CVE-2026-31994 Overview
CVE-2026-31994 is a local command injection vulnerability affecting OpenClaw versions prior to 2026.2.19. The vulnerability exists in the Windows scheduled task script generation functionality due to unsafe handling of cmd metacharacters and expansion-sensitive characters in gateway.cmd files. Local attackers with control over service script generation arguments can inject arbitrary commands by providing metacharacter-only values or CR/LF sequences that execute unintended code in the scheduled task context.
Critical Impact
Local attackers can achieve arbitrary command execution within the Windows scheduled task context, potentially leading to system compromise, privilege escalation, or persistent access on affected Windows systems running vulnerable OpenClaw versions.
Affected Products
- OpenClaw versions prior to 2026.2.19 (Node.js package)
- Microsoft Windows (as the target operating system)
Discovery Timeline
- 2026-03-19 - CVE-2026-31994 published to NVD
- 2026-03-19 - Last updated in NVD database
Technical Details for CVE-2026-31994
Vulnerability Analysis
This vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command), commonly known as OS Command Injection. The flaw resides in the schtasks.ts daemon component responsible for generating Windows scheduled task scripts.
The core issue stems from inadequate input sanitization when constructing command-line arguments for Windows batch scripts. The original quoteCmdArg function failed to properly handle several categories of dangerous characters:
- CR/LF Sequences: Carriage return (\r) and line feed (\n) characters could be injected to break out of the intended command context and inject new commands on separate lines
- CMD Metacharacters: Special characters like %, !, &, |, <, >, ^, (, and ) were not properly escaped, allowing command chaining and redirection
- Empty Values: Metacharacter-only inputs could result in empty quoted strings that alter command parsing behavior
Root Cause
The root cause is insufficient input validation and improper escaping of user-controlled input when generating Windows CMD script content. The original quoteCmdArg function only handled spaces, tabs, and double quotes, leaving critical CMD metacharacters and line break sequences unescaped. This allowed attackers who could influence script generation arguments to inject arbitrary commands into the generated scheduled task scripts.
Attack Vector
This is a local attack vector: the attacker needs local access to the system and the ability to control arguments passed to the service script generation functionality. Exploitation does not require user interaction, but it does require low (non-administrative) privileges on the target system.
An attacker could craft malicious input containing:
- CR/LF sequences to inject new command lines
- CMD metacharacters (&, |, etc.) for command chaining
- Environment variable expansion characters (%, !) for variable manipulation
When the vulnerable scheduled task script is executed by Windows Task Scheduler, the injected commands run in the security context of the scheduled task.
// Security patch in src/daemon/schtasks.ts - fix(daemon): harden windows schtasks script quoting
return path.join(stateDir, scriptName);
}
-function quoteCmdArg(value: string): string {
+function assertNoCmdLineBreak(value: string, field: string): void {
+ if (/[\r\n]/.test(value)) {
+ throw new Error(`${field} cannot contain CR or LF in Windows task scripts.`);
+ }
+}
+
+function quoteSchtasksArg(value: string): string {
if (!/[ \t"]/g.test(value)) {
return value;
}
return `"${value.replace(/"/g, '\\"')}"`;
}
+function quoteCmdScriptArg(value: string): string {
+ assertNoCmdLineBreak(value, "Command argument");
+ if (!value) {
+ return '""';
+ }
+ const escaped = value.replace(/"/g, '\\"').replace(/%/g, "%%").replace(/!/g, "^!");
+ if (!/[ \t"&|<>^()%!]/g.test(value)) {
+ return escaped;
+ }
+ return `"${escaped}"`;
+}
+
+function unescapeCmdScriptArg(value: string): string {
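Review bot: in quoteCmdScriptArg the embedded double quote is escaped as `\"`, but cmd.exe does not treat backslash as an escape character, so when the generated script line is parsed by cmd the `"` still toggles quote mode and any metacharacter that follows an embedded quote in the value is interpreted even though the whole value is wrapped in quotes. Since the hunk already rejects CR/LF outright via assertNoCmdLineBreak, the simplest fix is to reject `"` in cmd-script arguments the same way (or caret-escape every cmd metacharacter instead of relying on the outer quotes), and to add a unit test for a value containing `"` followed by `&`. Minor: the `g` flag on the regex literals used with `.test()` (`/[ \t"]/g`, `/[ \t"&|<>^()%!]/g`) is unnecessary; a global regex carries lastIndex state across `.test()` calls, and while a fresh literal per call makes it harmless here, dropping `g` avoids the trap if the regex is ever hoisted to a constant.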
Source: GitHub Commit
Detection Methods for CVE-2026-31994
Indicators of Compromise
- Presence of gateway.cmd files containing unexpected command sequences or multiple command separators (&, |, &&, ||)
- Scheduled task scripts with embedded CR/LF characters or unusual line structures
- Windows Task Scheduler logs showing unexpected command executions originating from OpenClaw-related tasks
- Suspicious process spawning from scheduled task contexts that deviate from expected OpenClaw behavior
Detection Strategies
- Monitor Windows Task Scheduler for tasks associated with OpenClaw that execute unexpected commands or spawn child processes
- Implement file integrity monitoring on gateway.cmd and related scheduled task script files for unauthorized modifications
- Deploy endpoint detection rules to identify command injection patterns in CMD script arguments, particularly sequences containing %, !, &, |, or CR/LF characters
- Review OpenClaw service logs for errors related to argument parsing or script generation failures
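As an added example (not OpenClaw project code), the following TypeScript auditor applies the indicators and detection strategies above to the text of a generated script: it splits each line at unquoted cmd separators, flags lines carrying more than one command, reports stray carriage returns, and compares the line count with the number the generator is expected to write. The sample scripts and the expected line count are constructed for the example.

```typescript
// Added example, not OpenClaw project code: audits gateway.cmd-style script
// text for the indicators above (chained commands, stray CR, extra lines).
type Finding = { line: number; reason: string; text: string }; // line 0 = whole script

// Split one cmd line into commands at unquoted &, &&, |, ||. cmd.exe toggles quote
// mode on each '"' (backslash is not an escape); '^' escapes only outside quotes.
function splitCmdCommands(line: string): string[] {
  const parts: string[] = [];
  let cur = "";
  let quoted = false;
  for (let i = 0; i < line.length; i++) {
    const ch = line.charAt(i);
    if (ch === '"') {
      quoted = !quoted;
      cur += ch;
    } else if (!quoted && ch === "^" && i + 1 < line.length) {
      cur += line.charAt(++i); // escaped character is kept literally
    } else if (!quoted && (ch === "&" || ch === "|")) {
      parts.push(cur.trim());
      cur = "";
      if (line.charAt(i + 1) === ch) i++; // second half of && or ||
    } else cur += ch;
  }
  parts.push(cur.trim());
  return parts.filter((p) => p.length > 0);
}

// expectedLines: non-empty lines the generator normally writes (an assumption
// for this example; take it from a known-good script on the host).
function auditCmdScript(content: string, expectedLines: number): Finding[] {
  const findings: Finding[] = [];
  const lines = content.split(/\r?\n/);
  const nonEmpty = lines.filter((l) => l.trim().length > 0).length;
  if (nonEmpty > expectedLines) {
    findings.push({ line: 0, reason: `${nonEmpty} lines, expected ${expectedLines}`, text: "" });
  }
  lines.forEach((text, idx) => {
    if (text.includes("\r")) findings.push({ line: idx + 1, reason: "stray CR", text });
    const n = splitCmdCommands(text).length;
    if (n > 1) findings.push({ line: idx + 1, reason: `${n} chained commands`, text });
  });
  return findings;
}

// Constructed sample scripts, not real OpenClaw output.
const CLEAN_SCRIPT =
  '@echo off\r\n"C:\\nodejs\\node.exe" "C:\\openclaw\\gateway.js" --name "gw one"\r\n';
const TAMPERED_SCRIPT =
  '@echo off\r\n"C:\\nodejs\\node.exe" "C:\\openclaw\\gateway.js" --name "gw" & echo injected\r\necho extra\r\n';
```

Run it over the contents of each gateway.cmd found on a host; a clean script yields no findings, while a script with an extra line or a chained command is reported with the line number.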
Monitoring Recommendations
- Enable Windows Process Creation auditing (Event ID 4688) with command-line logging to capture scheduled task executions
- Configure SentinelOne Singularity to monitor for suspicious command chaining patterns in scheduled task contexts
- Implement behavioral detection for processes spawned by Task Scheduler that attempt to execute reconnaissance or post-exploitation commands
- Audit and inventory all OpenClaw installations to identify systems running vulnerable versions prior to 2026.2.19
How to Mitigate CVE-2026-31994
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.19 or later immediately on all affected Windows systems
- Audit existing scheduled tasks created by OpenClaw for signs of tampering or injected commands
- Review and regenerate any gateway.cmd files created by vulnerable OpenClaw versions
- Restrict local access to systems running OpenClaw to minimize the attack surface for local privilege escalation
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.19. The fix introduces comprehensive input validation through the assertNoCmdLineBreak function that explicitly rejects CR/LF characters, and the new quoteCmdScriptArg function properly escapes CMD metacharacters including %, !, and other shell-sensitive characters.
Patch details are available in the GitHub Commit and the GitHub Security Advisory.
Workarounds
- If immediate patching is not possible, restrict local user access to systems running vulnerable OpenClaw versions
- Implement strict input validation at the application layer before passing arguments to OpenClaw service script generation
- Monitor and restrict permissions on directories where scheduled task scripts are generated
- Consider temporarily disabling OpenClaw scheduled task functionality until the patch can be applied
# Verify the installed OpenClaw version and upgrade to the fixed release
npm list openclaw
npm install openclaw@2026.2.19
# Audit existing scheduled tasks for suspicious content (cmd.exe)
schtasks /query /fo LIST /v | findstr /i "openclaw"
# Locate gateway.cmd files below the current directory for manual review (cmd.exe)
dir /s /b "gateway.cmd" 2>nul
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

