Summary
A flaw in the way several MCP server implementations handled tool description updates allowed a malicious MCP server to silently rename a tool after handshake. Agents that cached the original tool name could be tricked into invoking a different tool. Affected the MCP server libraries used by both OpenClaw and Hermes Agent.
Details
| CVE ID | CVE-2026-23912 |
| Severity | high (8.1) |
| CVSS vector | AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
| Published | 2026-04-03 |
| Patched | 2026-04-08 |
| Affected versions | Multiple |
| Fixed in | OpenClaw 2026.4.5, Hermes 2026.4.3, mcp-server-go 0.7.4 |
| Exploited in the wild | no known exploitation |
Affected projects
What to do
- If you run an affected version: upgrade to
OpenClaw 2026.4.5, Hermes 2026.4.3, mcp-server-go 0.7.4immediately. Do not delay this for convenience reasons. - Rotate any credentials that may have been exposed via the affected component.
- Audit your logs for indicators of exploitation — unexpected outbound traffic, anomalous tool calls, unfamiliar authenticated sessions.
- If exploitation is confirmed, treat the host as compromised: rebuild from a clean image, rotate every secret on the host, audit lateral movement.
Sources
- NIST NVD: CVE-2026-23912 on NVD
See also: all CVEs, tracked agents, methodology.