CVE-2026-44995

HighPublic PoC

Published: 11 May 2026

Published

11 May 2026

Modified

12 May 2026

KEV Added

—

Patch

—

CVSS Score 7.3 CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H

EPSS Score 0.0001 1.8th percentile

Risk Priority 15 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-44995 is a high-severity Inclusion of Functionality from Untrusted Control Sphere (CWE-829) vulnerability. Its CVSS base score is 7.3 (High).

Operationally, ranked at the 1.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

This vulnerability is AI-related — categorised as AI Agent Protocols and Integrations; in the Protocol-Specific Risks risk domain.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

CM-10 Software Usage Restrictions

addresses: CWE-829

Limiting P2P file sharing technology reduces inclusion of functionality or resources from untrusted external control spheres.

CM-11 User-installed Software

addresses: CWE-829

Enforcing installation policies prevents users from including functionality obtained from untrusted control spheres.

CM-8 System Component Inventory

addresses: CWE-829

The inventory process requires identifying and recording the origin of all components, making inclusion of functionality from untrusted control spheres easier to detect during reviews.

MA-3 Maintenance Tools

addresses: CWE-829

Requiring approval and monitoring of maintenance tools prevents inclusion and execution of functionality obtained from untrusted sources.

MP-7 Media Use

addresses: CWE-829

Unowned portable devices represent untrusted control spheres; the prohibition prevents inclusion of functionality or data from such sources.

PM-30 Supply Chain Risk Management Strategy

addresses: CWE-829

Strategy mandates assessment of third-party components and suppliers, directly reducing inclusion of functionality from untrusted control spheres.

SA-1 Policy and Procedures

addresses: CWE-829

Procedures can mandate supply-chain vetting and restrictions on functionality obtained from untrusted third-party or external control spheres.

SA-12 Supply Chain Protection

addresses: CWE-829

Requires use of trusted sources and provenance tracking, tangibly limiting inclusion of functionality from untrusted control spheres.

NVD Description

OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup variables like NODE_OPTIONS, LD_PRELOAD, or BASH_ENV to spawned MCP server processes,…

enabling code injection when operators start sessions using those servers.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-829

AI Security AnalysisAI

AI Category: AI Agent Protocols and Integrations
Risk Domain: Protocol-Specific Risks
OWASP Top 10 for LLMs 2025: None mapped
Classification Reason: Matched keywords: mcp, mcp

References

https://github.com/openclaw/openclaw/commit/62fa5071896e95edc7f67d1cebc70a2859e283af
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/commit/85d86ebc4bf3d2226d39d132a484f4f7a299fa1b
disclosure@vulncheck.com
https://github.com/openclaw/openclaw/security/advisories/GHSA-mj59-h3q9-ghfh
disclosure@vulncheck.com
https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-mcp-stdio-environment-variables
disclosure@vulncheck.com