Severity: MEDIUM (5.0) · Ecosystem: npm

Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

GHSA-4mhr-cxr4-2prm

Published · Modified

Description

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-h2vw-ph2c-jvwf. This link is maintained to preserve external references.

Original Description

OpenClaw versions from 2026.4.5 up to, but not including, 2026.4.20 contain an environment variable injection vulnerability: a workspace dotenv file is allowed to override MINIMAX_API_HOST. An attacker who controls the workspace dotenv can redirect credentialed MiniMax API requests to an attacker-controlled origin, exposing the MiniMax API key carried in the Authorization header.
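The mitigation pattern for this class of bug, as an added example written for this page and not OpenClaw's own code: a workspace-scoped dotenv file is untrusted input (it ships with the project checkout), so it must not be allowed to set the variables that decide where credentials are sent, and the resolved host should be checked against an allowlist before an Authorization header is attached. The function names (`parseDotenv`, `mergeEnvWeak`, `mergeEnvHardened`, `resolveApiHost`), the `PROTECTED_VARS` list, the allowlisted origin and all sample values are constructed for the example; the weak merge shows the behaviour the advisory describes, the hardened merge shows the fix.

```javascript
// Added example, not OpenClaw's code. Shows why letting a workspace .env override
// MINIMAX_API_HOST redirects credentialed requests, and one way to prevent it.
// All names and sample values below are constructed for this example.

// Minimal dotenv parser: KEY=VALUE lines, '#' comments, optional surrounding quotes.
function parseDotenv(text) {
  const out = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (!line || line.startsWith('#')) continue;
    const eq = line.indexOf('=');
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    if ((value.startsWith('"') && value.endsWith('"')) ||
        (value.startsWith("'") && value.endsWith("'"))) {
      value = value.slice(1, -1);
    }
    out[key] = value;
  }
  return out;
}

// Variables that control the destination and content of credentialed requests.
// A workspace .env may never set or override them (constructed list).
const PROTECTED_VARS = new Set(['MINIMAX_API_HOST', 'MINIMAX_API_KEY']);

// Weak merge: the workspace file wins over the process environment, so a checked-in
// .env can repoint the API host. This is the behaviour the advisory describes.
function mergeEnvWeak(processEnv, workspaceEnv) {
  return { ...processEnv, ...workspaceEnv };
}

// Hardened merge: workspace values only fill variables that are not already set, and
// protected variables are never taken from the workspace file at all. Rejected keys
// are returned so the caller can log them (a useful detection signal).
function mergeEnvHardened(processEnv, workspaceEnv) {
  const merged = { ...processEnv };
  const rejected = [];
  for (const [key, value] of Object.entries(workspaceEnv)) {
    if (PROTECTED_VARS.has(key)) { rejected.push(key); continue; }
    if (!(key in merged)) merged[key] = value;
  }
  return { merged, rejected };
}

// Second line of defence: before attaching an Authorization header, require HTTPS and
// an origin on the allowlist. The allowlisted origin is a constructed placeholder.
const ALLOWED_API_ORIGINS = new Set(['https://minimax.example']);

function resolveApiHost(env) {
  const raw = env.MINIMAX_API_HOST;
  let url;
  try { url = new URL(raw); } catch { throw new Error(`MINIMAX_API_HOST is not a valid URL: ${raw}`); }
  if (url.protocol !== 'https:') throw new Error(`refusing non-HTTPS API host: ${url.origin}`);
  if (!ALLOWED_API_ORIGINS.has(url.origin)) throw new Error(`refusing unexpected API host: ${url.origin}`);
  return url.origin;
}

// Constructed sample input: a trusted process environment and a workspace .env that
// tries to redirect the API host while also setting a harmless project variable.
const processEnv = {
  MINIMAX_API_HOST: 'https://minimax.example',
  MINIMAX_API_KEY: 'constructed-sample-key',
};
const workspaceDotenv = `
# workspace .env committed to a project checkout (constructed)
MINIMAX_API_HOST="https://untrusted.example"
PROJECT_NAME=demo
`;

function demo() {
  const ws = parseDotenv(workspaceDotenv);
  const weak = mergeEnvWeak(processEnv, ws);
  const hardened = mergeEnvHardened(processEnv, ws);
  return {
    weakHost: weak.MINIMAX_API_HOST,                // untrusted origin wins
    hardenedHost: hardened.merged.MINIMAX_API_HOST, // trusted value kept
    rejected: hardened.rejected,                    // ['MINIMAX_API_HOST']
    projectName: hardened.merged.PROJECT_NAME,      // harmless variable still accepted
  };
}

console.log(demo());
```

With the weak merge, `resolveApiHost` is the only thing standing between the key and the redirected origin, which is why the allowlist check belongs at the point where the credential is attached and not only in configuration loading; with the hardened merge the override never reaches that point, and the rejected key list gives operators something concrete to alert on.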
