CVE-2026-44992

Summary

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.

Affected Software

VendorProductVersion RangeStatus
OpenClawOpenClaw2026.4.5 < 2026.4.20affected
OpenClawOpenClaw2026.4.20unaffected

Weaknesses

  • CWE-441: Unintended Proxy or Intermediary ('Confused Deputy')

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References