PT-2026-39693 · Openclaw · Openclaw
Mirr2
·
Published
2026-05-05
·
Updated
2026-05-11
·
CVE-2026-45004
CVSS v4.0
8.4
High
| Vector | AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.4.23
Description
An arbitrary code execution issue exists in the bundled plugin setup resolver. During provider setup metadata resolution, the system loads
setup-api.js from process.cwd(). An attacker can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory.Recommendations
Update to version 2026.4.23 or later.
Exploit
Fix
Uncontrolled Search Path Element
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw