PT-2026-27239 · Openclaw · Openclaw

Tdjackey · Published 2026-03-23 · Updated 2026-03-23 · CVE-2026-32907

CVSS v3.1: 7.8 High (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)

OpenClaw before 2026.2.19 contains a local command injection vulnerability in Windows scheduled task script generation that allows attackers to execute arbitrary commands by injecting cmd metacharacters into unsafe gateway.cmd arguments. Attackers with control over service script generation values can inject unescaped metacharacters or expansion-sensitive characters to achieve unintended command execution in the scheduled task context.

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-32907

Affected Products: Openclaw