_date": "2026-02-22T23:00:00.000+00:00",
      "title": "CVE-2026-27209"
    },
    {
      "cve": "CVE-2026-32061",
      "product_status": {
        "known_affected": [
          "T051067"
        ]
      },
      "release_date": "2026-02-22T23:00:00.000+00:00",
      "title": "CVE-2026-32061"
    },
    {
      "cve": "CVE-2026-32062",
      "product_status": {
        "known_affected": [
          "T051067"
        ]
      },
      "release_date": "2026-02-22T23:00:00.000+00:00",
      "title": "CVE-2026-32062"
    },
    {
      "cve": "CVE-2026-32063",
      "product_status": {
        "known_affected": [
          "T051067"
        ]
      },
      "release_date": "2026-02-22T23:00:00.000+00:00",
      "title": "CVE-2026-32063"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-32063 (GCVE-0-2026-32063)

GHSA-VFFC-F7R7-RX2W

Summary

Details

PoC

Impact

Fix Commit(s)

FKIE_CVE-2026-32063

WID-SEC-W-2026-0472

Tags

Sightings

Nomenclature