OpenClaw's bundled plugin setup resolver could fall back to process.cwd() while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing extensions/<plugin>/setup-api.js, OpenClaw could load and execute that JavaScript during ordinary provider/model status resolution.
This is arbitrary JavaScript execution in the OpenClaw process under the current user account. A malicious repository could run code when the user executed commands such as provider/model inspection from that directory. The issue does not require gateway network exposure, but it does require user interaction: the user must run OpenClaw from a directory containing the attacker-controlled setup file.
openclaw on npm2026.4.232026.4.23[email protected], tag v2026.4.23OpenClaw now resolves bundled setup fallbacks only from the canonical package/repository root and no longer includes process.cwd() as a trusted setup-api search root. A regression test verifies that a workspace-local extensions/<plugin>/setup-api.js is not loaded through provider setup resolution.
993781e6e6eaf50f033cfc3e3bf4f47059740707 (fix(plugins): ignore cwd setup-api fallback)Severity remains high because successful exploitation allows arbitrary code execution under the user running OpenClaw. The CVSS vector is local/user-interaction scoped rather than network-only because the victim must run OpenClaw from an attacker-controlled directory.
| Score | Percentile |
|---|---|
| 0.01% | 2.88% |
| Base score | Version | Severity | Vector |
|---|---|---|---|
| 7.8 | 3.1 | — |
|
| Type | Value |
|---|---|
| GHSA | GHSA-r39h-4c2p-3jxp ↗ |
| CVE | CVE-2026-45004 ↗ |
| CWE id | Name |
|---|---|
| CWE-94 | Improper Control of Generation of Code ('Code Injection') |
Vulnerable version ranges and first patched releases as published by GitHub.
| Ecosystem | Package | Vulnerable range | First patched | Vulnerable functions |
|---|---|---|---|---|
| npm | openclaw | < 2026.4.23 | 2026.4.23 | — |