VulnWatch VulnWatch
← Back to dashboard
Medium nvd · CVE-2026-44995

CVE-2026-44995: OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configu

Published May 11, 2026 CVSS 5.4

OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers.

Remote Code Execution Agentic / MCP

Affected AI Products

mcp server
View original source
Get the weekly digest. Every Monday: top AI security stories of the week. Free.