What is CVE-2026-45004?

A critical arbitrary code execution vulnerability in OpenClaw before 2026.4.23 where the plugin setup resolver loads setup-api.js from the current working directory, allowing attackers to run malicious JavaScript.

How is CVE-2026-45004 exploited?

An attacker places a malicious extensions/ /setup-api.js file in a repository. When a user clones the repo and runs OpenClaw commands, the resolver loads and executes the attacker-controlled code.

Which OpenClaw versions are affected by CVE-2026-45004?

All versions before 2026.4.23 are affected. Users should update to 2026.4.23 or later immediately.

What is the CVSS score for CVE-2026-45004?

The vulnerability has a high severity rating, enabling arbitrary JavaScript execution under the current user account context.

How to fix CVE-2026-45004?

Update OpenClaw to version 2026.4.23 or later. Avoid running OpenClaw commands in untrusted repository directories.

← Back to dashboard

clawsmith.com/signal/cve-2026-45004-arbitrary-code-execution-plugin-setup

⚠ IssueWide OpenLive

CVE-2026-45004: Arbitrary Code Execution in OpenClaw Plugin Setup Resolver

OpenClaw before 2026.4.23 allows arbitrary code execution via a malicious setup-api.js file placed in a repository extensions directory. When a user runs OpenClaw commands from that directory, the resolver loads and executes the attacker-controlled JavaScript.

Product Idea from this Signal

A CLI tool that scans a running OpenClaw instance for active CVEs, malicious skills, and supply chain tampering before they get exploited

807 ▲

OpenClaw has accumulated 433+ CVEs in five months including critical auth bypasses (CVSS 9.8), sandbox escapes, and nation-state supply chain attacks targeting the npm ecosystem. Most operators have no idea which CVEs affect their specific version, whether their installed skills contain backdoors, or if their dependency tree has been tampered with. This tool runs a comprehensive security audit against a live OpenClaw instance and outputs an actionable remediation plan.

CLIOPEN-SOURCESECURITYDEVTOOLAUDIT

CompetitiveView Opportunity →