CVE-2026-44992

MEDIUM EPSS 2.0%
Published May 11, 20261mo ago · Modified Jun 17, 20261w ago
4.1 CVSS 4.0
Medium
Find Similar
Published May 11, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.

CVSS Details

Base Score
4.1
Exploitability
Impact
Vector string
CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Local
Attack Complexity Low
Privileges Required Low
User Interaction P
Scope X

Threat Intelligence

EPSS Exploit Probability
2.0% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-441

Affected Products 1

VendorProductVersionRange
openclawopenclaw*≥2026.4.5  –  <2026.4.20

References 3

  • github.com https://github.com/openclaw/openclaw/commit/2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1
    Patch
  • github.com https://github.com/openclaw/openclaw/security/advisories/GHSA-h2vw-ph2c-jvwf
    Third Party Advisory
  • vulncheck.com https://www.vulncheck.com/advisories/openclaw-minimax-api-host-override-via-workspace-dotenv
    PatchThird Party Advisory

Remediation

  • github.com https://github.com/openclaw/openclaw/commit/2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1
    Patch
  • vulncheck.com https://www.vulncheck.com/advisories/openclaw-minimax-api-host-override-via-workspace-dotenv
    PatchThird Party Advisory