CVE-2026-44995

OpenClaw < 2026.4.20 - Arbitrary Code Execution via MCP stdio Environment Variables

CVSS 5.4 MEDIUMEPSS 0.1%CWE-829

Vexday Risk Score

13Bajo

Decisión SSVC (CISA)

Track

Sin señal de explotación → monitorear

CVSS 5.4EPSS 0.1%KEV nãoPoC —Nuclei —Metasploit —Patch referenciado

Ciclo de vida

11 may 2026Publicada en NVD

Recomendación: Monitorear — sin señal de explotación por ahora.

OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers.

CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Productos afectados

OpenClaw · OpenClaw

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →

Referencias

https://github.com/openclaw/openclaw/commit/62fa5071896e95edc7f67d1cebc70a2859e283af https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables