This advisory has been withdrawn because it is a duplicate of GHSA-h2vw-ph2c-jvwf. This link is maintained to preserve external references.

OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX API HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.