PT-2026-24944 · Openclaw · Openclaw
Nedlir · Published 2026-02-27 · Updated 2026-04-07 · CVE-2026-4039

| Metric | Value |
|---|---|
| CVSS v3.1 score | 8.8 (High) |
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions 2026.2.19-2
Description
A flaw exists in the applySkillConfigenvOverrides function within the Skill Env Handler component. It allows code injection when a manipulation is executed remotely. The function copies skills.entries.*.env values into the host process.env without applying host environment safety policies, so a skill's configuration can inject dangerous process-level variables such as NODE_OPTIONS. An attacker must be able to modify OpenClaw local state or configuration to set skills.entries.<skill>.env or related skill config values.
Recommendations
Upgrade to OpenClaw version 2026.2.21-beta.1 to resolve this issue.
Fix
Special Elements Injection
Multiple Releases of Same Resource or Handle
Code Injection
Related Identifiers
Affected Products
Openclaw