OpenClaw — CVE-2026-44995 MCP Stdio Server Environment Variable RCE
AI relevance: OpenClaw is a widely deployed AI agent framework — improper validation of environment variables passed to MCP stdio child processes gives an attacker a direct path from agent configuration to host-level code execution.
- CVE-2026-44995 affects OpenClaw versions before 2026.4.20 in the MCP stdio server launch pipeline.
- The framework fails to validate or sanitize environment variables forwarded to MCP child processes, allowing an attacker to inject arbitrary variables into the subprocess environment.
- By controlling the environment of an MCP stdio server, an attacker can set PATH, LD_PRELOAD, PYTHONPATH, or similar variables to achieve arbitrary code execution when the child process starts.
- The vulnerability is exploitable by any entity that can influence MCP server configuration — including a malicious skill definition, a poisoned MCP registry entry, or a compromised tool integration.
- This is a structural class of vulnerability: the MCP stdio transport model inherently trusts the host to launch child processes with a clean environment, but OpenClaw did not enforce that invariant.
- Fixed in OpenClaw 2026.4.20. The patch adds environment variable validation and filtering before spawning MCP stdio subprocesses.
Why it matters
Combined with the broader wave of MCP supply-chain issues (CVE-2026-44995 follows the May OX Security disclosure of systemic MCP STDIO design flaws affecting ~200K servers), this shows that environment-level injection remains a blind spot in agent tooling. An attacker who compromises a skill marketplace or MCP registry can pivot from a single poisoned entry to full host compromise without needing a traditional software vulnerability.
What to do
- Upgrade to OpenClaw 2026.4.20 or later immediately.
- Audit your MCP server configurations for any externally-influenced environment variables.
- Review installed skills and MCP servers from third-party registries — treat them as untrusted code.
- Consider running MCP stdio servers in sandboxed containers with restricted environment and filesystem access.
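
One way to carry out the configuration audit above, as an added example that is not OpenClaw's code or its patch. It assumes server definitions sit under an `mcpServers` key with a per-server `env` map (a layout common to MCP clients, not confirmed for OpenClaw); the function names and the variable names beyond PATH, LD_PRELOAD and PYTHONPATH are choices made here.

```python
import json

# PATH, LD_PRELOAD and PYTHONPATH are the variables the advisory names; the
# other entries are added here as members of the same class (they change how
# a child process resolves binaries, shared libraries or modules).
RISKY_NAMES = {
    "PATH", "PYTHONPATH", "PYTHONHOME", "PYTHONSTARTUP", "NODE_OPTIONS",
    "NODE_PATH", "PERL5LIB", "PERL5OPT", "RUBYLIB", "RUBYOPT", "BASH_ENV",
}
RISKY_PREFIXES = ("LD_", "DYLD_")  # dynamic loader controls (Linux, macOS)


def risky_vars(env):
    """Return the sorted names in env that can redirect code loading."""
    hits = []
    for name in env:
        upper = str(name).upper()  # case-insensitive match, to be conservative
        if upper in RISKY_NAMES or upper.startswith(RISKY_PREFIXES):
            hits.append(name)
    return sorted(hits)


def audit_config(config):
    """Map server name -> risky env names. Assumes an 'mcpServers' layout."""
    findings = {}
    for server, spec in config.get("mcpServers", {}).items():
        hits = risky_vars(spec.get("env") or {})
        if hits:
            findings[server] = hits
    return findings


def allowlisted_env(env, allowed):
    """Keep only explicitly approved names; everything else is dropped."""
    return {k: v for k, v in env.items() if k in allowed}


# Constructed sample configuration, not taken from a real deployment.
SAMPLE = json.loads("""
{"mcpServers": {
  "docs-search": {"command": "node", "args": ["server.js"],
                  "env": {"API_BASE": "https://example.invalid", "LOG_LEVEL": "info"}},
  "pdf-tools":   {"command": "python3", "args": ["-m", "pdf_tools"],
                  "env": {"PYTHONPATH": "/opt/unreviewed", "LD_PRELOAD": "/opt/unreviewed/lib.so",
                          "PDF_TOKEN": "placeholder"}}
}}
""")

if __name__ == "__main__":
    for server, names in audit_config(SAMPLE).items():
        print(f"{server}: review {', '.join(names)}")
    print(allowlisted_env(SAMPLE["mcpServers"]["pdf-tools"]["env"], {"PDF_TOKEN"}))
```

The denylist in `risky_vars` is for finding entries to review; when deciding what a child process actually receives, the allowlist in `allowlisted_env` is the safer default because it does not depend on enumerating every dangerous name.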