CVE-2026-23912 — MCP protocol — tool description spoofing across implementations · PocketClaw

Summary

A flaw in the way several MCP server implementations handled tool description updates allowed a malicious MCP server to silently rename a tool after handshake. Agents that cached the original tool name could be tricked into invoking a different tool. Affected the MCP server libraries used by both OpenClaw and Hermes Agent.

Details

CVE ID	CVE-2026-23912
Severity	high (8.1)
CVSS vector	AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Published	2026-04-03
Patched	2026-04-08
Affected versions	Multiple
Fixed in	OpenClaw 2026.4.5, Hermes 2026.4.3, mcp-server-go 0.7.4
Exploited in the wild	no known exploitation

Affected AI agents

OpenClaw →Hermes Agent →

What to do

If you run an affected version: upgrade to OpenClaw 2026.4.5, Hermes 2026.4.3, mcp-server-go 0.7.4 immediately. Do not delay this for convenience reasons.
Rotate any credentials that may have been exposed via the affected component.
Audit your logs for indicators of exploitation — unexpected outbound traffic, anomalous tool calls, unfamiliar authenticated sessions.
If exploitation is confirmed, treat the host as compromised: rebuild from a clean image, rotate every secret on the host, audit lateral movement.

Sources

NIST NVD: CVE-2026-23912 on NVD

Are you affected?

Type the version you have installed. We check it against Multiple.

This is a best-effort check. When in doubt, upgrade to OpenClaw 2026.4.5, Hermes 2026.4.3, mcp-server-go 0.7.4.