External Initialization of Trusted Variables or Data Stores in OpenClaw - #VU126831

Published: April 22, 2026


Vulnerability identifier: #VU126831
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-454
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: OpenClaw
Affected software:
OpenClaw

Detailed vulnerability description

The vulnerability allows a local user to execute arbitrary code.

The vulnerability exists because the MCP stdio server environment handling trusts externally supplied values when spawning an MCP server process from workspace configuration (CWE-454, External Initialization of Trusted Variables or Data Stores). A local user can supply a malicious workspace MCP configuration containing dangerous startup environment variables, which are passed to the spawned process and lead to arbitrary code execution.

User interaction is required because the operator must start a session that uses the configured MCP server.
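To illustrate the defensive pattern that addresses this weakness class, the following is an added example written for this page; it is not OpenClaw's code and does not reflect the vendor's fix. It shows a spawn wrapper for a stdio MCP server that starts from an empty environment, accepts only an allowlist of variable names from the workspace configuration, refuses names that hook the dynamic loader or a runtime's startup, and reports every rejected key so the host can log it. The allowlist, the forbidden-name patterns, the host PATH value and the sample workspace configuration are all assumptions constructed for the example.

```javascript
// Added example, not OpenClaw's code: refuse to pass workspace-supplied
// environment variables to an MCP stdio server unless explicitly allowed.
// The allowlist, forbidden patterns, HOST_PATH and sample config are constructed.

// Names a workspace configuration may legitimately set for its MCP server (assumed).
const ALLOWED_KEYS = new Set(["MCP_LOG_LEVEL", "MCP_TIMEOUT_MS", "HOME", "TMPDIR"]);

// Name patterns that change how the child loads libraries or starts its runtime.
// They are refused even if a later edit adds them to the allowlist by mistake.
const FORBIDDEN_PATTERNS = [
  /^LD_/, /^DYLD_/,                 // dynamic loader hooks (Linux, macOS)
  /^NODE_OPTIONS$/, /^NODE_PATH$/,  // Node.js startup and module resolution
  /^PYTHON/, /^PERL5/, /^RUBYOPT$/, // interpreter startup hooks
  /^BASH_ENV$/, /^ENV$/,            // shell startup files
  /^PATH$/,                         // command resolution belongs to the host
];

const HOST_PATH = "/usr/local/bin:/usr/bin:/bin"; // assumed host-controlled value

// Returns the environment the child will actually receive plus the rejected
// keys. A workspace config that tries to set loader or runtime variables is
// itself a detection signal, so callers should log `rejected`.
function sanitizeMcpEnv(workspaceEnv) {
  const env = {};        // clean base: nothing is inherited from process.env
  const rejected = [];
  for (const [key, value] of Object.entries(workspaceEnv ?? {})) {
    const wellFormedName = /^[A-Z][A-Z0-9_]*$/.test(key);
    const forbidden = FORBIDDEN_PATTERNS.some((p) => p.test(key));
    const safeValue = typeof value === "string" && !value.includes("\0");
    if (!wellFormedName || forbidden || !ALLOWED_KEYS.has(key) || !safeValue) {
      rejected.push(key);
      continue;
    }
    env[key] = value;
  }
  env.PATH = HOST_PATH; // always the host's PATH, never the workspace's
  return { env, rejected };
}

// Spawns the MCP server with the sanitised environment. child_process is
// required lazily so sanitizeMcpEnv can be exercised without touching the
// process API.
function spawnMcpServer(command, args, workspaceEnv) {
  const { env, rejected } = sanitizeMcpEnv(workspaceEnv);
  if (rejected.length > 0) {
    console.warn(`mcp: refused workspace env keys: ${rejected.join(", ")}`);
  }
  const { spawn } = require("node:child_process");
  return spawn(command, args, { env, stdio: ["pipe", "pipe", "inherit"] });
}

// Constructed workspace config: one legitimate key, two loader/runtime keys
// and one malformed name. Values are placeholders.
const SAMPLE_WORKSPACE_ENV = {
  MCP_LOG_LEVEL: "debug",
  LD_PRELOAD: "/tmp/placeholder.so",
  NODE_OPTIONS: "--require /tmp/placeholder.js",
  mcp_timeout_ms: "5000",
};

console.log(JSON.stringify(sanitizeMcpEnv(SAMPLE_WORKSPACE_ENV), null, 2));
```

Call `spawnMcpServer(command, args, workspaceConfig.env)` in place of a direct `spawn(command, args, { env: { ...process.env, ...workspaceConfig.env } })`. The two design points that matter are that the child's environment is built up from nothing rather than filtered down from the parent's, and that the rejected keys are surfaced rather than silently dropped, so a workspace that attempts this can be noticed in logs.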


Remediation

Install security update from vendor's website.

Sources