Product
OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability (CVE-2026-44995) in MCP stdio server configuration, allowing attackers to execute arbitrary code via malicious workspace configurations that pass dangerous startup variables.