Snyk
added 2026/04/25 11:50 p.m.

Insufficiently Protected Credentials

Overview: openclaw is a 🦞 OpenClaw — Personal AI Assistant. Affected versions of this package are vulnerable to Insufficiently Protected Credentials via the MINIMAXAPIHOST environment variable injection in workspace dotenv files. An attacker can intercept sensitive API credentials by redirecting...

CVSS 6.8, AI score 5.5, EPSS 0.00119
Exploits: 0, References: 3

Patchstack
added 2026/04/25 11:50 p.m.

NPM: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

NPM: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests. Vulnerability discovered by ? in WordPress Npm openclaw versions = 2026.4.5, 2026.4.20...

AI score 5.8
Exploits: 0, References: 3, Affected Software: 1

Github Security Blog
added 2026/04/25 11:50 p.m.

OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: = 2026.4.5, 2026.4.20
- Patched version: 2026.4.20
Impact: A malicious workspace .env could set MINIMAXAPIHOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the...

CVSS 5, AI score 5.2, EPSS 0.00119
Exploits: 0, References: 5, Affected Software: 1

OSV
added 2026/04/25 11:50 p.m.

GHSA-H2VW-PH2C-JVWF OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: = 2026.4.5, 2026.4.20
- Patched version: 2026.4.20
Impact: A malicious workspace .env could set MINIMAXAPIHOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the...

CVSS 6.8, AI score 5.8, EPSS 0.00119
Exploits: 0, References: 5

OSV
added 2026/04/25 11:47 p.m.

GHSA-HXVM-XJVF-93F3 OpenClaw: Workspace dotenv could override runtime-control environment variables

Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: 2026.4.20
- Patched version: 2026.4.20
Impact: Workspace .env loading did not reserve the OPENCLAW runtime-control namespace broadly enough. A malicious workspace could set variables such as OPENCLAWGITDIR before source-upda...

CVSS 8.5, AI score 5.8, EPSS 0.00129
Exploits: 0, References: 5

Github Security Blog
added 2026/04/25 11:47 p.m.

OpenClaw: Workspace dotenv could override runtime-control environment variables

Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: 2026.4.20
- Patched version: 2026.4.20
Impact: Workspace .env loading did not reserve the OPENCLAW runtime-control namespace broadly enough. A malicious workspace could set variables such as OPENCLAWGITDIR before source-upda...

CVSS 8.5, AI score 5.2, EPSS 0.00129
Exploits: 0, References: 5, Affected Software: 1

RedhatCVE
added 2026/04/22 10:40 a.m.

CVE-2026-28684

A flaw was found in python-dotenv. A local attacker can exploit this by crafting a symbolic link, which the set_key and unset_key functions in python-dotenv follow when rewriting .env files. This can lead to the overwriting of arbitrary files on the system. Mitigation: Mitigation for this issue is...

CVSS 7.1, AI score 5.7, EPSS 0.00236
Exploits: 1, References: 6

EUVD
added 2026/04/22 12:31 a.m.

EUVD-2026-24515

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

CVSS 4.8, AI score 5.8, EPSS 0.00113
Exploits: 0, References: 6

NVD
added 2026/04/21 10:16 p.m.

CVE-2026-6830

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

CVSS 4.8, EPSS 0.00113
Exploits: 0, References: 5

CVE
added 2026/04/21 9:33 p.m.

CVE-2026-6830

The CVE concerns nesquena Hermes WebUI, where switching profiles fails to clear environment variables from the previous profile, enabling leakage of sensitive credentials (e.g., provider API keys) between profiles. The underlying issue is residual environment variables that persist across profile...

CVSS 4.8, AI score 5.8, EPSS 0.00113
Exploits: 0, References: 5

ATTACKERKB
added 2026/04/21 9:33 p.m.

CVE-2026-6830

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

CVSS 4.8, AI score 5.8, EPSS 0.00113
Exploits: 0, References: 6

Cvelist
added 2026/04/21 9:33 p.m.

CVE-2026-6830 Nesquena Hermes WebUI Environment Variable Credential Leakage via Profile Switch

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

CVSS 4.8, EPSS 0.00113
Exploits: 0, References: 5

EUVD
added 2026/04/21 2:38 p.m.

EUVD-2026-23901

python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback...

CVSS 6.6, AI score 5.9, EPSS 0.00236
Exploits: 1, References: 5

vulnersOsv
added 2026/04/21 2:38 p.m.

1password-secrets (>=0.0.1 <=0.4.0), 42towels (>=0.1.1001 <=0.1.1011) +3366 more potentially affected by CVE-2026-28684 via python-dotenv (>=0.1.0 <=1.2.1)

python-dotenv (PyPI) versions =0.1.0, =0.0.1, =0.1.1001, =2.3.0, =0.15.1, =0.1.0, =0.1.0, =1.0.0, =2.3.9, =1.18.8, =0.1.0b0, =1.0.4, =2.0.0rc0 and more. Source CVEs: CVE-2026-28684. Source advisory: OSV:GHSA-MF9W-MJ56-HR94...

CVSS 6.6, AI score 7.6, EPSS 0.00236
Exploits: 1

OSV
added 2026/04/21 2:38 p.m.

GHSA-MF9W-MJ56-HR94 python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback

Summary: set_key and unset_key in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Details: The rewrite context manager in dotenv/main.py is used by both set_key...

CVSS 6.6, AI score 5.8, EPSS 0.00236
Exploits: 1, References: 6

Github Security Blog
added 2026/04/21 2:38 p.m.

python-dotenv: Symlink following in set_key allows arbitrary file overwrite via cross-device rename fallback

Summary: set_key and unset_key in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a cross-device rename fallback is triggered. Details: The rewrite context manager in dotenv/main.py is used by both set_key...

CVSS 6.6, AI score 5.8, EPSS 0.00236
Exploits: 1, References: 6, Affected Software: 1

SUSE CVE
added 2026/04/21 12:18 p.m.

SUSE CVE-2026-28684

python-dotenv reads key-value pairs from a .env file and can set them as environment variables. Prior to version 1.2.2, set_key and unset_key in python-dotenv follow symbolic links when rewriting .env files, allowing a local attacker to overwrite arbitrary files via a crafted symlink when a...

CVSS 6.6, AI score 5.9, EPSS 0.00236
Exploits: 1, References: 3

CNNVD
added 2026/04/21 12:00 a.m.

Hermes Web UI security vulnerability

Hermes Web UI is a lightweight, dark-themed web interface developed by Nathan Esquenazi. Hermes Web UI has a security vulnerability that arises from the fact that environment variables of the active configuration file are not cleared before the next configuration file is loaded when switching...

CVSS 4.8, AI score 5.8, EPSS 0.00113
Exploits: 0, References: 1

Positive Technologies
added 2026/04/21 12:00 a.m.

PT-2026-34194

nesquena hermes-webui contains an environment variable leakage vulnerability where profile switching does not clear environment variables from the previously active profile before loading the next profile. Attackers or users can exploit additive dotenv reload behavior to access provider API keys...

CVSS 4.8, AI score 5.8, EPSS 0.00113
Exploits: 0, References: 7

EUVD
added 2026/04/20 11:08 p.m.

EUVD-2026-23998

OpenClaw before 2026.3.28 loads the current working directory .env file before trusted state-dir configuration, allowing environment variable injection. Attackers can place a malicious .env file in a repository or workspace to override runtime configuration and security-sensitive environment...

CVSS 8.6, AI score 5.8, EPSS 0.0013
Exploits: 0, References: 2