CVE-2026-31994

EPSS 0.05%

OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling

發布日:2026/3/3修改日:2026/3/19

描述

### Summary OpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated `gateway.cmd` files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task runs. ### Details The issue affected Windows daemon startup script generation in `src/daemon/schtasks.ts`. Vulnerable behavior included: - Incomplete cmd argument quoting for metacharacter-only values. - Incomplete handling of cmd expansion-sensitive characters in script arguments. - Missing CR/LF guards for script-rendered fields. The fix hardens Windows script generation by: - Separating schtasks argument quoting from batch script argument quoting. - Quoting cmd metacharacter arguments and escaping `%` / `!` expansion cases. - Rejecting CR/LF in command arguments, task descriptions, and rendered environment assignments. - Adding regression tests for metacharacter and line-break injection paths. ### Impact This issue is local to Windows deployments and requires control over values that feed service script generation (for example install-time/runtime arguments or environment-derived values). It can result in unintended command execution in the scheduled task context. ### Affected Packages / Versions - Package: `openclaw` (npm) - Vulnerable versions: `<= 2026.2.17` - Patched version: `>= 2026.2.19` (planned next npm release) - Latest published npm version at update time (2026-02-19): `2026.2.17` ### Fix Commit(s) - `280c6b117b2f0e24f398e5219048cd4cc3b82396` OpenClaw thanks @tdjackey for reporting.

受影響套件(1)

CVSS 分數

來源版本嚴重程度向量
osvCVSS 4.0CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

參考連結(5)