Threat Feed advisory (severity: high)

OpenClaw MCP Stdio Server Environment Variable Injection Vulnerability (CVE-2026-44995)

OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability (CVE-2026-44995) in MCP stdio server configuration, allowing attackers to execute arbitrary code via malicious workspace configurations that pass dangerous startup variables.

OpenClaw before version 2026.4.20 contains an improper environment variable validation flaw in its MCP stdio server configuration. The vulnerability, tracked as CVE-2026-44995, allows attackers to execute arbitrary code on systems running affected versions of OpenClaw. The attack involves crafting a malicious workspace configuration that injects dangerous startup variables, such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV, into the environment of spawned MCP server processes. Because the dynamic loader or interpreter honours these variables before the server's own code runs, the injection leads to arbitrary code execution as soon as an operator initiates a session using one of the compromised servers. This poses a significant risk to organizations utilizing OpenClaw, as it can lead to complete system compromise.

Attack Chain

  1. Attacker crafts a malicious OpenClaw workspace configuration.
  2. The malicious configuration includes specially crafted environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV.
  3. An operator unwittingly loads the malicious workspace configuration in OpenClaw.
  4. OpenClaw spawns an MCP stdio server process, inheriting the attacker-controlled environment variables.
  5. The injected environment variables cause the spawned MCP server process to load attacker-supplied code.
  6. Arbitrary code is executed within the context of the MCP server process.
  7. The attacker gains control over the affected system.

Impact

Successful exploitation of CVE-2026-44995 can lead to arbitrary code execution on the OpenClaw server. An attacker can use this to gain complete control of the system, potentially leading to data theft, system compromise, or denial of service. This vulnerability impacts any organization using OpenClaw versions prior to 2026.4.20.

Recommendation

  • Upgrade OpenClaw to version 2026.4.20 or later to patch CVE-2026-44995.
  • Implement the Sigma rule "Detect Suspicious OpenClaw Environment Variables" to identify potentially malicious workspace configurations.
  • Monitor process creation events for the use of NODE_OPTIONS, LD_PRELOAD, or BASH_ENV environment variables in OpenClaw MCP stdio server processes.
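As an added example (not OpenClaw's code and not part of this advisory), the following Python shows the two checks the recommendations above call for: validating a workspace configuration's MCP server env blocks before they reach a spawned stdio server, and flagging process-creation events in which a child process of OpenClaw carries one of these variables. It assumes the common MCP stdio config shape (mcpServers, each with command, args and env) and a constructed event format with an env field; whether your sensor records the environment at process creation is a separate question (Sysmon does not, some eBPF-based sensors do). The denylist extends the page's three examples with other well-known loader and interpreter startup variables; that extension is an assumption, not something the advisory states.

```python
"""Flag startup-hook environment variables in MCP stdio server configs and
in process-creation events.

Added example, not OpenClaw's code. The config shape
{"mcpServers": {"<name>": {"command": ..., "args": [...], "env": {...}}}}
and the event shape below are assumptions, not taken from the advisory.
"""
import json
import os
from dataclasses import dataclass

# Variables honoured by the dynamic loader or an interpreter before the
# program's own code runs. The advisory names NODE_OPTIONS, LD_PRELOAD and
# BASH_ENV; the others are well-known relatives added here as an assumption
# about what a denylist should cover. Extend for your platform.
DANGEROUS_EXACT = {
    "NODE_OPTIONS", "BASH_ENV", "ENV",
    "PYTHONSTARTUP", "PYTHONPATH", "PERL5OPT", "RUBYOPT",
}
DANGEROUS_PREFIXES = ("LD_", "DYLD_")


def is_dangerous_env_name(name: str) -> bool:
    """True if setting this variable can make a child load foreign code.

    Names are upper-cased first: Windows treats variable names
    case-insensitively, so 'node_options' is as effective as NODE_OPTIONS.
    """
    upper = name.strip().upper()
    return upper in DANGEROUS_EXACT or upper.startswith(DANGEROUS_PREFIXES)


@dataclass
class Finding:
    server: str
    variable: str
    value: str


def validate_mcp_servers(config: dict) -> list:
    """Walk a workspace config and collect every dangerous env entry."""
    findings = []
    for server, spec in config.get("mcpServers", {}).items():
        for var, value in (spec.get("env") or {}).items():
            if is_dangerous_env_name(var):
                findings.append(Finding(server, var, str(value)))
    return findings


def build_child_env(server_env: dict) -> dict:
    """Hardened form of 'merge the config env over the parent env':
    refuse to build an environment for the spawn if any dangerous
    variable is present, so the operator sees what was attempted."""
    bad = sorted(k for k in server_env if is_dangerous_env_name(k))
    if bad:
        raise ValueError(f"refusing to spawn MCP server: env sets {bad}")
    env = dict(os.environ)
    env.update({k: str(v) for k, v in server_env.items()})
    return env


def scan_process_events(events) -> list:
    """Detection side: flag children of OpenClaw whose recorded environment
    carries a dangerous variable. Scoping to OpenClaw's children keeps
    legitimate NODE_OPTIONS use elsewhere from firing the rule."""
    hits = []
    for ev in events:
        if "openclaw" not in ev.get("parent_image", "").lower():
            continue
        bad = sorted(k for k in ev.get("env", {}) if is_dangerous_env_name(k))
        if bad:
            hits.append({"pid": ev["pid"], "image": ev["image"], "vars": bad})
    return hits


# Constructed sample inputs (not from the advisory); values are placeholders.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "files": {"command": "mcp-files", "args": ["--root", "."],
              "env": {"LOG_LEVEL": "info"}},
    "evil":  {"command": "node", "args": ["server.js"],
              "env": {"node_options": "<injected>", "LD_PRELOAD": "<injected>"}}
  }
}""")

SAMPLE_EVENTS = [
    {"pid": 101, "parent_image": "/opt/openclaw/openclaw", "image": "/usr/bin/node",
     "env": {"PATH": "/usr/bin", "NODE_OPTIONS": "<injected>"}},
    {"pid": 102, "parent_image": "/opt/openclaw/openclaw", "image": "/usr/bin/mcp-files",
     "env": {"PATH": "/usr/bin", "LOG_LEVEL": "info"}},
    {"pid": 103, "parent_image": "/bin/bash", "image": "/usr/bin/node",
     "env": {"NODE_OPTIONS": "--max-old-space-size=4096"}},
]

if __name__ == "__main__":
    for f in validate_mcp_servers(SAMPLE_CONFIG):
        print(f"config: server {f.server!r} sets {f.variable}={f.value!r}")
    for h in scan_process_events(SAMPLE_EVENTS):
        print(f"telemetry: pid {h['pid']} ({h['image']}) has {h['vars']}")
```

build_child_env refuses rather than silently stripping the variable, so a poisoned workspace surfaces as an error with the offending names instead of quietly running with a partial environment. The third sample event is there to show why the detection scopes to OpenClaw's children: NODE_OPTIONS is an ordinary tuning knob for unrelated Node processes, and matching every occurrence would bury the alert.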

Detection coverage (2 rules)

Detect Suspicious OpenClaw Environment Variables
Severity: high
Detects CVE-2026-44995 exploitation: process creations with suspicious environment variables indicative of code injection in OpenClaw.
Format: Sigma. Tactic: execution. Technique: T1059.004. Sources: process_creation, windows.

Detect Suspicious Linux Environment Variables
Severity: high
Detects CVE-2026-44995 exploitation: process creations with suspicious environment variables indicative of code injection in OpenClaw on Linux.
Format: Sigma. Tactic: execution. Technique: T1059.004. Sources: process_creation, linux.
