GHSA-wgx8-r9vw-2w4h: Duplicate Advisory: OpenClaw: Skill env override host env injection via applySkillConfigEnvOverrides (defense-in-depth)
Duplicate Advisory
This advisory has been withdrawn because it is a duplicate of GHSA-82g8-464f-2mv7. This link is maintained to preserve external references.
Original Description
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.
References
- github.com/advisories/GHSA-wgx8-r9vw-2w4h
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/8c9f35cdb51692b650ddf05b259ccdd75cc9a83c
- github.com/openclaw/openclaw/releases/tag/v2026.2.21-beta.1
- github.com/openclaw/openclaw/security/advisories/GHSA-82g8-464f-2mv7
- nvd.nist.gov/vuln/detail/CVE-2026-4039
- vuldb.com/?ctiid.350651
- vuldb.com/?id.350651
- vuldb.com/?submit.769580
Code Behaviors & Features
Detect and mitigate GHSA-wgx8-r9vw-2w4h with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →