GHSA-mqr9-vqhq-3jxw: OpenClaw Windows Scheduled Task script generation allowed local command injection via unsafe cmd argument handling

March 3, 2026

OpenClaw Windows Scheduled Task script generation allowed unsafe argument handling in generated gateway.cmd files. In vulnerable versions, cmd metacharacter-only values could be emitted without safe quoting/escaping, which could lead to unintended command execution when the scheduled task runs.

References

github.com/advisories/GHSA-mqr9-vqhq-3jxw
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/280c6b117b2f0e24f398e5219048cd4cc3b82396
github.com/openclaw/openclaw/security/advisories/GHSA-mqr9-vqhq-3jxw

Code Behaviors & Features

Detect and mitigate GHSA-mqr9-vqhq-3jxw with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →