PT-2026-39684 · Openclaw · Openclaw

Garagon · Published 2026-05-11 · Updated 2026-05-11 · CVE-2026-44995

CVSS v3.1: 7.3 (High)
Vector: AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.4.20

Description: Improper environment variable validation in the MCP stdio server configuration allows arbitrary code execution. A malicious workspace configuration can pass dangerous process-startup variables, such as NODE_OPTIONS, LD_PRELOAD or BASH_ENV, to spawned MCP server processes, so code injection occurs when an operator starts a session that uses those servers.

Recommendations: Update to version 2026.4.20.

Related Identifiers

CVE-2026-44995

Affected Products

Openclaw