PT-2026-26234 · Openclaw · Openclaw

Tdjackey · Published 2026-02-19 · Updated 2026-03-20 · CVE-2026-31994

CVSS v4.0: 8.5 (High)
Vector: AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.19

Description: OpenClaw's Windows scheduled task script generation has a local command injection issue caused by unsafe handling of cmd metacharacters and expansion-sensitive characters in generated gateway.cmd files. A local attacker who controls the arguments passed to service script generation can inject arbitrary commands by supplying metacharacter-only values or CR/LF sequences, which leads to unintended code execution in the scheduled task's context. The root cause is incomplete quoting of cmd arguments, mishandling of expansion-sensitive characters, and the absence of CR/LF guards in the script generation code, specifically in src/daemon/schtasks.ts. The fix separates schtasks argument quoting, quotes arguments containing cmd metacharacters, escapes expansion-sensitive cases, rejects CR/LF characters in arguments and descriptions, and adds regression tests.

Recommendations: OpenClaw versions prior to 2026.2.19 should be updated to version 2026.2.19 or later.

Fix

Weakness Enumeration

OS Command Injection
Improper Encoding or Escaping of Output

Related Identifiers

BDU:2026-05008
CVE-2026-31994
GHSA-5GQG-MQH5-2V39
GHSA-MQR9-VQHQ-3JXW

Affected Products

Openclaw