Description
OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers.
Published: 2026-05-11
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw prior to 2026.4.20 contains a weakness in the MCP stdio server configuration that fails to validate environment variables correctly. An attacker who can influence workspace configurations can inject variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV into the server startup process. When an operator initiates a session using the affected MCP server, those variables are applied and can cause the MCP server to execute malicious code, giving the attacker code execution with the privileges of the MCP server process. The flaw maps to CWE-829 and allows the attacker to run arbitrary code on the host where the MCP server runs.

Affected Systems

The vulnerability affects OpenClaw software, versions earlier than 2026.4.20. The affected product is the OpenClaw application running on a Node.js runtime. Any installation that includes the MCP stdio server component and allows workspace configuration of environment variables is susceptible.

Risk and Exploitability

The CVSS score of 5.4 classifies the flaw as medium severity. EPSS is not provided and the vulnerability is not listed in CISA KEV, indicating no publicly documented exploits at the time of analysis. The attack can be carried out by maliciously modifying workspace configuration files or environment settings that the MCP server processes, which requires either ownership of the configuration space or the ability to tamper with the environment in which the server starts. Consequently, internal actors or compromised configuration files pose the highest risk, while remote exploitation would need initial access to influence startup variables.

Generated by OpenCVE AI on May 11, 2026 at 18:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor-supplied patch by upgrading to OpenClaw 2026.4.20 or later.
  • If patching cannot be performed immediately, configure the MCP stdio server to reject or sanitize potentially dangerous environment variables such as NODE_OPTIONS, LD_PRELOAD, and BASH_ENV in workspace configurations or remove the ability to pass them to the server process.
  • Restrict permissions on workspace configuration files and enforce least-privilege principles for users that can modify startup settings, ensuring only trusted accounts can alter environment variables used by the MCP server.

Advisories

No advisories yet.

History

Mon, 11 May 2026 18:30:00 +0000

Values added:
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Values added:
Description: OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes, enabling code injection when operators start sessions using those servers.
Title: OpenClaw < 2026.4.20 - Arbitrary Code Execution via MCP stdio Environment Variables
First Time appeared: Openclaw, Openclaw openclaw
Weaknesses: CWE-829
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw, Openclaw openclaw
References:
Metrics (cvssV3_1): {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}
Metrics (cvssV4_0): {'score': 5.4, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T17:57:02.478Z

Reserved: 2026-05-08T16:41:39.934Z

Link: CVE-2026-44995

Vulnrichment

Updated: 2026-05-11T17:56:49.317Z

NVD

Status : Awaiting Analysis

Published: 2026-05-11T18:16:39.387

Modified: 2026-05-12T14:19:41.400

Link: CVE-2026-44995

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T00:15:05Z

Weaknesses