OpenClaw RCE: Arbitrary Code Execution via Plugin Setup Resolver
The National Vulnerability Database has disclosed CVE-2026-45004, a high-severity arbitrary code execution vulnerability affecting OpenClaw versions prior to 2026.4.23. The flaw, rated CVSS 7.8 (High), stems from a weakness in the bundled plugin setup resolver, which loads `setup-api.js` from the current working directory during provider setup metadata resolution.
An attacker can exploit this by placing a malicious `extensions/<plugin>/setup-api.js` file in a repository. If a user is then convinced to run OpenClaw commands from that directory, the malicious JavaScript executes with the current user's privileges. This is a significant risk for developers and users who work with untrusted repositories or shared environments.
This isn’t a complex exploit. It leverages a basic trust issue: code execution from the current directory. Defenders need to understand the attacker’s calculus here: social engineering is the primary vector. Convince a user to clone a repo and run a command, and it’s game over. This is a supply chain risk, even if it’s user-driven.
What This Means For You
- If your development teams use OpenClaw, immediately ensure all installations are updated to version 2026.4.23 or newer. Educate developers on the risks of executing commands in untrusted directories, especially for tools that resolve scripts from `process.cwd()`. This vulnerability is a clear reminder that user execution context is a prime target for initial access.
🛡️ Detection Rules
CVE-2026-45004 - OpenClaw Arbitrary Code Execution via Malicious setup-api.js
```yaml
title: CVE-2026-45004 - OpenClaw Arbitrary Code Execution via Malicious setup-api.js
id: scw-2026-05-11-ai-1
status: experimental
level: critical
description: |
  Detects the execution of OpenClaw commands that attempt to load a 'setup-api.js' file from a subdirectory named 'extensions/<plugin>', indicating a potential attempt to exploit CVE-2026-45004 by loading a malicious plugin setup script.
author: SCW Feed Engine (AI-generated)
date: 2026-05-11
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-45004/
tags:
  - attack.execution
  - attack.t1204.002
logsource:
  category: process_creation
detection:
  selection:
    Image|endswith:
      - 'openclaw'
    CommandLine|contains:
      - 'extensions/'
      - '/setup-api.js'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-45004 | RCE | OpenClaw software |
| CVE-2026-45004 | RCE | OpenClaw versions before 2026.4.23 |
| CVE-2026-45004 | RCE | Vulnerable component: bundled plugin setup resolver |
| CVE-2026-45004 | RCE | Vulnerable file: setup-api.js loaded from process.cwd() |
| CVE-2026-45004 | RCE | Attack vector: malicious extensions/ |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 11, 2026 at 21:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.