CVE-2026-32063
Received Received - Intake
Command Injection in OpenClaw systemd Unit File Generation

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: VulnCheck

Description
OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-11
Last Modified
2026-03-16
Generated
2026-06-16
AI Q&A
2026-03-11
EPSS Evaluated
2026-06-14
NVD
CVE-2026-32063
EUVD
EUVD-2026-11156
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.2.21 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32063 is a local command injection vulnerability in OpenClaw versions prior to 2026.2.21. It occurs during the generation of systemd unit files where environment variable values are not properly validated for carriage return (CR) and line feed (LF) characters. This lack of validation allows an attacker who can influence environment variables to inject newline characters, breaking out of the intended Environment= lines and inserting arbitrary systemd directives.

Because systemd parses unit files line-by-line, the injected directives can be executed when the service is restarted, enabling the attacker to run arbitrary commands with the privileges of the OpenClaw gateway service user.

The root cause is improper neutralization of special characters in environment variables and incorrect escaping logic in the code responsible for rendering these unit files.

Impact Analysis

[{'type': 'paragraph', 'content': 'This vulnerability allows a local attacker who can modify OpenClaw environment variables and trigger a service reinstall or restart to execute arbitrary commands on the affected system.'}, {'type': 'paragraph', 'content': "The commands run with the privileges of the OpenClaw gateway service user, which could lead to unauthorized actions such as creating files, modifying system configurations, or escalating privileges depending on the service user's permissions."}, {'type': 'paragraph', 'content': 'Successful exploitation could compromise the integrity and availability of the system running OpenClaw, potentially leading to further attacks or system disruption.'}] [1]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your system is running a vulnerable version of OpenClaw (versions prior to 2026.2.21) and by inspecting the environment variables used in systemd unit files for the presence of carriage return (CR) or line feed (LF) characters that could allow newline injection.'}, {'type': 'paragraph', 'content': 'You can look for suspicious environment variable entries in the OpenClaw systemd unit files that contain unexpected newline characters or injected systemd directives such as ExecStartPre=.'}, {'type': 'paragraph', 'content': 'Suggested commands to help detect exploitation or presence of this vulnerability include:'}, {'type': 'list_item', 'content': 'Check the OpenClaw version installed: `openclaw --version` or check package version.'}, {'type': 'list_item', 'content': 'Inspect the systemd user service unit files for injected directives or suspicious environment variables, for example: `systemctl --user cat openclaw.service`'}, {'type': 'list_item', 'content': 'Search for suspicious files created by potential injected commands, e.g., `ls -l /tmp/oc15789_rce` (as per example injection).'}, {'type': 'list_item', 'content': "Check environment variable configurations for CR/LF characters by dumping environment variables related to OpenClaw and searching for newline characters, e.g.: `grep -P '\\r|\\n' /path/to/config.env.vars` or similar."}, {'type': 'list_item', 'content': 'Monitor systemd user service restart logs for unusual activity or errors related to unit file parsing.'}] [1]

Mitigation Strategies

Immediate mitigation steps include:

  • Upgrade OpenClaw to version 2026.2.21 or later, where the vulnerability has been fixed by enforcing validation against CR/LF characters in environment variables and improving argument escaping.
  • Avoid allowing untrusted users to modify or influence the OpenClaw environment variables configuration (`config.env.vars`).
  • If upgrading immediately is not possible, manually audit and sanitize environment variable values to ensure they do not contain carriage return or line feed characters before service installation or restart.
  • After applying fixes or sanitization, restart the OpenClaw systemd user service to ensure no injected directives are executed.
  • Review and restrict permissions on configuration files and service restart capabilities to limit attacker ability to trigger the vulnerability.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32063. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart