GHSA-mj59-h3q9-ghfhMedium
OpenClaw: MCP stdio server env could load dangerous startup variables from workspace config
🔗 CVE IDs covered (1)
📋 Description
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
< 2026.4.20 - Patched version:
2026.4.20
Impact
Workspace MCP stdio configuration could pass dangerous process-startup environment variables such as NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to the spawned MCP server process. In a malicious workspace, this could make the MCP child load attacker-controlled code when the operator starts a session that uses that MCP server.
The impact is limited to local/workspace trust boundaries and requires the operator to run OpenClaw in a workspace containing the malicious MCP configuration. Severity is therefore medium, not high/critical.
Fix
OpenClaw now filters MCP stdio environment entries through the host environment safety denylist before spawning stdio MCP servers.
Fix commits:
62fa5071896e95edc7f67d1cebc70a2859e283af85d86ebc4bf3d2226d39d132a484f4f7a299fa1b
Release
Fixed in OpenClaw 2026.4.20.
🎯 Affected products1
- npm/openclaw:< 2026.4.20
🔗 References (6)
- https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh
- https://github.com/openclaw/openclaw/commit/62fa5071896e95edc7f67d1cebc70a2859e283af
- https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b
- https://nvd.nist.gov/vuln/detail/CVE-2026-44995
- https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables
- https://github.com/advisories/GHSA-mj59-h3q9-ghfh