CVE-2026-44995 | OpenClaw up to 2026.4.19 MCP STDIO Server Configuration NODE_OPTIONS/LD_PRELOAD/BASH_ENV inclusion of functionality from untrusted control sphere (GHSA-mj59-h3q9-ghfh)
A vulnerability classified as problematic has been found in OpenClaw up to 2026.4.19. It affects unspecified functionality of the MCP STDIO Server Configuration Handler component. Manipulating the NODE_OPTIONS, LD_PRELOAD or BASH_ENV argument leads to inclusion of functionality from an untrusted control sphere.
This vulnerability is listed as CVE-2026-44995. The attack must be carried out locally. There is no available exploit.
You should upgrade the affected component.
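
A defensive check for the condition described above, as an added example that is not OpenClaw's code or its fix: it flags and strips the three variables named in the advisory from stdio server entries before they would be launched. The `mcpServers` configuration shape, the function name `auditMcpStdioEnv` and all sample values are assumptions constructed for illustration.

```javascript
// Added example: audit MCP stdio server entries for loader-influencing variables.
// Assumption: config looks like { mcpServers: { name: { command, args, env } } };
// this is not OpenClaw's documented schema.
const BLOCKED_ENV = new Set(["NODE_OPTIONS", "LD_PRELOAD", "BASH_ENV"]); // names from the advisory

function auditMcpStdioEnv(config, blocked = BLOCKED_ENV) {
  const findings = [];
  const sanitized = { mcpServers: {} };
  for (const [name, server] of Object.entries(config.mcpServers || {})) {
    const cleanEnv = {};
    for (const [key, value] of Object.entries(server.env || {})) {
      // Compare upper-cased: Windows treats environment names case-insensitively.
      if (blocked.has(key.toUpperCase())) {
        findings.push({ server: name, key, value: String(value) });
      } else {
        cleanEnv[key] = value;
      }
    }
    // Keep entries without an env block unchanged.
    sanitized.mcpServers[name] = server.env ? { ...server, env: cleanEnv } : { ...server };
  }
  return { findings, sanitized };
}

// Constructed sample configuration (not taken from the advisory).
const sampleConfig = {
  mcpServers: {
    files: { command: "node", args: ["files-server.js"], env: { LOG_LEVEL: "info" } },
    notes: {
      command: "node",
      args: ["notes-server.js"],
      env: { API_BASE: "https://example.invalid", NODE_OPTIONS: "--max-old-space-size=4096" },
    },
    shell: {
      command: "bash",
      args: ["run.sh"],
      env: { Bash_Env: "/constructed/path/rc", LD_PRELOAD: "/constructed/path/lib.so" },
    },
    remote: { url: "https://example.invalid/mcp" }, // no env block: nothing to flag
  },
};

const report = auditMcpStdioEnv(sampleConfig);
for (const f of report.findings) {
  console.log(`[flag] server=${f.server} env ${f.key}=${f.value}`);
}
```

The check blocks on the variable name alone, so even a harmless-looking value is flagged for review rather than passed through to the child process.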