CVE-2026-44992: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests
(updated )
A malicious workspace .env could set MINIMAX_API_HOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the outbound Authorization header.
This requires running OpenClaw from an attacker-controlled workspace. Severity is medium.
References
- github.com/advisories/GHSA-h2vw-ph2c-jvwf
- github.com/openclaw/openclaw/commit/2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1
- github.com/openclaw/openclaw/security/advisories/GHSA-h2vw-ph2c-jvwf
- nvd.nist.gov/vuln/detail/CVE-2026-44992
- www.vulncheck.com/advisories/openclaw-minimax-api-host-override-via-workspace-dotenv
Code Behaviors & Features
Detect and mitigate CVE-2026-44992 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →