What is GHSA-4mhr-cxr4-2prm?

GHSA-4mhr-cxr4-2prm is a security advisory published by GitHub Security Advisories with Medium severity. Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Why does GHSA-4mhr-cxr4-2prm have no CVE ID yet?

GitHub Security Advisories published this advisory directly to customers before NVD assigned a CVE ID. This is the embargo-window disclosure pattern — vendors notify customers on day 0; NVD's public record follows days to weeks later.

What is the CVSS v3 score of GHSA-4mhr-cxr4-2prm?

GHSA-4mhr-cxr4-2prm has a CVSS v3 base score of 5.0, published by GitHub Security Advisories.

Which products are affected by GHSA-4mhr-cxr4-2prm?

GHSA-4mhr-cxr4-2prm affects 1 product, including: npm/openclaw:\u003e= 2026.4.5, \u003c 2026.4.20.

⚠ Withdrawn by GitHub Security Advisories

Withdrawn: May 18, 2026

GHSA-4mhr-cxr4-2prmMediumCVSS 5.0Disclosed before NVD

Duplicate Advisory: OpenClaw: Workspace dotenv MiniMax host override could redirect credentialed requests

Vendor

GitHub Security Advisories

Published

May 11, 2026

Last Modified

May 18, 2026

📋 Description

### Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-h2vw-ph2c-jvwf. This link is maintained to preserve external references. ### Original Description OpenClaw versions 2026.4.5 before 2026.4.20 contain an environment variable injection vulnerability allowing workspace dotenv to override MINIMAX_API_HOST. Attackers can redirect credentialed MiniMax API requests to attacker-controlled origins, exposing the MiniMax API key in Authorization headers.

🎯 Affected products1

npm/openclaw:>= 2026.4.5, < 2026.4.20

🔗 References (5)

https://github.com/openclaw/openclaw/security/advisories/GHSA-h2vw-ph2c-jvwf
https://nvd.nist.gov/vuln/detail/CVE-2026-44992
https://github.com/openclaw/openclaw/commit/2f06696579a1ab0cb5bbbbb6a900414a6b2e3cd1
https://www.vulncheck.com/advisories/openclaw-minimax-api-host-override-via-workspace-dotenv
https://github.com/advisories/GHSA-4mhr-cxr4-2prm