PT-2026-42596 — Npm Openclaw

PT-2026-42596 · Npm · Openclaw

Publicado

2026-05-11

Atualizado

2026-05-11

CVSS v3.1

5.0

Média

Vetor

AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-h2vw-ph2c-jvwf. This link is maintained to preserve external references.

Original Description

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX API HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.

Correção

Encontrou algum problema na descrição? Tem algo a acrescentar? Fique à vontade para nos escrever 👾

dbugs@ptsecurity.com

Enumeração de Fraquezas

CWE-441

Identificadores relacionados

GHSA-4MHR-CXR4-2PRM

Produtos afetados

Openclaw