CVE-2026-44992 Overview
CVE-2026-44992 is an environment variable injection vulnerability in OpenClaw, a Node.js application. Versions 2026.4.5 before 2026.4.20 allow a workspace .env file to override the MINIMAX_API_HOST environment variable. An attacker who controls the workspace dotenv file can redirect credentialed MiniMax API requests to an attacker-controlled origin. The redirected requests carry the MiniMax API key in the Authorization header, exposing the credential to the attacker.
The issue is tracked under CWE-441: Unintended Proxy or Intermediary and requires local access with low privileges.
Critical Impact
Workspace-level dotenv overrides can exfiltrate MiniMax API keys by redirecting authenticated API traffic to attacker-controlled hosts.
Affected Products
- OpenClaw 2026.4.5 through versions before 2026.4.20
- OpenClaw distributions running on Node.js
- Workspaces that load untrusted .env files
Discovery Timeline
- 2026-05-11 - CVE-2026-44992 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-44992
Vulnerability Analysis
OpenClaw integrates with the MiniMax API and reads its target host from the MINIMAX_API_HOST environment variable. In affected versions, the application loads variables from a workspace-scoped .env file and allows those values to override the host configuration used for outbound API calls.
When the host is overridden, OpenClaw continues to attach the MiniMax API key to outbound requests via the Authorization header. The HTTP client treats the attacker-controlled host as legitimate and sends the credential to the redirected endpoint. The attacker then captures the API key from request logs on the rogue server.
The vulnerability requires the attacker to place or modify a .env file in the workspace, which makes it a local attack with user interaction. Successful exploitation results in full disclosure of the MiniMax API key without affecting integrity or availability of the host system.
Root Cause
The root cause is unsafe precedence of workspace dotenv values over trusted process configuration. OpenClaw does not restrict which environment variables can be overridden by workspace files, allowing security-sensitive endpoint configuration to be replaced at runtime.
Attack Vector
An attacker provides a malicious workspace containing a .env file that sets MINIMAX_API_HOST to an attacker-controlled domain. When the victim opens the workspace and triggers a MiniMax API call, OpenClaw transmits the API key to that domain in the Authorization header. The attacker captures the credential and can replay it against the legitimate MiniMax service.
The vulnerability mechanism is documented in the VulnCheck advisory and the GitHub Security Advisory GHSA-h2vw-ph2c-jvwf. No proof-of-concept code or public exploit is available at this time.
Detection Methods for CVE-2026-44992
Indicators of Compromise
- Workspace .env files containing a MINIMAX_API_HOST entry that does not point to the official MiniMax API domain.
- Outbound HTTPS connections from OpenClaw processes to unfamiliar hosts carrying Authorization: Bearer headers.
- DNS lookups from developer endpoints to domains resembling MiniMax but registered outside the vendor's known infrastructure.
Detection Strategies
- Scan repositories and shared workspaces for .env files that override MINIMAX_API_HOST, OPENAI_API_HOST, or similar host variables.
- Inspect OpenClaw network telemetry for outbound API requests directed to non-allowlisted MiniMax endpoints.
- Compare the installed OpenClaw version against the fixed release 2026.4.20 across developer machines.
Monitoring Recommendations
- Alert on egress traffic from Node.js processes to newly observed domains, especially when authentication headers are present.
- Audit version control history for additions of .env files in shared OpenClaw workspaces.
- Rotate MiniMax API keys on a schedule and monitor key usage for anomalous source IPs.
How to Mitigate CVE-2026-44992
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.20 or later, which contains the fix in commit 2f06696.
- Rotate any MiniMax API keys that were used while affected OpenClaw versions were installed.
- Audit existing workspaces for unauthorized .env files that set MINIMAX_API_HOST.
Patch Information
The fix is published in the upstream repository under commit 2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1. Details are available in the OpenClaw GitHub commit and the GitHub Security Advisory GHSA-h2vw-ph2c-jvwf. The patch prevents workspace dotenv files from overriding the MiniMax host configuration.
Workarounds
- Avoid opening untrusted OpenClaw workspaces until the upgrade is complete.
- Remove or sanitize .env files before loading shared workspaces, and reject entries that set host variables.
- Restrict MiniMax API keys with network allowlists or scoped permissions where the provider supports them.
# Configuration example: verify installed version and inspect workspace dotenv files
npm ls openclaw
grep -R "MINIMAX_API_HOST" ./workspaces/ || echo "No overrides found"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
