CVE-2026-22176 Overview
CVE-2026-22176 is a command injection vulnerability affecting OpenClaw versions prior to 2026.2.19. The vulnerability exists in the Windows Scheduled Task script generation functionality where environment variables are written to gateway.cmd using unquoted set KEY=VALUE assignments. This implementation flaw allows shell metacharacters to break out of the assignment context, enabling attackers to inject and execute arbitrary commands.
Attackers can exploit this vulnerability by crafting environment variable values containing Windows shell metacharacters such as &, |, ^, %, or !. When the scheduled task script is generated and subsequently executed, these metacharacters are interpreted by the Windows command processor, resulting in command execution beyond the intended scope of the environment variable assignment.
Critical Impact
Local attackers with low privileges can achieve arbitrary command execution through maliciously crafted environment variable values, potentially leading to system compromise, data manipulation, or further lateral movement within the affected environment.
Affected Products
- OpenClaw versions prior to 2026.2.19
- OpenClaw for Node.js (all platforms with Windows Scheduled Task functionality)
Discovery Timeline
- 2026-03-19 - CVE-2026-22176 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-22176
Vulnerability Analysis
This command injection vulnerability (CWE-78) stems from improper handling of environment variable values during Windows Scheduled Task script generation. The OpenClaw daemon creates .cmd batch files for scheduled task execution, writing environment variables using simple set KEY=VALUE syntax without proper escaping or quoting of the values.
In Windows batch scripting, certain metacharacters have special meaning and can alter command flow. When user-controlled data containing these characters is written directly into a .cmd file without sanitization, the command processor interprets them during execution. For example, an ampersand (&) allows command chaining, a pipe (|) enables command piping, and the caret (^) serves as an escape character that can be weaponized for injection.
The attack requires local access with low privileges, as the attacker must be able to influence the environment variable values that OpenClaw uses during script generation. However, no user interaction is required once the malicious values are in place—the scheduled task will execute the injected commands automatically when triggered.
Root Cause
The root cause is the use of unquoted set KEY=VALUE assignments when writing environment variables to the gateway.cmd scheduled task script. The vulnerable code path in src/daemon/schtasks.ts failed to escape or properly quote environment variable values before writing them to the batch file, allowing metacharacters to break out of the assignment context and execute arbitrary commands.
Attack Vector
The attack vector is local, requiring an attacker with low-level privileges to set or influence environment variable values that will be processed by OpenClaw's scheduled task generation functionality. The attacker crafts environment variable values containing shell metacharacters that, when written to the .cmd file and executed, perform unintended actions.
For example, an environment variable value like normalvalue & whoami > C:\temp\output.txt would cause the whoami command to execute and write its output to a file when the scheduled task runs.
import fs from "node:fs/promises";
import path from "node:path";
-import { splitArgsPreservingQuotes } from "./arg-split.js";
-import { resolveGatewayServiceDescription, resolveGatewayWindowsTaskName } from "./constants.js";
-import { formatLine, writeFormattedLines } from "./output.js";
-import { resolveGatewayStateDir } from "./paths.js";
-import { parseKeyValueOutput } from "./runtime-parse.js";
-import { execSchtasks } from "./schtasks-exec.js";
import type { GatewayServiceRuntime } from "./service-runtime.js";
import type {
GatewayServiceCommandConfig,
Source: GitHub Commit Update
Detection Methods for CVE-2026-22176
Indicators of Compromise
- Unexpected content in gateway.cmd files containing shell metacharacters (&, |, ^, %, !) in environment variable assignments
- Scheduled task execution logs showing commands beyond expected OpenClaw operations
- Suspicious process creation events originating from OpenClaw scheduled task scripts
- Modified or newly created files in unexpected locations following scheduled task execution
Detection Strategies
- Monitor Windows Scheduled Task creation and modification events for tasks associated with OpenClaw
- Implement file integrity monitoring on .cmd files generated by OpenClaw in the gateway state directory
- Analyze Windows Event Logs for process creation events (Event ID 4688) where the parent process is a scheduled task and the command line contains unexpected metacharacters
- Deploy endpoint detection rules to identify batch file execution with command chaining or piping patterns
Monitoring Recommendations
- Enable and collect Windows Security Event logs with command-line process creation auditing
- Configure SentinelOne behavioral AI to detect anomalous command execution patterns from scheduled tasks
- Establish baseline of normal OpenClaw scheduled task behavior and alert on deviations
- Monitor environment variable modifications on systems running OpenClaw
How to Mitigate CVE-2026-22176
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.19 or later, which includes the security fix for proper environment variable escaping
- Review existing OpenClaw installations for any .cmd files containing suspicious content
- Audit environment variables on systems running OpenClaw for unexpected metacharacters
- Temporarily disable OpenClaw scheduled tasks until patching is complete if exploitation is suspected
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.19. The fix modifies the src/daemon/schtasks.ts file to properly escape environment variable values before writing them to the scheduled task batch files. The security patch is available via the GitHub Commit Update. Additional details are available in the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, restrict access to OpenClaw configuration and environment variable settings to trusted administrators only
- Implement strict input validation at the application layer for any values that could become environment variables
- Use Windows Group Policy to restrict scheduled task creation and modification permissions
- Monitor and audit all scheduled task scripts before execution using file integrity monitoring solutions
# Verify OpenClaw version and check for vulnerable installations
npm list openclaw
# Update OpenClaw to the patched version
npm update openclaw@2026.2.19
# Review generated scheduled task scripts for suspicious content
findstr /R /C:"[&|^%!]" C:\path\to\openclaw\gateway.cmd
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
