CVE-2026-4039

A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.

CVSS v3 6.3 MEDIUM
CVSS v2.0 6.5 MEDIUM

6.3^/10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 2.8 / Impact : 3.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact LOW

Scope UNCHANGED

6.5^/10

CVSS v2.0 : MEDIUM

V2 Legend

Vector : AV:N/AC:L/Au:S/C:P/I:P/A:P

Exploitability : 8.0 / Impact : 6.4

Access Vector NETWORK

Access Complexity LOW

Authentication SINGLE

Confidentiality Impact PARTIAL

Integrity Impact PARTIAL

Availability Impact PARTIAL

References

Link	Resource
https://github.com/openclaw/openclaw/	Product
https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c	Patch
https://github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1	Release Notes
https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7	Mitigation Vendor Advisory
https://vuldb.com/?ctiid.350651	Permissions Required VDB Entry
https://vuldb.com/?id.350651	Third Party Advisory VDB Entry
https://vuldb.com/?submit.769580	Third Party Advisory VDB Entry

Configurations

Configuration 1 (hide)

cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*

History

16 Mar 2026, 18:02

Type	Values Removed	Values Added
References	~~() https://github.com/openclaw/openclaw/ -~~	() https://github.com/openclaw/openclaw/ - Product
References	~~() https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c -~~	() https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c - Patch
References	~~() https://github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1 -~~	() https://github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1 - Release Notes
References	~~() https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7 -~~	() https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7 - Mitigation, Vendor Advisory
References	~~() https://vuldb.com/?ctiid.350651 -~~	() https://vuldb.com/?ctiid.350651 - Permissions Required, VDB Entry
References	~~() https://vuldb.com/?id.350651 -~~	() https://vuldb.com/?id.350651 - Third Party Advisory, VDB Entry
References	~~() https://vuldb.com/?submit.769580 -~~	() https://vuldb.com/?submit.769580 - Third Party Advisory, VDB Entry
Summary		(es) Se determinó una vulnerabilidad en OpenClaw 2026.2.19-2. Esta vulnerabilidad afecta la función applySkillConfigenvOverrides del componente Gestor de Entorno de Habilidades. Ejecutar una manipulación puede conducir a la inyección de código. Es posible lanzar el ataque remotamente. Actualizar a la versión 2026.2.21-beta.1 puede resolver este problema. Este parche se llama 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. Se recomienda actualizar el componente afectado.
First Time		Openclaw openclaw Openclaw
CPE		cpe:2.3:a:openclaw:openclaw::::::node.js::*

12 Mar 2026, 12:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-12 12:15

Updated : 2026-03-16 18:02

NVD link : CVE-2026-4039

Mitre link : CVE-2026-4039

CVE.ORG link : CVE-2026-4039

JSON object : View

Products Affected

openclaw

openclaw

CWE

CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

CWE-94

Improper Control of Generation of Code ('Code Injection')

6.3 /10