CVE-2026-4039
Published: 12 March 2026
Summary
CVE-2026-4039 is a medium-severity Injection (CWE-74) vulnerability in Openclaw Openclaw. Its CVSS base score is 6.3 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation of Remote Services (T1210); ranked at the 29.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires timely remediation of the code injection flaw by applying the vendor-recommended patch to OpenClaw version 2026.2.21-beta.1.
Mandates validation of inputs to the applySkillConfigenvOverrides function to neutralize special elements and prevent code injection as described in CWE-74 and CWE-94.
Provides integrity verification of software and information to detect unauthorized code modifications resulting from successful injection exploits.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The vulnerability enables remote code injection over the network in a service component (Skill Env Handler) requiring low privileges, directly facilitating T1210: Exploitation of Remote Services.
NVD Description
A vulnerability was determined in OpenClaw 2026.2.19-2. This vulnerability affects the function applySkillConfigenvOverrides of the component Skill Env Handler. Executing a manipulation can lead to code injection. It is possible to launch the attack remotely. Upgrading to version 2026.2.21-beta.1 is…
more
able to resolve this issue. This patch is called 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. It is recommended to upgrade the affected component.
Deeper analysisAI
CVE-2026-4039 is a code injection vulnerability affecting OpenClaw version 2026.2.19-2, specifically in the applySkillConfigenvOverrides function of the Skill Env Handler component. The issue, linked to CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-94 (Improper Control of Generation of Code), was published on 2026-03-12 and carries a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L).
An attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Manipulation of the affected function enables code injection, resulting in limited impacts to confidentiality, integrity, and availability.
Advisories recommend upgrading the affected component to OpenClaw version 2026.2.21-beta.1, which resolves the issue via patch commit 8c9f35cdb51692b650ddf05b259ccdd75cc9a83c. Details are available in the GitHub security advisory GHSA-82g8-464f-2mv7, the project repository, release notes, and VulDB entry ctiid.350651.
Details
- CWE(s)