Cyber Posture

CVE-2026-32063

Severity: High · Public PoC referenced
Published: 11 March 2026
Modified: 16 March 2026
KEV Added: not listed
Patch: available (fix commit listed under Deeper analysis)
CVSS Score: 7.1 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H)
EPSS Score: 0.0011 (28.5th percentile)
Risk Priority: 14 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32063 is a high-severity Command Injection (CWE-77) vulnerability in OpenClaw (vendor: OpenClaw). Its CVSS v3.1 base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). EPSS ranks it at the 28.5th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced. Note that the EPSS score is low despite the public PoC: the attack requires local, low-privileged access (AV:L, PR:L), so exposure on a given host depends on who can write the OpenClaw configuration there.

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploitation for Privilege Escalation (T1068) and two other techniques, listed below.

Threat & Defense Details

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
  Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1543.002 Systemd Service (tactic: Persistence)
  Adversaries may create or modify systemd services to repeatedly execute malicious payloads as part of persistence.
T1059.004 Unix Shell (tactic: Execution)
  Adversaries may abuse Unix shell commands and scripts for execution.

Why these techniques?

Local command injection via CR/LF in systemd unit generation enables privilege escalation (T1068): the injected newline ends the Environment= line early, so the attacker can append arbitrary directives to the service unit (T1543.002), and directives that run commands give shell execution (T1059.004) as the service user.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

OpenClaw version 2026.2.19-2 prior to 2026.2.21 contains a command injection vulnerability in systemd unit file generation where attacker-controlled environment values are not validated for CR/LF characters, allowing newline injection to break out of Environment= lines and inject arbitrary systemd directives. An attacker who can influence config.env.vars and trigger service install or restart can execute arbitrary commands with the privileges of the OpenClaw gateway service user.

Deeper analysis (AI-generated)

CVE-2026-32063 is a command injection vulnerability in OpenClaw versions 2026.2.19-2 prior to 2026.2.21, specifically affecting the systemd unit file generation process. The flaw arises because attacker-controlled environment values from config.env.vars are not validated for CR/LF characters, enabling newline injection. This lets an attacker break out of Environment= lines in the generated systemd unit file and inject arbitrary systemd directives. The issue is classified under CWE-77 with a CVSS v3.1 base score of 7.1 (AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H).

An attacker needs local access with low privileges (PR:L) to exploit this vulnerability. By influencing config.env.vars and triggering a service install or restart, the attacker can execute arbitrary commands with the privileges of the OpenClaw gateway service user, which the vector scores as high integrity and availability impact (C:N/I:H/A:H).

Advisories and the referenced patch commit recommend upgrading to OpenClaw version 2026.2.21 or later; the fix is implemented in GitHub commit 61f646c41fb43cd87ed48f9125b4718a30d38e84. Additional details are available in GitHub Security Advisory GHSA-vffc-f7r7-rx2w and the VulnCheck advisory on the issue. Note that the upgrade fixes the generator, not units already on disk: a unit file that was written from a hostile configuration before the upgrade keeps its injected directives until the service is reinstalled, so review the installed OpenClaw gateway unit (for example with systemctl cat) for directives the generator would not normally emit.
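The generation flaw described above and a hardened replacement, as an added example that is not OpenClaw's code: this page does not show the project's actual generator, so the function names, environment variable names and unit layout below are hypothetical, and JavaScript is assumed as a fit for a Node-based project. The sample config.env.vars values are constructed. The vulnerable renderer interpolates values verbatim; the hardened one rejects control characters (CR/LF included), validates the key, and escapes the two characters systemd treats specially inside a double-quoted Environment= token. A small directive lister shows what systemd would be told to do in each case and doubles as an audit helper for a unit already on disk.

```javascript
// Added example, not OpenClaw's code. Shows how a CR/LF in a config.env.vars
// value turns one Environment= line into extra systemd directives, and a
// hardened renderer that refuses such values. All names are hypothetical.

// Constructed config.env.vars as a local, low-privileged attacker who can
// edit the OpenClaw config might supply it. The embedded "\n" is the
// injection: it ends the Environment= line early; the "#" comments out the
// closing quote the generator appends after the value.
const HOSTILE_ENV_VARS = {
  OPENCLAW_LOG_LEVEL: "info",
  OPENCLAW_DATA_DIR: '/var/lib/openclaw"\nExecStartPre=/usr/bin/id\n# ',
};

// Constructed benign config for comparison.
const SAFE_ENV_VARS = {
  OPENCLAW_LOG_LEVEL: "info",
  OPENCLAW_DATA_DIR: "/var/lib/openclaw",
};

// Hypothetical unit layout shared by both renderers.
function unitSkeleton(serviceLines, execStart) {
  return [
    "[Unit]",
    "Description=OpenClaw gateway (hypothetical unit)",
    "",
    "[Service]",
    ...serviceLines,
    `ExecStart=${execStart}`,
    "",
    "[Install]",
    "WantedBy=default.target",
    "",
  ].join("\n");
}

// Vulnerable pattern: each value is interpolated into the unit verbatim.
function renderUnitVulnerable(envVars, execStart = "/usr/bin/openclaw gateway") {
  const lines = Object.entries(envVars).map(
    ([key, value]) => `Environment="${key}=${value}"`,
  );
  return unitSkeleton(lines, execStart);
}

const ENV_KEY_RE = /^[A-Za-z_][A-Za-z0-9_]*$/;
const CONTROL_CHAR_RE = /[\u0000-\u001f\u007f]/; // covers CR (0x0d) and LF (0x0a)

// Hardened pattern: validate the key, reject any control character in the
// value (CR/LF would start a new directive), and escape backslash and double
// quote inside the double-quoted token, so the value can end neither the
// token nor the line.
function formatEnvironmentDirective(key, value) {
  if (!ENV_KEY_RE.test(key)) {
    throw new Error(`invalid environment variable name: ${JSON.stringify(key)}`);
  }
  if (typeof value !== "string" || CONTROL_CHAR_RE.test(value)) {
    throw new Error(`control character in value of ${key}`);
  }
  const escaped = value.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
  return `Environment="${key}=${escaped}"`;
}

function renderUnitHardened(envVars, execStart = "/usr/bin/openclaw gateway") {
  const lines = Object.entries(envVars).map(([k, v]) =>
    formatEnvironmentDirective(k, v),
  );
  return unitSkeleton(lines, execStart);
}

// Lists the directive names in the [Service] section of a rendered unit,
// i.e. what systemd would actually be told to do. Also usable to audit a
// unit already on disk (feed it the text of `systemctl cat <unit>`).
function serviceDirectives(unitText) {
  const names = [];
  let inService = false;
  for (const raw of unitText.split(/\r?\n/)) {
    const line = raw.trim();
    if (line.startsWith("[")) {
      inService = line === "[Service]";
      continue;
    }
    if (!inService || line === "" || line.startsWith("#") || line.startsWith(";")) continue;
    const eq = line.indexOf("=");
    if (eq > 0) names.push(line.slice(0, eq).trim());
  }
  return names;
}

// Runs both renderers over the constructed configs and reports the outcome.
function demo() {
  const injected = serviceDirectives(renderUnitVulnerable(HOSTILE_ENV_VARS));
  let hardenedError = null;
  try {
    renderUnitHardened(HOSTILE_ENV_VARS);
  } catch (e) {
    hardenedError = e.message;
  }
  const safe = serviceDirectives(renderUnitHardened(SAFE_ENV_VARS));
  return { injected, hardenedError, safe };
}

console.log(JSON.stringify(demo(), null, 2));
```

With the hostile config the vulnerable output carries an extra ExecStartPre directive between the two Environment= lines, which systemd would run as the service user on the next start; the hardened renderer refuses the same config with an error before anything is written. Rejecting rather than stripping is deliberate: a value that contains a newline is never a legitimate environment variable for this purpose, and silently sanitising would hide an attempted injection from the operator.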

Details

CWE(s)
CWE-77 (Command Injection)

Affected Products
openclaw (vendor: openclaw): versions from 2026.2.19-2 up to, but not including, 2026.2.21 (per the NVD description; 2026.2.21 is the fixed release)

CVEs Like This One

CVE-2026-32052 (same product: OpenClaw)
CVE-2026-32032 (same product: OpenClaw)
CVE-2026-32023 (same product: OpenClaw)
CVE-2026-35666 (same product: OpenClaw)
CVE-2026-27001 (same product: OpenClaw)
CVE-2026-35645 (same product: OpenClaw)
CVE-2026-33577 (same product: OpenClaw)
CVE-2026-32915 (same product: OpenClaw)
CVE-2026-35663 (same product: OpenClaw)
CVE-2026-42432 (same product: OpenClaw)

References

GitHub Security Advisory GHSA-vffc-f7r7-rx2w
Patch commit 61f646c41fb43cd87ed48f9125b4718a30d38e84 (OpenClaw, GitHub)
VulnCheck advisory for CVE-2026-32063