OpenClaw: Malicious Code Can Be Injected Via Skill Configuration
GHSA-wgx8-r9vw-2w4h
Summary
OpenClaw version 2026.2.19-2 contains a code-injection flaw: an attacker who can manipulate a skill's configuration can inject malicious code. To fix this, upgrade to OpenClaw version 2026.2.21-beta.1.
What to do
- Update openclaw to version 2026.2.21.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.2.21 | 2026.2.21 |
Original title
Duplicate Advisory: OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
Original description
### Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-82g8-464f-2mv7. This link is maintained to preserve external references.
### Original Description
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigEnvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.
CVSS 3.1 (GHSA): 6.3
CVSS 4.0 (GHSA): 5.3
Vulnerability type
CWE-74
Injection
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7
- https://nvd.nist.gov/vuln/detail/CVE-2026-4039
- https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9...
- https://github.com/openclaw/openclaw
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1
- https://vuldb.com/?ctiid.350651
- https://vuldb.com/?id.350651
- https://vuldb.com/?submit.769580
- https://github.com/advisories/GHSA-wgx8-r9vw-2w4h
Published: 12 Mar 2026 · Updated: 13 Mar 2026 · First seen: 12 Mar 2026