{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "fixed": "2026.2.21" } ] }, "events": [ { "introduced": "0" }, { "fixed": "5e34eb98fb023900f455b7e94c681383da8256f2" }, { "fixed": "8c9f35cdb51692b650ddf05b259ccdd75cc9a83c" }, { "fixed": "d9844c6afa2d6c6c8a7a4fb3b004b5c0456d184e" } ], "repo": "https://github.com/openclaw/openclaw", "type": "GIT" } ] } ], "aliases": [ "GHSA-82g8-464f-2mv7" ], "details": "A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.", "id": "CVE-2026-4039", "modified": "2026-04-01T23:10:28.828895211Z", "published": "2026-03-12T12:15:59.740Z", "references": [ { "type": "WEB", "url": "https://github.com/openclaw/openclaw/" }, { "type": "ADVISORY", "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1" }, { "type": "ADVISORY", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7" }, { "type": "ADVISORY", "url": "https://vuldb.com/?id.350651" }, { "type": "ADVISORY", "url": "https://vuldb.com/?submit.769580" }, { "type": "REPORT", "url": "https://vuldb.com/?ctiid.350651" }, { "type": "FIX", "url": "https://github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "type": "CVSS_V3" } ] }