VYPR
High severity · 7.8 · NVD Advisory · Published May 11, 2026 · Updated May 13, 2026

CVE-2026-45004

Description

OpenClaw before 2026.4.23 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory.
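To make the resolution pattern in the description concrete, here is an added example (not OpenClaw's code) that models a bundled-plugin resolver as an ordered search over candidate repository roots, with a `trustCwd` flag that reproduces the pre-fix candidate list (install root first, then `process.cwd()`), beside the module-root-only form the fix moves to. The names `resolveSetupApiPath`, `ResolverOptions`, `isContainedIn`, `buildScenario`, `runDemo` and the plugin id `example-plugin` are assumptions for this example; the real resolver matches on the extension root and loads the module through jiti, which this model simplifies to an existence check. The scenario it builds is constructed in a temp directory: an install root with no `extensions/` (as a packaged build might look) and a workspace carrying `extensions/example-plugin/setup-api.js` as an inert placeholder for the file a hostile checkout would ship.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Hypothetical model of the resolution pattern described in the advisory (added example,
// not OpenClaw's code): a bundled plugin's setup-api.js is searched for under
// <repoRoot>/extensions/<plugin>/ for each candidate repo root in order, and the first
// existing file wins. Which roots are candidates is the whole security decision.
export interface ResolverOptions {
  moduleRepoRoot: string; // derived from the tool's own install location: trusted
  cwd: string;            // process.cwd(): chosen by whoever controls the checkout
  trustCwd: boolean;      // true reproduces the pre-fix candidate list
}

export function resolveSetupApiPath(pluginId: string, opts: ResolverOptions): string | null {
  const candidates = opts.trustCwd ? [opts.moduleRepoRoot, opts.cwd] : [opts.moduleRepoRoot];
  for (const repoRoot of candidates) {
    const candidate = path.join(repoRoot, "extensions", pluginId, "setup-api.js");
    if (fs.existsSync(candidate)) {
      return candidate;
    }
  }
  return null;
}

// Containment check usable as a second line of defence before loading anything: a path is
// "inside" root only if the relative path from root to it is non-empty and does not climb out.
export function isContainedIn(candidate: string, root: string): boolean {
  const rel = path.relative(path.resolve(root), path.resolve(candidate));
  if (rel === "" || path.isAbsolute(rel)) return false;
  return rel !== ".." && !rel.startsWith(`..${path.sep}`);
}

// Constructed scenario: an install root with no extensions/ directory and a workspace that
// carries extensions/<plugin>/setup-api.js. The file content is an inert placeholder.
export function buildScenario(pluginId = "example-plugin"): { installRoot: string; workspaceRoot: string } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), "setup-api-demo-"));
  const installRoot = path.join(base, "install");
  const workspaceRoot = path.join(base, "workspace");
  const shadowDir = path.join(workspaceRoot, "extensions", pluginId);
  fs.mkdirSync(installRoot, { recursive: true });
  fs.mkdirSync(shadowDir, { recursive: true });
  fs.writeFileSync(path.join(shadowDir, "setup-api.js"), "// constructed placeholder, never executed\n", "utf-8");
  return { installRoot, workspaceRoot };
}

export interface DemoResult {
  vulnerable: string | null; // what the pre-fix candidate list resolves to
  fixed: string | null;      // what the module-root-only list resolves to
  vulnerableEscapesInstallRoot: boolean;
}

// Runs both candidate lists against the same scenario so the difference is visible.
export function runDemo(): DemoResult {
  const { installRoot, workspaceRoot } = buildScenario();
  const common = { moduleRepoRoot: installRoot, cwd: workspaceRoot };
  const vulnerable = resolveSetupApiPath("example-plugin", { ...common, trustCwd: true });
  const fixed = resolveSetupApiPath("example-plugin", { ...common, trustCwd: false });
  return {
    vulnerable,
    fixed,
    vulnerableEscapesInstallRoot: vulnerable !== null && !isContainedIn(vulnerable, installRoot),
  };
}

console.log(runDemo());
```

The pre-fix list resolves to the workspace file because the install root has nothing to offer and `process.cwd()` is consulted next; the fixed list returns `null` for the same scenario. The containment check is the belt-and-braces addition a reviewer might ask for: even if a candidate list is later extended, a resolved path outside the trusted install root can be refused before any loader is invoked.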

Affected products

1

Patches

1
993781e6e6ea

fix(plugins): ignore cwd setup-api fallback

https://github.com/openclaw/openclaw · Devin Robison · Apr 23, 2026 · via nvd-ref
2 files changed · +34 −4
  • src/plugins/setup-registry.test.ts +33 −0 modified
    @@ -349,6 +349,39 @@ describe("setup-registry getJiti", () => {
         expect(mocks.createJiti.mock.calls[0]?.[0]).toBe(path.join(pluginRoot, "setup-api.js"));
       });
     
    +  it("does not load setup-api modules from the current working directory", () => {
    +    const pluginRoot = makeTempDir();
    +    const workspaceRoot = makeTempDir();
    +    const maliciousExtensionRoot = path.join(workspaceRoot, "extensions", "workspace-shadow");
    +    fs.mkdirSync(maliciousExtensionRoot, { recursive: true });
    +    fs.writeFileSync(
    +      path.join(maliciousExtensionRoot, "setup-api.js"),
    +      "export default { register(api) { api.registerProvider({ id: 'openai', label: 'OpenAI', auth: [] }); } };\n",
    +      "utf-8",
    +    );
    +    mocks.loadPluginManifestRegistry.mockReturnValue({
    +      plugins: [
    +        {
    +          id: "workspace-shadow",
    +          rootDir: pluginRoot,
    +          setup: {
    +            providers: [{ id: "openai" }],
    +          },
    +        },
    +      ],
    +      diagnostics: [],
    +    });
    +
    +    const cwdSpy = vi.spyOn(process, "cwd").mockReturnValue(workspaceRoot);
    +    try {
    +      expect(resolvePluginSetupProvider({ provider: "openai", env: {} })).toBeUndefined();
    +    } finally {
    +      cwdSpy.mockRestore();
    +    }
    +
    +    expect(mocks.createJiti).not.toHaveBeenCalled();
    +  });
    +
       it("resolves setup cli backends from descriptors without loading every setup-api", () => {
         const openaiRoot = makeTempDir();
         const anthropicRoot = makeTempDir();
    
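Review bot: the negative assertions (`toBeUndefined()` and `createJiti` never called) only prove that the cwd-derived path was rejected if `pluginRoot` itself contains no `setup-api.js`, and nothing in the hunk says so; a one-line comment on `const pluginRoot = makeTempDir();` stating that the directory is intentionally empty would stop a later change to `makeTempDir` from silently weakening the test. The test also writes `extensions/workspace-shadow/setup-api.js` into the workspace temp dir and never removes it, so confirm that `makeTempDir` registers cleanup or add an `afterEach` removal.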
  • src/plugins/setup-registry.ts +1 −4 modified
    @@ -195,10 +195,7 @@ function resolveSetupApiPath(rootDir: string): string | null {
       }
     
       const bundledExtensionDir = path.basename(rootDir);
    -  const repoRootCandidates = [
    -    path.resolve(path.dirname(CURRENT_MODULE_PATH), "..", ".."),
    -    process.cwd(),
    -  ];
    +  const repoRootCandidates = [path.resolve(path.dirname(CURRENT_MODULE_PATH), "..", "..")];
       for (const repoRoot of repoRootCandidates) {
         const sourceExtensionRoot = path.join(repoRoot, "extensions", bundledExtensionDir);
         if (sourceExtensionRoot === rootDir) {
    
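Review bot: after dropping `process.cwd()`, `repoRootCandidates` is a single-element array driving a `for` loop, which reads as if further candidates were still expected; either collapse it to one `const repoRoot = path.resolve(path.dirname(CURRENT_MODULE_PATH), "..", "..");` or leave a comment at the array literal explaining that the current working directory is deliberately not a candidate because it is controlled by whoever owns the checkout the CLI is run from, so the fallback is not reintroduced later. The remaining `sourceExtensionRoot === rootDir` comparison is a plain string equality, so a non-normalized `rootDir` simply fails to match rather than being rejected; that is safe, but worth a line of documentation above the loop.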

References

3