Description
OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.
Published: 2026-03-11
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Patch
AI Analysis

Impact

OpenClaw versions 2026.2.19-2 up to but not including 2026.2.21 contain a command injection flaw in the generation of systemd unit files. The flaw arises because attacker-controlled environment variable values are not validated for carriage return or line feed characters, so an embedded newline terminates the Environment= line and whatever follows is parsed as a new systemd directive. An attacker who can influence config.env.vars and trigger a service install or restart can therefore inject directives that execute arbitrary commands with the privileges of the OpenClaw gateway service user, leading to unauthorized code execution and potential privilege escalation.
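As an added illustration of the missing check described above (example code, not OpenClaw's own implementation; the function names, the config.env.vars-style object and the constructed unit text are assumptions), this JavaScript renders Environment= lines only after rejecting CR/LF, and includes a helper that lists [Service] directives a generator was not expected to emit in an already-written unit:

```javascript
// Added example (not OpenClaw's code). Generates systemd Environment= lines
// from a config.env.vars-style object and refuses CR/LF, so a value can never
// terminate the Environment= line and start a new directive.

const CR_LF = /[\r\n]/;
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

// True when the value can be embedded in a single unit-file line.
function isSafeEnvValue(value) {
  return typeof value === 'string' && !CR_LF.test(value);
}

// Quote per systemd.syntax(7): double quotes, backslash-escape \ and ".
function quoteSystemdValue(value) {
  return '"' + value.replace(/\\/g, '\\\\').replace(/"/g, '\\"') + '"';
}

// Render Environment= lines; throws on an unsafe name or value instead of
// emitting a line that a newline could split into two directives.
function renderEnvironmentLines(envVars) {
  const lines = [];
  for (const [name, value] of Object.entries(envVars)) {
    if (!ENV_NAME.test(name)) {
      throw new Error(`invalid environment variable name: ${JSON.stringify(name)}`);
    }
    if (!isSafeEnvValue(value)) {
      throw new Error(`environment variable ${name} contains CR/LF or is not a string`);
    }
    lines.push(`Environment=${name}=${quoteSystemdValue(value)}`);
  }
  return lines;
}

// Audit helper for units written by an unpatched version: return directive
// names in the [Service] section that are not in the expected set.
function unexpectedServiceDirectives(unitText, expectedKeys) {
  const unexpected = new Set();
  let section = '';
  for (const raw of unitText.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith('#') || line.startsWith(';')) continue;
    if (line.startsWith('[')) { section = line; continue; }
    const key = line.includes('=') ? line.slice(0, line.indexOf('=')).trim() : line;
    if (section === '[Service]' && !expectedKeys.has(key)) unexpected.add(key);
  }
  return [...unexpected];
}
```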

Affected Systems

The affected product is OpenClaw from the vendor openclaw:openclaw. Affected releases include versions 2026.2.19-2 through any build prior to 2026.2.21. The Common Platform Enumeration strings indicate the vulnerable package name (openclaw) and the affected version range.

Risk and Exploitability

The CVSS score of 6.9 indicates a medium severity vulnerability. The EPSS score is reported as less than 1%, suggesting a low exploitation probability at present. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector requires the ability to modify config.env.vars and trigger a service install or restart, implying a local or privileged attacker context. Once those conditions are met, the attacker can inject new systemd directives to execute arbitrary commands. No widely known public exploit has been documented; mitigation is strongly recommended.

Generated by OpenCVE AI on March 17, 2026 at 16:01 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update OpenClaw to version 2026.2.21 or later
  • Verify that the values under config.env.vars contain only validated, safe values (in particular, no carriage return or line feed characters)
  • If an update is not immediately possible, temporarily stop the OpenClaw gateway service until the vulnerability can be patched

Generated by OpenCVE AI on March 17, 2026 at 16:01 UTC.


Advisories

  • Source: Github GHSA
    ID: GHSA-vffc-f7r7-rx2w
    Title: OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux)
History

Mon, 16 Mar 2026 18:00:00 +0000

  • CPEs, values added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

Thu, 12 Mar 2026 15:15:00 +0000

  • Metrics, values added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 11 Mar 2026 13:45:00 +0000

  • Description, values added: OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.
  • Title, values added: OpenClaw 2026.2.19-2 < 2026.2.21 - Command Injection via Newline in systemd Unit Generation
  • First Time appeared, values added: Openclaw; Openclaw openclaw
  • Weaknesses, values added: CWE-77
  • CPEs, values added: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:*:*:*; cpe:2.3:a:openclaw:openclaw:2026.2.21:*:*:*:*:*:*:*
  • Vendors & Products, values added: Openclaw; Openclaw openclaw
  • References: (no values shown)
  • Metrics, values added: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H'}; cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-11T14:35:38.033Z

Reserved: 2026-03-10T19:52:03.795Z

Link: CVE-2026-32063

Vulnrichment

Updated: 2026-03-11T14:35:28.131Z

NVD

Status: Analyzed

Published: 2026-03-11T14:16:28.580

Modified: 2026-03-16T17:52:56.700

Link: CVE-2026-32063

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-20T14:37:13Z

Weaknesses