PT-2026-37324 — Insufficiently Protected Credentials in Npm Openclaw

PT-2026-37324 · Npm · Openclaw

Published

2026-04-25

Updated

2026-04-25

CVSS v4.0

6.8

Medium

Vector

AV:L/AC:L/AT:P/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: >= 2026.4.5, < 2026.4.20
Patched version: 2026.4.20

Impact

A malicious workspace .env could set MINIMAX API HOST and redirect credentialed MiniMax requests to an attacker-controlled origin, exposing the MiniMax API key in the outbound Authorization header.

This requires running OpenClaw from an attacker-controlled workspace. Severity is medium.

Fix

OpenClaw now blocks MINIMAX API HOST from workspace dotenv injection and removes env-driven URL routing from the affected MiniMax request path.

Fix commit:

2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1

Release

Fixed in OpenClaw 2026.4.20.

Fix

Insufficiently Protected Credentials

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-15CWE-522

Related Identifiers

GHSA-H2VW-PH2C-JVWF

Affected Products

Openclaw