CVE-2026-32063: OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux)
(updated )
A command injection vulnerability exists in OpenClaw’s Linux systemd unit generation path.
When rendering Environment= entries, attacker-controlled values are not rejected for CR/LF, and systemdEscapeArg() uses an incorrect whitespace-matching regex. This allows newline injection to break out of an Environment= line and inject standalone systemd directives (for example, ExecStartPre=). On service restart, the injected command is executed, resulting in local arbitrary command execution (local RCE) under the gateway service user.
References
- github.com/advisories/GHSA-vffc-f7r7-rx2w
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84
- github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w
- nvd.nist.gov/vuln/detail/CVE-2026-32063
- www.vulncheck.com/advisories/openclaw-command-injection-via-newline-in-systemd-unit-generation
Code Behaviors & Features
Detect and mitigate CVE-2026-32063 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →