Arbitrary Code Execution Vulnerability in OpenClaw by OpenClaw
CVE-2026-45004

8.4HIGH

Key Information:

Vendor: Openclaw
Status: Openclaw
Vendor: CVE Published:; 11 May 2026

What is CVE-2026-45004?

OpenClaw versions prior to 2026.4.23 contain a vulnerability that allows attackers to execute arbitrary JavaScript code. This occurs through the bundled plugin setup resolver, which erroneously loads the setup-api.js file from the current working directory. If an attacker places a malicious setup-api.js file in a user’s repository and persuades them to execute OpenClaw commands from that location, they can run arbitrary code under the user’s account. This poses a significant risk to the integrity of systems utilizing OpenClaw, highlighting the importance of security patches and code execution controls.

Affected Version(s)

OpenClaw 0 < 2026.4.23

OpenClaw 2026.4.23

References

https://github.com/openclaw/openclaw/security/advisories/...

vendor-advisory

https://github.com/openclaw/openclaw/commit/993781e6e6eaf...

patch

https://www.vulncheck.com/advisories/openclaw-arbitrary-c...

third-party-advisory

CVSS V4

Score:

8.4

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 11, 2026
Vulnerability Reserved
May 8, 2026

Credit

Mirr2

CVE-2026-45004 Data

JSON

Openclaw

What is CVE-2026-45004?

Affected Version(s)

References

CVSS V4

Timeline

Credit