Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h2vw-ph2c-jvwf. This link is maintained to preserve external references. Original Description OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspac...

OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Affected Packages / Versions - Package: openclaw npm - Affected versions: = 2026.4.5, 2026.4.20 - Patched version: 2026.4.20 Impact A malicious workspace .env could set MINIMAXAPIHOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the...

GHSA-8RH7-6779-CJQQ OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover

Summary OpenClaw loaded the current working directory .env before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values. Impact A repository or workspace containing a malicious .env file could override runtime configuration and security-sensitive...

OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover

Summary OpenClaw loaded the current working directory .env before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values. Impact A repository or workspace containing a malicious .env file could override runtime configuration and security-sensitive...