OS Command Injection in OpenClaw - CVE-2026-22176

Published: May 1, 2026


Vulnerability identifier: #VU128848
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-22176
CWE-ID: CWE-78
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software: OpenClaw

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary commands.

The vulnerability exists due to insufficient sanitization of config-provided environment variable values when src/daemon/schtasks.ts generates gateway.cmd for Windows Scheduled Task installation. A remote user who can supply environment variable values containing shell metacharacters can cause arbitrary commands to be executed when the generated gateway.cmd runs.

Exploitation requires the attacker to influence environment values before gateway install or reinstall on Windows.
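The defensive check the description implies, as an added example that is not OpenClaw's code: before any config-provided environment variable is written into a generated batch file, its name and value are validated against an allow-list and the whole generation is refused on the first failure. The function and variable names, the `set "NAME=value"` rendering and the sample inputs are assumptions constructed for this illustration.

```typescript
// Added example (not OpenClaw's code): strict validation of environment
// variable names and values before they are rendered into a generated
// gateway.cmd. Rejecting bad input is preferred over escaping, because
// cmd.exe quoting rules are inconsistent across contexts.

// cmd.exe metacharacters and control characters that must never reach a
// generated batch file. '%' and '!' are included because they trigger
// variable expansion at parse time even inside double quotes.
const CMD_META = /[&|<>^%!"\r\n\0]/;
// Environment variable names: letters, digits and underscore only.
const ENV_NAME = /^[A-Za-z_][A-Za-z0-9_]*$/;

interface EnvCheck {
  ok: boolean;
  reason?: string;
}

function checkEnvVar(name: string, value: string): EnvCheck {
  if (!ENV_NAME.test(name)) {
    return { ok: false, reason: `invalid variable name: ${JSON.stringify(name)}` };
  }
  if (CMD_META.test(value)) {
    return { ok: false, reason: `shell metacharacter in value of ${name}` };
  }
  return { ok: true };
}

// Build the `set` lines of a gateway.cmd from a config-provided env map.
// Any single failing entry aborts generation so no partial file is written.
function renderSetLines(env: Record<string, string>): string[] {
  const lines: string[] = [];
  for (const [name, value] of Object.entries(env)) {
    const check = checkEnvVar(name, value);
    if (!check.ok) {
      throw new Error(`refusing to generate gateway.cmd: ${check.reason}`);
    }
    lines.push(`set "${name}=${value}"`);
  }
  return lines;
}

// Constructed sample inputs (hypothetical variable names): a benign config
// and one whose value carries a cmd.exe command separator.
const benignEnv: Record<string, string> = { OPENCLAW_PORT: "8080", LOG_LEVEL: "info" };
const hostileEnv: Record<string, string> = { OPENCLAW_PORT: "8080 & echo injected" };

console.log(renderSetLines(benignEnv).join("\n"));
console.log(checkEnvVar("OPENCLAW_PORT", hostileEnv.OPENCLAW_PORT).reason);
```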


How to mitigate CVE-2026-22176

Install security update from vendor's website.

Sources