CVE-2026-45004
HIGHOpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
Title source: cnaDescription
OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory.
References (3)
Core 3
Core References
Vendor Advisory vendor-advisory
GitHub Security Advisory (GHSA-r39h-4c2p-3jxp)
https://github.com/openclaw/openclaw/security/advisories/GHSA-r39h-4c2p-3jxp
Patch patch
Patch Commit
https://github.com/openclaw/openclaw/commit/993781e6e6eaf50f033cfc3e3bf4f47059740707
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenClaw < 2026.4.23 - Arbitrary Code Execution via setup-api.js in Current Working Directory
https://www.vulncheck.com/advisories/openclaw-arbitrary-code-execution-via-setup-api-js-in-current-working-directory
Scores
CVSS v3
7.8
EPSS
0.0001
EPSS Percentile
3.0%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-427
Status
published
Products (4)
npm/openclaw
0 - 2026.4.23npm
OpenClaw/OpenClaw
< 2026.4.23
openclaw/openclaw
< 2026.4.23
OpenClaw/OpenClaw
2026.4.23
Published
May 11, 2026
Tracked Since
May 11, 2026