PT-2026-27239 · Openclaw · Openclaw

Tdjackey · Published 2026-03-23 · Updated 2026-03-24 · CVE-2026-32907

CVSS v3.1: 7.8 High

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.2.19

Description

The software contains a local command injection issue in the Windows scheduled task script generation. An attacker can execute arbitrary commands by injecting cmd metacharacters into arguments of the gateway.cmd script. An attacker who controls the service script generation values can inject unescaped metacharacters or expansion-sensitive characters to achieve unintended command execution within the scheduled task context.

Recommendations

Update to version 2026.2.19 or later.
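
For teams that generate .cmd scripts from configuration values, the sketch below shows one defensive pattern for the class of bug described above: reject values containing cmd metacharacters or expansion-sensitive characters before they are written into a script line. It is an added example, not OpenClaw's code or its actual fix; every function name and sample value is hypothetical.

```javascript
// Added example: not OpenClaw code. All names and sample values are hypothetical.
// Characters that stay dangerous in a generated .cmd line:
//   & | < > ^   separators, redirection, escape (literal only inside quotes)
//   %           variable expansion, which happens even inside quotes
//   !           delayed expansion, when it is enabled
//   "           ends the quoted region, exposing everything after it
//   CR LF NUL   end or truncate the line
const CMD_UNSAFE = /[&|<>^%!"\r\n\0]/g;

// Distinct unsafe characters in one value; empty array when the value is clean.
function findUnsafeCmdChars(value) {
  return [...new Set(String(value).match(CMD_UNSAFE) || [])];
}

// Report every named value that must not reach the script generator.
function auditValues(values) {
  return Object.entries(values)
    .map(([name, value]) => ({ name, chars: findUnsafeCmdChars(value) }))
    .filter((finding) => finding.chars.length > 0);
}

// Quote one argument, refusing unsafe input instead of trying to escape it.
function quoteCmdArg(value) {
  const text = String(value);
  const bad = findUnsafeCmdChars(text);
  if (bad.length > 0) {
    throw new Error(`unsafe cmd characters ${JSON.stringify(bad)} in argument`);
  }
  // A trailing backslash would escape the closing quote for the child
  // process's argument parser, so trailing backslashes are doubled.
  return `"${text.replace(/(\\+)$/, "$1$1")}"`;
}

// Build one script line from a program path and its arguments.
function renderScriptLine(program, args) {
  return [program, ...args].map(quoteCmdArg).join(" ");
}

// Constructed sample values, not taken from any real configuration.
const sample = {
  port: "18789",
  stateDir: "C:\\state dir\\",
  label: "gateway & echo injected",
  profile: "%USERPROFILE%",
};
console.log(auditValues(sample));
console.log(renderScriptLine("C:\\Program Files\\node\\node.exe", ["--port", sample.port]));
```

Rejecting is deliberate: cmd.exe expands `%` before it processes quotes, so quoting alone does not neutralise every value.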

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers: CVE-2026-32907

Affected Products: Openclaw