CVE-2026-32063
Command Injection in OpenClaw systemd Unit File Generation
Publication date: 2026-03-11
Last updated on: 2026-03-16
Assigner: VulnCheck
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | up to 2026.2.21 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-77 | The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32063 is a local command injection vulnerability in OpenClaw versions prior to 2026.2.21. It occurs during the generation of systemd unit files where environment variable values are not properly validated for carriage return (CR) and line feed (LF) characters. This lack of validation allows an attacker who can influence environment variables to inject newline characters, breaking out of the intended Environment= lines and inserting arbitrary systemd directives.
Because systemd parses unit files line-by-line, the injected directives can be executed when the service is restarted, enabling the attacker to run arbitrary commands with the privileges of the OpenClaw gateway service user.
The root cause is improper neutralization of special characters in environment variables and incorrect escaping logic in the code responsible for rendering these unit files.
How can this vulnerability impact me?
This vulnerability allows a local attacker who can modify OpenClaw environment variables and trigger a service reinstall or restart to execute arbitrary commands on the affected system.
The commands run with the privileges of the OpenClaw gateway service user, which could lead to unauthorized actions such as creating files, modifying system configurations, or escalating privileges depending on the service user's permissions.
Successful exploitation could compromise the integrity and availability of the system running OpenClaw, potentially leading to further attacks or system disruption. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking if your system is running a vulnerable version of OpenClaw (versions prior to 2026.2.21) and by inspecting the environment variables used in systemd unit files for the presence of carriage return (CR) or line feed (LF) characters that could allow newline injection.
You can look for suspicious environment variable entries in the OpenClaw systemd unit files that contain unexpected newline characters or injected systemd directives such as ExecStartPre=.
Suggested commands to help detect exploitation or presence of this vulnerability include:
- Check the OpenClaw version installed: `openclaw --version` or check package version.
- Inspect the systemd user service unit files for injected directives or suspicious environment variables, for example: `systemctl --user cat openclaw.service`
- Search for suspicious files created by potential injected commands, e.g., `ls -l /tmp/oc15789_rce` (as per example injection).
- Check environment variable configurations for CR/LF characters by dumping environment variables related to OpenClaw and searching for newline characters, e.g.: `grep -P '\r|\n' /path/to/config.env.vars` or similar.
- Monitor systemd user service restart logs for unusual activity or errors related to unit file parsing. [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include:
- Upgrade OpenClaw to version 2026.2.21 or later, where the vulnerability has been fixed by enforcing validation against CR/LF characters in environment variables and improving argument escaping.
- Avoid allowing untrusted users to modify or influence the OpenClaw environment variables configuration (`config.env.vars`).
- If upgrading immediately is not possible, manually audit and sanitize environment variable values to ensure they do not contain carriage return or line feed characters before service installation or restart.
- After applying fixes or sanitization, restart the OpenClaw systemd user service to ensure no injected directives are executed.
- Review and restrict permissions on configuration files and service restart capabilities to limit attacker ability to trigger the vulnerability.
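The following is an added example, not OpenClaw's own code, illustrating the two sides of the issue described above: a hardened renderer that refuses CR/LF (and other control characters) in environment variable values before writing `Environment=` lines, and a line-by-line checker in the spirit of `systemctl --user cat` that flags `[Service]` directives the generator never emits. The unit layout, the `EXPECTED_SERVICE_KEYS` set and the sample unit text are assumptions constructed for this example.

```python
import re

# Constructed example: hardened Environment= rendering plus a unit-file checker.
_CONTROL = re.compile(r"[\x00-\x1f\x7f]")          # CR, LF and other C0 controls
_NAME = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")     # POSIX-style variable names

def validate_env_value(name: str, value: str) -> str:
    """Reject names/values that could break out of a single Environment= line."""
    if not _NAME.match(name):
        raise ValueError(f"invalid environment variable name: {name!r}")
    if _CONTROL.search(value):
        raise ValueError(f"control character in value of {name}: {value!r}")
    return value

def quote_env_assignment(name: str, value: str) -> str:
    """Render NAME="value" with systemd quoting (escape backslash and quote)."""
    validate_env_value(name, value)
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return f'{name}="{escaped}"'

def render_unit(exec_start: str, env: dict) -> str:
    """Build a minimal user unit; each env entry becomes exactly one line."""
    lines = ["[Unit]", "Description=OpenClaw gateway (constructed example)", "",
             "[Service]", f"ExecStart={exec_start}"]
    lines += [f"Environment={quote_env_assignment(n, v)}" for n, v in env.items()]
    lines += ["", "[Install]", "WantedBy=default.target", ""]
    return "\n".join(lines)

# Keys the generator above writes in [Service]; anything else is unexpected
# (assumed set for this example; adapt to what your generator really emits).
EXPECTED_SERVICE_KEYS = {"ExecStart", "Environment"}

def find_unexpected_directives(unit_text: str) -> list:
    """Parse [Service] one directive per line, as systemd does, and return
    keys the generator never writes (e.g. an injected ExecStartPre)."""
    section, found = None, []
    for raw in unit_text.splitlines():          # splits on LF and CR alike
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key = line.split("=", 1)[0].strip()
        if section == "Service" and key not in EXPECTED_SERVICE_KEYS:
            found.append(key)
    return found

# Constructed sample of a unit whose Environment= line was split by a newline.
SAMPLE_INJECTED_UNIT = ("[Service]\nExecStart=/usr/bin/openclaw gateway\n"
                        "Environment=OPENCLAW_HOME=/srv/oc\nExecStartPre=/bin/true\n")
```

Running `find_unexpected_directives` over the output of `systemctl --user cat openclaw.service` gives a quick triage signal; a non-empty result on a generated unit warrants a look at `config.env.vars`.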