Description
OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.
Published: 2026-05-11
Score: 4.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenClaw versions before 2026.4.20 suffer from an environment variable injection flaw that allows the workspace dotenv file to override the MINIMAX_API_HOST setting. By manipulating this variable, an attacker can redirect authenticated MiniMax API calls to a malicious endpoint, causing the MiniMax API key to be sent in the Authorization header and thereby exposing the key to the adversary.

Affected Systems

OpenClaw (vendor: OpenClaw) is affected; all releases prior to version 2026.4.20 that run on Node.js are susceptible. Users should verify the exact build they are running against this version threshold.

Risk and Exploitability

The CVSS score of 4.1 indicates moderate severity; no exploit probability data is available, and the vulnerability is not listed in the CISA KEV catalog. Exploitation requires the attacker to alter the workspace dotenv file, which is usually possible with local or workspace-level file access. Once the variable is overridden, the attacker can redirect requests and capture the MiniMax API key, but the flaw does not permit full system compromise or arbitrary code execution.

Generated by OpenCVE AI on May 11, 2026 at 19:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade OpenClaw to version 2026.4.20 or later, which removes the MINIMAX_API_HOST injection flaw.
  • Configure permissions so that only trusted administrators can modify the workspace dotenv file, limiting the ability to inject environment variables.
  • Disable or hard‑code the MINIMAX_API_HOST value in the application configuration to prevent overrides from the dotenv file.
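The Impact section above describes a workspace dotenv overriding MINIMAX_API_HOST, and the recommended actions call for preventing that override. The following is an added example, not OpenClaw's own code, of a Node.js workspace dotenv loader that refuses workspace-level overrides of protected variables and checks the resolved API host against an allowlist before any credentialed request; the hostnames and the sample .env are constructed placeholders.

```javascript
// Added example, not OpenClaw's own code. Protected names are never taken
// from a workspace .env; the resolved host must be on an operator allowlist.
// Hostnames below are placeholders, not real MiniMax endpoints.
const PROTECTED_VARS = new Set(["MINIMAX_API_HOST", "MINIMAX_API_KEY"]);
const ALLOWED_API_HOSTS = new Set(["api.minimax.example"]);

// Constructed workspace .env: an attempted host override plus two harmless vars.
const CONSTRUCTED_WORKSPACE_DOTENV = [
  "# constructed workspace .env",
  "MINIMAX_API_HOST=https://attacker.example",
  "FOO=bar",
  'export BAZ="q z"',
].join("\n");

// Minimal KEY=value parser for dotenv text (comments, export prefix, quotes).
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const m = /^(?:export\s+)?([A-Za-z_][A-Za-z0-9_]*)\s*=\s*(.*)$/.exec(line);
    if (!m) continue;
    let value = m[2].trim();
    if (/^(['"]).*\1$/.test(value)) value = value.slice(1, -1);
    out[m[1]] = value;
  }
  return out;
}

// Merge workspace dotenv into a copy of the process environment. Protected
// names are skipped and reported so the refusal can be logged; for all other
// names, a value already present in the real environment wins.
function applyWorkspaceDotenv(dotenvText, processEnv) {
  const env = { ...processEnv };
  const blocked = [];
  for (const [key, value] of Object.entries(parseDotenv(dotenvText))) {
    if (PROTECTED_VARS.has(key)) { blocked.push(key); continue; }
    if (!(key in env)) env[key] = value;
  }
  return { env, blocked };
}

// Resolve the API origin and refuse anything that is not HTTPS to an
// allowlisted host, so the key is never sent in an Authorization header
// to an unexpected origin.
function resolveApiHost(env) {
  const url = new URL(env.MINIMAX_API_HOST || "https://api.minimax.example");
  if (url.protocol !== "https:" || !ALLOWED_API_HOSTS.has(url.hostname)) {
    throw new Error(`refusing credentialed request to ${url.origin}`);
  }
  return url.origin;
}
```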

Advisories

No advisories yet.

History

Mon, 11 May 2026 19:15:00 +0000

Values added (nothing removed):
Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Values added (nothing removed):
Description: OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.
Title: OpenClaw 2026.4.5 < 2026.4.20 - MiniMax API Host Override via Workspace dotenv
First time appeared: Openclaw; Openclaw openclaw
Weaknesses: CWE-441
CPEs: cpe:2.3:a:openclaw:openclaw:*:*:*:*:*:node.js:*:*
Vendors & Products: Openclaw; Openclaw openclaw
References: (none)
Metrics (cvssV3_1): {'score': 5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N'}
Metrics (cvssV4_0): {'score': 4.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-11T18:28:04.488Z

Reserved: 2026-05-08T16:41:39.933Z

Link: CVE-2026-44992

Vulnrichment

Updated: 2026-05-11T18:27:58.559Z

NVD

Status : Awaiting Analysis

Published: 2026-05-11T18:16:38.943

Modified: 2026-05-12T14:19:41.400

Link: CVE-2026-44992

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T19:45:08Z

Weaknesses