CVE-2026-45004 Overview
CVE-2026-45004 is an arbitrary code execution vulnerability in OpenClaw versions prior to 2026.4.23. The flaw resides in the bundled plugin setup resolver, which loads setup-api.js from process.cwd() during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by planting a malicious extensions/<plugin>/setup-api.js file in a repository and convincing a user to run OpenClaw commands from that directory. The issue is classified as [CWE-427] Uncontrolled Search Path Element.
Critical Impact
Successful exploitation grants attackers arbitrary code execution under the invoking user's account, leading to full confidentiality, integrity, and availability compromise of the local user context.
Affected Products
- OpenClaw (Node.js distribution) versions before 2026.4.23
- OpenClaw bundled plugin setup resolver component (src/plugins/setup-registry.ts)
- Any repository workflow invoking OpenClaw commands from an untrusted working directory
Discovery Timeline
- 2026-05-11 - CVE-2026-45004 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-45004
Vulnerability Analysis
The vulnerability resides in OpenClaw's plugin setup resolver, which constructs candidate repository roots when locating bundled extension metadata. The resolver included process.cwd() as a fallback root when searching for extensions/<plugin>/setup-api.js. As a result, OpenClaw would load and execute JavaScript from the user's current working directory without validating its origin. Because Node.js executes loaded modules immediately, any code in the attacker-controlled setup-api.js runs with the privileges of the invoking user.
The attack does not require elevated privileges or network access. Exploitation depends on a user running OpenClaw inside a repository or directory under attacker influence, a common pattern for developer tooling that processes untrusted source trees. The result is full arbitrary code execution on the local host.
Root Cause
The root cause is an untrusted search path in the plugin setup resolver. The function built repoRootCandidates containing both the module-relative root and process.cwd(), then attempted to load setup-api.js from the first candidate that contained a matching extension directory. Loading executable code from process.cwd() violates the principle of trusted module resolution and matches the [CWE-427] pattern.
Attack Vector
An attacker commits a malicious extensions/<plugin>/setup-api.js to a repository. When a victim clones the repository and runs an OpenClaw command from that directory, the resolver evaluates process.cwd() and executes the attacker's JavaScript. The vector is local with user interaction, but the prerequisites map cleanly to standard developer workflows.
}
const bundledExtensionDir = path.basename(rootDir);
- const repoRootCandidates = [
- path.resolve(path.dirname(CURRENT_MODULE_PATH), "..", ".."),
- process.cwd(),
- ];
+ const repoRootCandidates = [path.resolve(path.dirname(CURRENT_MODULE_PATH), "..", "..")];
for (const repoRoot of repoRootCandidates) {
const sourceExtensionRoot = path.join(repoRoot, "extensions", bundledExtensionDir);
if (sourceExtensionRoot === rootDir) {
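Review bot: the hunk removes process.cwd() from repoRootCandidates but leaves nothing that prevents it from being reintroduced; add a comment on the now single-element array stating that the working directory is deliberately excluded because it is attacker-influenced (CWE-427), and a regression test asserting that an extensions/<plugin>/setup-api.js placed in the current working directory is not resolved. Since only the module-relative root remains, consider whether the array and the for loop are still warranted or whether a single `repoRoot` constant would read more clearly.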
Source: GitHub patch commit 993781e. The patch removes process.cwd() from the candidate list, eliminating the untrusted search path.
Detection Methods for CVE-2026-45004
Indicators of Compromise
- Presence of an unexpected extensions/<plugin>/setup-api.js file within a cloned repository or working directory used to invoke OpenClaw.
- Child processes spawned by the OpenClaw Node.js runtime that deviate from documented plugin behavior, such as shell invocations, outbound network connections, or file writes outside the project tree.
- Modifications to user-writable persistence locations (shell profiles, scheduled tasks, SSH keys) shortly after running OpenClaw commands.
Detection Strategies
- Inspect repositories for files matching the path pattern extensions/*/setup-api.js that are not part of the upstream OpenClaw distribution.
- Audit command-line history for OpenClaw invocations executed from third-party repository directories.
- Monitor Node.js process trees for unusual child process creation correlated with OpenClaw execution.
Monitoring Recommendations
- Enable endpoint process telemetry to capture parent-child relationships for node processes launching OpenClaw.
- Centralize developer workstation logs and alert on file creation events targeting setup-api.js within untrusted repository clones.
- Track OpenClaw version inventory across developer endpoints to identify hosts still running versions earlier than 2026.4.23.
How to Mitigate CVE-2026-45004
Immediate Actions Required
- Upgrade OpenClaw to version 2026.4.23 or later on all developer and build systems.
- Audit existing repositories used with OpenClaw for unauthorized extensions/<plugin>/setup-api.js files and remove any not sourced from trusted upstreams.
- Restrict OpenClaw execution to vetted repositories until patching is complete across the environment.
Patch Information
The vendor fix is implemented in commit 993781e6e6eaf50f033cfc3e3bf4f47059740707, which removes process.cwd() from the repoRootCandidates array in src/plugins/setup-registry.ts. Details are available in the GitHub Security Advisory GHSA-r39h-4c2p-3jxp and the VulnCheck advisory.
Workarounds
- Run OpenClaw only from trusted directories that you control, such as a dedicated tooling workspace outside cloned third-party repositories.
- Use a least-privilege user account for OpenClaw execution to limit the blast radius of arbitrary code execution.
- Apply repository review policies that flag additions of extensions/*/setup-api.js files in pull requests.
# Verify installed OpenClaw version and upgrade
npm ls -g openclaw
npm install -g openclaw@2026.4.23
# Scan a repository for the vulnerable plugin path before invoking OpenClaw
find . -path '*/extensions/*/setup-api.js' -print
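The find command above only lists candidate paths. As an added example (not part of the advisory or of the OpenClaw project), the Python scanner below serves both the detection strategy and the repository-audit action described earlier: it walks a clone for every extensions/<plugin>/setup-api.js and compares each hit against the copy shipped in the installed OpenClaw package; the install location (openclaw_root), the plugin names and the fixture contents are assumptions constructed for the demo.

```python
import hashlib
import os
import tempfile
from pathlib import Path

def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def find_setup_api_files(tree):
    """(plugin, relative path) for every extensions/<plugin>/setup-api.js below tree.
    Any subdirectory may become process.cwd(), so the whole tree is walked."""
    tree = Path(tree)
    hits = []
    for dirpath, _dirs, files in os.walk(tree):
        d = Path(dirpath)
        if "setup-api.js" in files and d.parent.name == "extensions":
            hits.append((d.name, (d / "setup-api.js").relative_to(tree).as_posix()))
    return sorted(hits)

def audit_repo(repo_root, openclaw_root):
    """Flag every setup-api.js in repo_root that is not byte-identical to the copy under
    openclaw_root/extensions/<plugin>/ (assumed to be the installed package directory)."""
    findings = []
    for plugin, rel in find_setup_api_files(repo_root):
        upstream = Path(openclaw_root, "extensions", plugin, "setup-api.js")
        if not upstream.is_file():
            findings.append((rel, "plugin is not bundled with the installed OpenClaw"))
        elif sha256_file(Path(repo_root, rel)) != sha256_file(upstream):
            findings.append((rel, "content differs from the bundled copy"))
    return findings

def demo():
    """Constructed fixture: a fake install with one bundled plugin 'alpha', and a clone
    holding an identical copy, a modified copy, and a plugin 'beta' the install lacks."""
    with tempfile.TemporaryDirectory() as tmp:
        install, clone = Path(tmp, "openclaw"), Path(tmp, "clone")
        def write(p, text):
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_text(text)
        write(install / "extensions/alpha/setup-api.js", "module.exports = {};\n")
        write(clone / "extensions/alpha/setup-api.js", "module.exports = {};\n")
        write(clone / "vendor/extensions/alpha/setup-api.js", "module.exports = { changed: true };\n")
        write(clone / "extensions/beta/setup-api.js", "module.exports = {};\n")
        return audit_repo(clone, install)
```

Point audit_repo at a real clone and at the installed package's directory to list only the files that differ from, or are absent in, the upstream distribution.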
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.