What is CVE-2026-44995?

CVE-2026-44995 is a high-severity vulnerability in Openclaw, classified under Inclusion of Functionality from Untrusted Control Sphere. CVSS score: 7.3/10. Published 2026-05-11.

How severe is CVE-2026-44995?

High severity. CVSS v3 base score is 7.3 out of 10.

Vulnerability in Openclaw

CVE-2026-44995

OpenClaw before 2026.4.20 contains an improper environment variable validation vulnerability in MCP stdio server configuration that allows attackers to execute arbitrary code. Malicious workspace configurations can pass dangerous startup v…

EPSS: 0.000 (1.9th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 7.3 (High). Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H.

Affected products

Openclaw — versions 0, 2026.4.20

Weakness classification (CWE)

CWE-829 — Inclusion of Functionality from Untrusted Control Sphere

References

disclosure@vulncheck.com (vendor-advisory, Third Party Advisory)
disclosure@vulncheck.com (Patch, patch)
disclosure@vulncheck.com (patch, Broken Link)
disclosure@vulncheck.com (Patch, Third Party Advisory, third-party-advisory)

Frequently asked questions

What is CVE-2026-44995?: CVE-2026-44995 is a high-severity vulnerability in Openclaw, classified under Inclusion of Functionality from Untrusted Control Sphere. CVSS score: 7.3/10. Published 2026-05-11.
How severe is CVE-2026-44995?: High severity. CVSS v3 base score is 7.3 out of 10.