Environment Variable Injection Vulnerability in OpenClaw by OpenClaw
CVE-2026-44992

4.1MEDIUM

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-44992?

OpenClaw versions prior to 2026.4.20 are susceptible to an environment variable injection flaw that allows the workspace dotenv to supersede the MINIMAX_API_HOST. This security issue poses a risk where attackers could redirect authenticated MiniMax API requests to sources they control, leading to the potential exposure of sensitive MiniMax API keys in Authorization header responses.

Affected Version(s)

OpenClaw 2026.4.5 < 2026.4.20

OpenClaw 2026.4.20

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://github.com/openclaw/openclaw/commit/2f06696579a1a...

patch

https://www.vulncheck.com/advisories/openclaw-minimax-api...

third-party-advisory

CVSS V4

Score:

4.1

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
May 8, 2026

Credit

Nathan (@nexrin)

CVE-2026-44992 Data

JSON