{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mcp-stdio-server/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-44995"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenClaw","MCP stdio server"],"_cs_severities":["high"],"_cs_tags":["cve","code-execution","environment-variable-injection"],"_cs_type":"advisory","_cs_vendors":["OpenClaw"],"content_html":"\u003cp\u003eOpenClaw before version 2026.4.20 is vulnerable to improper environment variable validation in its MCP stdio server configuration. This vulnerability, tracked as CVE-2026-44995, allows attackers to execute arbitrary code on systems running affected versions of OpenClaw. The attack involves crafting malicious workspace configurations that inject dangerous startup variables, such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV, into spawned MCP server processes. This injection leads to arbitrary code execution when operators initiate sessions using those compromised servers. 
This poses a significant risk to organizations utilizing OpenClaw, as it can lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious OpenClaw workspace configuration.\u003c/li\u003e\n\u003cli\u003eThe malicious configuration includes specially crafted environment variables such as \u003ccode\u003eNODE_OPTIONS\u003c/code\u003e, \u003ccode\u003eLD_PRELOAD\u003c/code\u003e, or \u003ccode\u003eBASH_ENV\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eAn operator unwittingly loads the malicious workspace configuration in OpenClaw.\u003c/li\u003e\n\u003cli\u003eOpenClaw spawns an MCP stdio server process, inheriting the attacker-controlled environment variables.\u003c/li\u003e\n\u003cli\u003eThe injected environment variables cause the spawned MCP server process to load attacker-supplied code.\u003c/li\u003e\n\u003cli\u003eArbitrary code is executed within the context of the MCP server process.\u003c/li\u003e\n\u003cli\u003eThe attacker gains control over the affected system.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-44995 can lead to arbitrary code execution on the OpenClaw server. An attacker can use this to gain complete control of the system, potentially leading to data theft, system compromise, or denial of service. 
This vulnerability impacts any organization using OpenClaw versions prior to 2026.4.20.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenClaw to version 2026.4.20 or later to patch CVE-2026-44995.\u003c/li\u003e\n\u003cli\u003eImplement the Sigma rule \u003ccode\u003eDetect Suspicious OpenClaw Environment Variables\u003c/code\u003e to identify potentially malicious workspace configurations.\u003c/li\u003e\n\u003cli\u003eMonitor process creation events for the use of \u003ccode\u003eNODE_OPTIONS\u003c/code\u003e, \u003ccode\u003eLD_PRELOAD\u003c/code\u003e, or \u003ccode\u003eBASH_ENV\u003c/code\u003e environment variables in OpenClaw MCP stdio server processes.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-11T18:18:26Z","date_published":"2026-05-11T18:18:26Z","id":"https://feed.craftedsignal.io/briefs/2026-05-openclaw-env-var-injection/","summary":"OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability (CVE-2026-44995) in MCP stdio server configuration, allowing attackers to execute arbitrary code via malicious workspace configurations that pass dangerous startup variables.","title":"OpenClaw MCP Stdio Server Environment Variable Injection Vulnerability (CVE-2026-44995)","url":"https://feed.craftedsignal.io/briefs/2026-05-openclaw-env-var-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — MCP Stdio Server","version":"https://jsonfeed.org/version/1.1"}