CVE-2026-44995
Improper Environment Variable Validation in OpenClaw MCP Server
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: VulnCheck
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openclaw | openclaw | to 2026.4.20 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-829 | The product imports, requires, or includes executable functionality (such as a library) from a source that is outside of the intended control sphere. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-44995 is a vulnerability in OpenClaw versions before 2026.4.20 where improper validation of environment variables in the MCP stdio server configuration allows attackers to execute arbitrary code.
Malicious workspace configurations can pass dangerous startup variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to MCP server processes. When operators start sessions using those servers, the injected code executes, leading to potential compromise.
How can this vulnerability impact me?
This vulnerability can lead to arbitrary code execution on the system running OpenClaw if an attacker can supply a malicious workspace configuration.
The exposure is bounded by the workspace trust boundary: an attacker must already control the workspace configuration or the environment in which OpenClaw is running.
Successful exploitation could result in full compromise of confidentiality, integrity, and availability of the affected system, as indicated by the high CVSS impact scores.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves malicious workspace configurations passing dangerous environment variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to MCP stdio server processes. Detection involves checking for the presence of these environment variables in the MCP stdio server configuration or workspace startup scripts.
You can inspect running MCP server processes or their startup environment for suspicious environment variables. For example, on a Unix-like system, you might use commands such as:
- `ps aux | grep mcp` to find MCP server processes
- `cat /proc/<pid>/environ | tr '\0' '\n' | grep -E 'NODE_OPTIONS|LD_PRELOAD|BASH_ENV'` to check the environment of a running MCP server process
- `grep -rE 'NODE_OPTIONS|LD_PRELOAD|BASH_ENV' <workspace-config-directory>` to search workspace configuration files for dangerous environment variables
These commands help identify if dangerous environment variables are set or passed to MCP stdio servers, which could indicate exploitation or vulnerability presence.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, immediately upgrade OpenClaw to version 2026.4.20 or later, where the issue has been fixed by filtering out dangerous environment variables from MCP stdio server configurations.
If upgrading is not immediately possible, manually ensure that workspace configurations do not include environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV that can be passed to MCP stdio servers.
Additionally, restrict operator access to trusted workspaces only, as exploitation requires running OpenClaw in a compromised or malicious workspace.
Review and apply the security patch or code changes that sanitize environment variables before spawning MCP stdio servers, as described in the security fix commit.