OpenClaw 2026.2.19-2: Remote code injection possible via skill configuration
CVE-2026-4039
Summary
A security issue in OpenClaw 2026.2.19-2 could allow an attacker to execute malicious code remotely and potentially take control of the affected system. The fix is available in version 2026.2.21-beta.1; update to that version.
Original title
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to...
Original description
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.
CVSS scores (NVD)
- CVSS 2.0: 6.5
- CVSS 3.1: 6.3
- CVSS 4.0: 5.3
Vulnerability type
- CWE-74: Injection
- CWE-94: Code Injection
References
- https://github.com/openclaw/openclaw/
- https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9...
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1
- https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7
- https://vuldb.com/?ctiid.350651
- https://vuldb.com/?id.350651
- https://vuldb.com/?submit.769580
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026