Uncontrolled Search Path Element

CVE-2026-45004

High

8.4/10

Summary

OpenClaw prior to 2026.4.23-beta.1 contains an arbitrary code execution vulnerability in the bundled plugin setup resolver that loads setup-api.js from `process.cwd()` during provider setup metadata resolution. Attackers can execute arbitrary JavaScript under the current user account by placing a malicious `extensions/<plugin>/setup-api.js` file in a repository and convincing a user to run OpenClaw commands from that directory.

Attack Complexity: LOW
Attack Vector: LOCAL
Integrity Impact: HIGH
Scope: UNCHANGED
User Interaction: REQUIRED
Privileges Required: NONE
Confidentiality Impact: HIGH
Availability Impact: HIGH

CWE-427 - Uncontrolled Search Path Element

The product uses a fixed or controlled search path to find resources, but one or more locations in that path can be under the control of unintended actors.

References

Advisory
Advisory

Advisory Timeline

Published May 11, 2026

Uncontrolled Search Path Element

CVE-2026-45004

Summary

CWE-427 - Uncontrolled Search Path Element

References

Advisory Timeline

ChainJacking

JetBrains IDE

KICS SaaS