GHSA-vffc-f7r7-rx2w: OpenClaw Improperly Neutralizes Line Breaks in systemd Unit Generation Enables Local Command Execution (Linux)

March 3, 2026

A command injection vulnerability exists in OpenClaw’s Linux systemd unit generation path. When rendering Environment= entries, attacker-controlled values are not rejected for CR/LF, and systemdEscapeArg() uses an incorrect whitespace-matching regex. This allows newline injection to break out of an Environment= line and inject standalone systemd directives (for example, ExecStartPre=). On service restart, the injected command is executed, resulting in local arbitrary command execution (local RCE) under the gateway service user.

References

github.com/advisories/GHSA-vffc-f7r7-rx2w
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/61f646c41fb43cd87ed48f9125b4718a30d38e84
github.com/openclaw/openclaw/security/advisories/GHSA-vffc-f7r7-rx2w

Code Behaviors & Features

Detect and mitigate GHSA-vffc-f7r7-rx2w with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →