PT-2026-39693 · Openclaw · Openclaw

Mirr2

·

Published

2026-05-05

·

Updated

2026-05-11

·

CVE-2026-45004

CVSS v4.0

8.4

High

VectorAV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.23
Description An arbitrary code execution issue exists in the bundled plugin setup resolver. During provider setup metadata resolution, the system loads setup-api.js from process.cwd(). An attacker can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory.
Recommendations Update to version 2026.4.23 or later.

Exploit

Fix

Uncontrolled Search Path Element

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45004
GHSA-R39H-4C2P-3JXP
GHSA-XPR6-2HGM-4WWP

Affected Products

Openclaw