GHSA-PJ5X-38RW-6FPH
Vulnerability from github – Published: 2026-03-03 21:50 – Updated: 2026-03-20 21:35Summary
A command injection vulnerability existed in Windows Scheduled Task script generation for OpenClaw. Environment values were written into gateway.cmd using unquoted set KEY=VALUE, which allowed Windows shell metacharacters in config-provided environment variables to break out of assignment context.
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
<= 2026.2.17 - Patched version:
>= 2026.2.19 - Latest published vulnerable version at review time (2026-02-19):
2026.2.17
Practical Risk Context
For a single-user, localhost-only setup on a personally controlled machine, practical risk is typically low.
This issue becomes materially relevant when configuration or environment values are sourced from less-trusted inputs, for example:
- shared/team config templates,
- copied config snippets,
- setup scripts, automation, or repos that write config,
- any workflow where another party can influence env values before gateway install/reinstall.
In those scenarios, it provides a reliable config-to-command-execution path when the scheduled task script is generated and run.
Details
On Windows, gateway service installation writes a helper batch script and then registers it via Scheduled Task (schtasks).
Before the fix, env lines were rendered as set KEY=VALUE in src/daemon/schtasks.ts, so values containing metacharacters (for example &, |, ^, %, !) could alter command behavior in cmd.exe.
The fix now renders quoted assignments (set "KEY=VALUE") with explicit escaping for cmd metacharacters, updates parser compatibility for quoted assignments, and adds regression tests for metacharacter handling and round-trip parsing.
Fix Commit(s)
dafe52e8cf1a041d898cfb304a485fa05e5f58fb
OpenClaw thanks @tdjackey for reporting.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2026.2.17"
},
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2026.2.19"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22176"
],
"database_specific": {
"cwe_ids": [
"CWE-78"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-03T21:50:05Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nA command injection vulnerability existed in Windows Scheduled Task script generation for OpenClaw. Environment values were written into `gateway.cmd` using unquoted `set KEY=VALUE`, which allowed Windows shell metacharacters in config-provided environment variables to break out of assignment context.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Affected versions: `\u003c= 2026.2.17`\n- Patched version: `\u003e= 2026.2.19`\n- Latest published vulnerable version at review time (2026-02-19): `2026.2.17`\n\n### Practical Risk Context\nFor a single-user, localhost-only setup on a personally controlled machine, practical risk is typically low.\n\nThis issue becomes materially relevant when configuration or environment values are sourced from less-trusted inputs, for example:\n- shared/team config templates,\n- copied config snippets,\n- setup scripts, automation, or repos that write config,\n- any workflow where another party can influence env values before `gateway install`/reinstall.\n\nIn those scenarios, it provides a reliable config-to-command-execution path when the scheduled task script is generated and run.\n\n### Details\nOn Windows, gateway service installation writes a helper batch script and then registers it via Scheduled Task (`schtasks`).\nBefore the fix, env lines were rendered as `set KEY=VALUE` in `src/daemon/schtasks.ts`, so values containing metacharacters (for example `\u0026`, `|`, `^`, `%`, `!`) could alter command behavior in `cmd.exe`.\n\nThe fix now renders quoted assignments (`set \"KEY=VALUE\"`) with explicit escaping for cmd metacharacters, updates parser compatibility for quoted assignments, and adds regression tests for metacharacter handling and round-trip parsing.\n\n### Fix Commit(s)\n- `dafe52e8cf1a041d898cfb304a485fa05e5f58fb`\n\nOpenClaw thanks @tdjackey for reporting.",
"id": "GHSA-pj5x-38rw-6fph",
"modified": "2026-03-20T21:35:48Z",
"published": "2026-03-03T21:50:05Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pj5x-38rw-6fph"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22176"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/dafe52e8cf1a041d898cfb304a485fa05e5f58fb"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/openclaw-command-injection-via-unescaped-environment-variables-in-windows-scheduled-task"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "OpenClaw has a Command Injection via unescaped environment assignments in Windows Scheduled Task script generation"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.