PT-2026-24673 · Git+2 · Openclaw
Tdjackey · Published 2026-03-03 · Updated 2026-03-16 · CVE-2026-32063
CVSS v4.0: 8.6 (High)
Vector: AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions 2026.2.19-2 through 2026.2.21

Description: OpenClaw contains a command injection issue in the systemd unit file generation process. Attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection. An injected newline breaks out of an Environment= line and introduces arbitrary systemd directives into the generated unit. An attacker who can influence the config.env.vars file and trigger a service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user. The issue stems from insufficient validation of environment keys and values before unit lines are written, and from an incorrect whitespace-matching regex in systemdEscapeArg(). The vulnerable code resides in src/daemon/systemd-unit.ts, src/commands/daemon-install-helpers.ts, src/config/env-vars.ts, and src/config/zod-schema.ts. The vulnerability is triggered when an attacker can control config.env.vars, invoke the install/reinstall path, and restart the service using systemctl --user restart. The Environment= parameter is vulnerable, and the systemdEscapeArg() function is involved in the exploitation chain.

Recommendations: OpenClaw versions 2026.2.19-2 through 2026.2.21 should be updated to version 2026.2.21 or later.
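The control-character check the advisory describes as missing, as an added defensive example written for this page (not OpenClaw's own code from src/daemon/systemd-unit.ts; the function names, the key pattern and the quoting rules are assumptions): values are rejected if they contain CR, LF or any other control character before being rendered into Environment= lines, and the whitespace-driven quoting step runs only after that check, so a quoting regex that overlooks newlines is never the only barrier.

```typescript
// Added example, not OpenClaw's code: validate config.env.vars entries before
// they are rendered into systemd Environment= lines.

// Assumed key pattern: shell-style identifiers only.
const KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Returns null when the entry is safe to render, otherwise an error message.
function validateEnvEntry(key: string, value: string): string | null {
  if (!KEY_RE.test(key)) {
    return `invalid environment key: ${JSON.stringify(key)}`;
  }
  // CR, LF and every other C0 control character (plus DEL) are rejected:
  // a line break inside the value would start a new unit-file directive.
  if (/[\u0000-\u001f\u007f]/.test(value)) {
    return `environment value for ${key} contains a control character`;
  }
  return null;
}

// Quote a value for Environment= (assumed rules: double quotes, with backslash
// and double quote escaped). Uses \s so tabs and newlines also count as
// whitespace, but relies on validateEnvEntry() having run first.
function systemdQuote(value: string): string {
  if (value === "" || /[\s"'\\]/.test(value)) {
    return `"${value.replace(/\\/g, "\\\\").replace(/"/g, '\\"')}"`;
  }
  return value;
}

// Render all entries, refusing the whole unit if any entry fails validation.
function renderEnvironmentLines(vars: Record<string, string>): string[] {
  const lines: string[] = [];
  for (const [key, value] of Object.entries(vars)) {
    const err = validateEnvEntry(key, value);
    if (err !== null) {
      throw new Error(err);
    }
    lines.push(`Environment=${key}=${systemdQuote(value)}`);
  }
  return lines;
}

// Constructed sample input for a stand-alone run.
console.log(renderEnvironmentLines({ OPENCLAW_PORT: "8080", OPENCLAW_OPTS: "a b" }));
```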

Weakness Enumeration: Command Injection

Related Identifiers: CVE-2026-32063, GHSA-VFFC-F7R7-RX2W

Affected Products: Openclaw