5.3

OpenClaw 2026.2.19-2 Allows Remote Code Injection

GHSA-82g8-464f-2mv7
Summary

A vulnerability in OpenClaw's Skill Env Handler component allows a remote attacker to inject code. This could lead to unauthorized access and potentially disrupt the system. To fix this, update to OpenClaw version 2026.2.21-beta.1, which is available now.

What to do
  • Update steipete openclaw to version 2026.2.21.
Affected software
Vendor | Product | Affected versions | Fix available
steipete | openclaw | <= 2026.2.21 | 2026.2.21
Original title
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to...
Original description
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.
ghsa CVSS4.0 5.1
Vulnerability type
CWE-15
CWE-94 Code Injection
CWE-1341
CWE-74 Injection
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026