GHSA-H2VW-PH2C-JVWF: Credential Exfiltration via Environment Variable Injection in OpenClaw

OpenClaw relies on environment variables for global and workspace-specific configuration. The src/infra/dotenv.ts module manages this integration, loading localized .env files when a user opens a new workspace context.

To maintain security boundaries, OpenClaw implements a blocklist mechanism designed to prevent untrusted workspaces from modifying sensitive settings. This mechanism filters known high-risk environment variables before applying the local configuration to the application state.

Vulnerability GHSA-H2VW-PH2C-JVWF exists because this blocklist mechanism failed to include configuration keys specific to the MiniMax model provider. Specifically, the application permits the overriding of API routing targets, allowing unverified input to dictate where authenticated requests are sent.

As a result, the application exhibits an Improperly Controlled Modification of Dynamically-Determined Object Attributes (CWE-915). This flaw acts as a vector for credential exfiltration, exposing users to the immediate loss of their MiniMax API keys.

The root cause resides in the explicit enumeration approach used by the BLOCKED_WORKSPACE_DOTENV_KEYS and BLOCKED_WORKSPACE_DOTENV_SUFFIXES constants. The application attempts to secure sensitive properties via a blocklist-based architecture, which necessitates continuous updates whenever new routing configurations are introduced.

Prior to the patch, the blocklist lacked the explicit MINIMAX_API_HOST key. Furthermore, the generic suffix filter lacked coverage for the _API_HOST pattern, as it was strictly configured to protect variables ending in _BASE_URL.

When a workspace environment file defines MINIMAX_API_HOST, the dotenv parser imports this value directly into the application's runtime environment. The MiniMax provider module subsequently reads this overridden variable during the initialization of its HTTP client.

The HTTP client applies the injected value as the base destination URL for all subsequent API requests. Consequently, when the application executes a request requiring authentication, it appends the user's globally configured API key to the HTTP headers and transmits it to the overridden destination.

The vulnerable implementation in src/infra/dotenv.ts relied on an incomplete set of protected variable names. The security model required developers to manually append new configuration keys to the blocklist whenever a new model provider was integrated into the application.

Commit 2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1 addresses this oversight by expanding the explicit blocklist and enhancing the generic suffix protections. The patch modifies the environment variable filtering logic to catch broader patterns and specific overlooked keys.

The patch adds MINIMAX_API_HOST to BLOCKED_WORKSPACE_DOTENV_KEYS and introduces _API_HOST to the BLOCKED_WORKSPACE_DOTENV_SUFFIXES array. This defense-in-depth approach fixes the immediate flaw and hardens the application against variant attacks on future providers.

const BLOCKED_WORKSPACE_DOTENV_KEYS = new Set([
  // ... other keys
  "CLAWHUB_URL",
  "HTTP_PROXY",
  "HTTPS_PROXY",
+ "MINIMAX_API_HOST",
  "NODE_TLS_REJECT_UNAUTHORIZED",
  // ...
]);
 
// Block endpoint redirection for any service without overfitting per-provider names.
- const BLOCKED_WORKSPACE_DOTENV_SUFFIXES = ["_BASE_URL"];
+ const BLOCKED_WORKSPACE_DOTENV_SUFFIXES = ["_API_HOST", "_BASE_URL"];

Exploitation requires the attacker to construct a malicious repository containing a .env file at the project root. This configuration file must specify an attacker-controlled server using the MINIMAX_API_HOST environment variable.

The attacker distributes this repository using social engineering techniques, presenting it as a pre-configured AI template or utility project. The exploit chain initiates when the victim clones the repository and opens it within the OpenClaw application.

Once the workspace is active, any application action that invokes the MiniMax provider, such as Text-to-Speech or image analysis tasks, triggers an outbound HTTP request. OpenClaw dynamically resolves the target URL using the injected MINIMAX_API_HOST value.

The attacker's server receives the request, which includes the victim's MiniMax API key encapsulated within the HTTP Authorization header. The attacker records this bearer token for subsequent unauthorized use.

The primary impact of this vulnerability is the direct exfiltration of sensitive authentication material (CWE-200). An attacker successfully exploiting this flaw gains complete access to the user's MiniMax API credentials without requiring local code execution.

Stolen API keys enable unauthorized consumption of billable model resources, leading to direct financial impact for the victim. Attackers utilize these compromised credentials for bulk inference tasks or resell them through secondary markets.

The severity of the attack is compounded by its stealth. The user interface does not present any warnings when endpoint routing is overridden by a workspace configuration, allowing the exfiltration to persist unnoticed across multiple sessions.

The vulnerability necessitates user interaction to clone and open the malicious repository, which constrains the exploitability scope. However, the prevalence of shared templates in developer workflows makes this a highly viable attack vector in practice.

The vendor addressed the vulnerability in OpenClaw version 2026.4.20. Users must upgrade their application instances to this version or newer to mitigate the environment variable injection vector completely.

Users who suspect they have interacted with untrusted repositories containing customized .env files must immediately revoke their existing MiniMax API keys. They should generate new credentials within the provider's management console to invalidate any compromised tokens.

System administrators and security teams can detect attempted exploitation by scanning local workspace directories for .env files containing anomalous _API_HOST or _BASE_URL declarations pointing to unrecognized domains.

Software developers integrating third-party APIs must adopt secure-by-default configuration strategies. Applications should strictly separate global sensitive credentials from locally mutable environment variables to prevent localized overrides from hijacking authenticated requests.