GHSA-h2vw-ph2c-jvwf: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

April 25, 2026

A malicious workspace .env could set MINIMAX_API_HOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the outbound Authorization header.

This requires running OpenClaw from an attacker-controlled workspace. Severity is medium.

References

github.com/advisories/GHSA-h2vw-ph2c-jvwf
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1
github.com/openclaw/openclaw/security/advisories/GHSA-h2vw-ph2c-jvwf

Code Behaviors & Features

Detect and mitigate GHSA-h2vw-ph2c-jvwf with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →