CVE-2026-44995 Overview
CVE-2026-44995 is an arbitrary code execution vulnerability in OpenClaw versions prior to 2026.4.20. The flaw stems from improper validation of environment variables in the Model Context Protocol (MCP) stdio server configuration. Malicious workspace configurations can pass dangerous startup variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes. When an operator starts a session using a tainted server entry, the injected environment triggers code execution in the spawned process. The weakness is categorized under CWE-829: Inclusion of Functionality from Untrusted Control Sphere.
Critical Impact
Attackers who control workspace MCP configurations can execute arbitrary code on the operator's host when an MCP stdio server session starts.
Affected Products
- OpenClaw versions before 2026.4.20
- OpenClaw distributions running on Node.js
- Workspaces that load untrusted MCP stdio server entries
Discovery Timeline
- 2026-05-11 - CVE-2026-44995 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44995
Vulnerability Analysis
OpenClaw spawns MCP stdio servers as child processes using configuration supplied by the active workspace. Before the fix, the helper toMcpStringRecord in src/agents/mcp-config-shared.ts accepted any string-valued keys from the workspace's env map and forwarded them to the child process unchanged. This allowed dangerous host environment variables that influence loader and runtime behavior, including NODE_OPTIONS, LD_PRELOAD, LD_LIBRARY_PATH, and BASH_ENV, to be passed straight into the spawned MCP process. Local code execution occurs when the operator starts a session backed by the malicious configuration.
Root Cause
The MCP configuration loader did not distinguish between user-defined application variables and reserved variables that the operating system or language runtime interprets at process start. Because the entire workspace env block was treated as opaque string data, a workspace author could smuggle interpreter hooks into the child environment, breaking the trust boundary between workspace data and host execution.
Attack Vector
Exploitation requires local access and user interaction: a victim must open a workspace that contains a crafted MCP stdio server entry and start a session that launches the server. No elevated privileges are needed beyond those of the user running OpenClaw.
// Patch excerpt from src/agents/mcp-config-shared.ts
+import {
+ isDangerousHostEnvOverrideVarName,
+ isDangerousHostEnvVarName,
+} from "../infra/host-env-security.js";
+
export function isMcpConfigRecord(value: unknown): value is Record<string, unknown> {
return value !== null && typeof value === "object" && !Array.isArray(value);
}
-export function toMcpStringRecord(
+function toMcpFilteredStringRecord(
value: unknown,
- options?: { onDroppedEntry?: (key: string, value: unknown) => void },
+ options?: {
+ onDroppedEntry?: (key: string, value: unknown) => void;
+ shouldDropKey?: (key: string) => boolean;
+ },
): Record<string, string> | undefined {
if (!isMcpConfigRecord(value)) {
return undefined;
}
const entries = Object.entries(value)
.map(([key, entry]) => {
+ if (options?.shouldDropKey?.(key)) {
+ options?.onDroppedEntry?.(key, entry);
+ return null;
+ }
if (typeof entry === "string") {
return [key, entry] as const;
}
Source: OpenClaw commit 62fa5071. The patch introduces isDangerousHostEnvOverrideVarName and isDangerousHostEnvVarName checks and renames the helper to toMcpFilteredStringRecord so callers must opt into a key-filtering policy before child processes inherit workspace-provided variables.
Detection Methods for CVE-2026-44995
Indicators of Compromise
- Workspace MCP configuration files containing env entries for NODE_OPTIONS, LD_PRELOAD, LD_LIBRARY_PATH, DYLD_INSERT_LIBRARIES, or BASH_ENV.
- Child processes of OpenClaw launching with unexpected --require or --import Node.js flags from inherited NODE_OPTIONS.
- Unfamiliar shared libraries loaded by Node.js or shell processes spawned from OpenClaw sessions.
Detection Strategies
- Audit workspace repositories and MCP server definitions for environment keys that match known dangerous loader variables.
- Compare the OpenClaw version reported in telemetry against 2026.4.20 to identify hosts still exposed to the vulnerability.
- Hunt for process-creation events where the parent is an OpenClaw or MCP stdio binary and the child inherits non-empty NODE_OPTIONS or LD_PRELOAD values.
Monitoring Recommendations
- Forward endpoint process-creation and environment-variable telemetry to a centralized analytics pipeline for retrospective hunting.
- Alert on writes to workspace configuration paths that introduce new MCP env keys outside an approved allowlist.
- Track outbound connections initiated by MCP stdio child processes, which can reveal post-exploitation activity from injected loaders.
How to Mitigate CVE-2026-44995
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.20 or later, which ships the dangerous-variable filter.
- Review every workspace's MCP stdio server entries and remove unrecognized env keys before reopening the workspace.
- Restrict workspace sharing to trusted sources until upgraded clients are deployed across the team.
Patch Information
The fix is delivered in OpenClaw commits 62fa5071 and 85d86ebc, and is documented in the OpenClaw GHSA-mj59-h3q9-ghfh advisory and the VulnCheck advisory. The patch blocks dangerous host environment variable names from being forwarded to MCP stdio child processes.
Workarounds
- Do not open untrusted workspaces or MCP server bundles with vulnerable OpenClaw builds.
- Strip env blocks from MCP stdio configurations and rely on host-managed environments until the upgrade is applied.
- Run OpenClaw under a least-privilege user account and within an isolated sandbox to limit the impact of a successful injection.
# Verify the installed OpenClaw version is patched
npm ls openclaw | grep openclaw
# Expected: openclaw@2026.4.20 or newer
# Audit workspace MCP configs for dangerous env keys
grep -REn 'NODE_OPTIONS|LD_PRELOAD|LD_LIBRARY_PATH|DYLD_INSERT_LIBRARIES|BASH_ENV' \
.openclaw/ workspaces/
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
