CVE-2026-44992

Sažetak

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.

Reference

https://github.com/openclaw/openclaw/commit/2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1
https://github.com/openclaw/openclaw/security/advisories/GHSA-h2vw-ph2c-jvwf
https://www.vulncheck.com/advisories/openclaw-minimax-api-host-override-via-workspace-dotenv

CVSS

Base:	5.0
Impact:	3.6
Exploitability:	1.3

Pristup

Vektor	Složenost	Autentikacija
LOCAL	LOW	LOW

Impact

Povjerljivost	Cjelovitost	Dostupnost
HIGH	NONE	NONE

CVSS vektor

CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Zadnje važnije ažuriranje

13-05-2026 - 14:10

Objavljeno

11-05-2026 - 18:16