GHSA-r39h-4c2p-3jxp: OpenClaw: RCE via malicious repo setup-api.js

GHSA-r39h-4c2p-3jxp HIGH
Published May 5, 2026
CISO Take

OpenClaw's plugin setup resolver unsafely falls back to process.cwd() when locating provider metadata, allowing any extensions/<plugin>/setup-api.js file present in the working directory to be loaded and executed as JavaScript under the current user's privileges. While exploitation requires user interaction—specifically running OpenClaw commands from an attacker-controlled directory—this is a realistic threat in AI development workflows where engineers routinely clone and evaluate third-party model provider repositories. A related AI incident (AIID #1368) confirms that OpenClaw's plugin ecosystem has already been actively abused for credential exfiltration via malicious skills, making this attack surface demonstrated rather than theoretical. No public exploit or active KEV listing exists, but exploitation complexity is trivially low—the attacker only needs a correctly named file in a directory the victim works from. Upgrade to openclaw 2026.4.23 immediately and prohibit running OpenClaw commands from cloned or untrusted repositories.

Sources: GitHub Advisory, ATLAS, AIID

What is the risk?

CVSS 7.8 High with local attack vector (AV:L) and required user interaction (UI:R) constrains automated mass exploitation. However, attack complexity is Low (AC:L) with no privileges required (PR:N), meaning any developer who clones a malicious AI repository and runs standard OpenClaw commands is at full risk. AI development teams face disproportionate exposure due to frequent interaction with third-party model providers, skill libraries, and community-published repositories. Full CIA impact (C:H/I:H/A:H) means successful exploitation results in complete workstation compromise with potential lateral movement to cloud credentials and production AI systems. Prior AIID incident #1368 confirms the underlying attack pattern is operationally viable in the OpenClaw ecosystem.

How does the attack unfold?

  1. Capability Staging (AML.T0079): Adversary creates a public repository containing a crafted extensions/<plugin>/setup-api.js with a Node.js payload targeting LLM API keys and cloud credentials.

  2. User Execution (AML.T0011): Developer clones the attacker's repository and runs a routine OpenClaw command such as provider list or model status from within the repository directory.

  3. Code Execution (AML.T0050): OpenClaw's plugin resolver falls back to process.cwd() and silently loads the attacker's setup-api.js, executing it within the OpenClaw process under the developer's account.

  4. Credential Exfiltration (AML.T0025): The payload harvests LLM API keys, cloud tokens, and SSH credentials from the developer's environment and exfiltrates them to an attacker-controlled endpoint for follow-on access.

What systems are affected?

Package: OpenClaw
Ecosystem: npm
Vulnerable range: < 2026.4.23
Patched: 2026.4.23
4 dependents, 36% patched, ~3d to patch

Do you use OpenClaw? You're affected.

How severe is it?

CVSS 3.1
7.8 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
Trivial

What is the attack surface?

AV: Local
AC: Low
PR: None
UI: Required
S: Unchanged
C: High
I: High
A: High

What should I do?

5 steps
  1. Patch immediately: Upgrade openclaw to version 2026.4.23 or later—this release eliminates process.cwd() from the trusted plugin setup-api search path and includes a regression test.

  2. Detect: Audit for unexpected extensions/<plugin>/setup-api.js files in project working directories, CI/CD workspace clones, and recently pulled repositories.

  3. Workaround (pre-patch): Never run OpenClaw commands from cloned or externally sourced directories; restrict execution to verified internal package directories only.

  4. CI/CD hardening: Ensure OpenClaw commands in pipelines execute in clean, isolated environments separate from repository root directories, with least-privilege process accounts.

  5. Review your AI toolchain for other tools that perform plugin or extension resolution, applying the same directory-isolation and trust-boundary principles.

How is it classified?

Which compliance frameworks are affected?

This CVE is relevant to:

EU AI Act
Art. 15 - Accuracy, robustness and cybersecurity
ISO 42001
8.5 - AI system supply chain
NIST AI RMF
GOVERN 6.2 - AI supply chain risk management policies
OWASP LLM Top 10
LLM03:2025 - Supply Chain Vulnerabilities

Frequently Asked Questions

Is GHSA-r39h-4c2p-3jxp actively exploited?

No confirmed active exploitation of GHSA-r39h-4c2p-3jxp has been reported, but organizations should still patch proactively.

What systems are affected by GHSA-r39h-4c2p-3jxp?

This vulnerability affects the following AI/ML architecture patterns: AI agent development environments, developer workstations using AI agent tooling, CI/CD pipelines with AI tooling, plugin and skill ecosystems for AI agents.

What is the CVSS score for GHSA-r39h-4c2p-3jxp?

GHSA-r39h-4c2p-3jxp has a CVSS v3.1 base score of 7.8 (HIGH).

What is the AI security impact?

Affected AI Architectures

AI agent development environments
developer workstations using AI agent tooling
CI/CD pipelines with AI tooling
plugin and skill ecosystems for AI agents

MITRE ATLAS Techniques

AML.T0010.005 AI Agent Tool
AML.T0011 User Execution
AML.T0050 Command and Scripting Interpreter
AML.T0079 Stage Capabilities

Compliance Controls Affected

EU AI Act: Art. 15
ISO 42001: 8.5
NIST AI RMF: GOVERN 6.2
OWASP LLM Top 10: LLM03:2025

What are the technical details?

Original Advisory

## Summary

OpenClaw's bundled plugin setup resolver could fall back to `process.cwd()` while resolving provider setup metadata. If a user ran an OpenClaw command from an attacker-controlled repository containing `extensions/<plugin>/setup-api.js`, OpenClaw could load and execute that JavaScript during ordinary provider/model status resolution.

## Impact

This is arbitrary JavaScript execution in the OpenClaw process under the current user account. A malicious repository could run code when the user executed commands such as provider/model inspection from that directory. The issue does not require gateway network exposure, but it does require user interaction: the user must run OpenClaw from a directory containing the attacker-controlled setup file.

## Affected Packages / Versions

- Package: `openclaw` on npm
- Affected: versions before `2026.4.23`
- Fixed: `2026.4.23`
- Latest stable verified fixed: `openclaw@2026.4.23`, tag `v2026.4.23`

## Fix

OpenClaw now resolves bundled setup fallbacks only from the canonical package/repository root and no longer includes `process.cwd()` as a trusted setup-api search root. A regression test verifies that a workspace-local `extensions/<plugin>/setup-api.js` is not loaded through provider setup resolution.

## Fix Commit(s)

- `993781e6e6eaf50f033cfc3e3bf4f47059740707` (`fix(plugins): ignore cwd setup-api fallback`)

## Severity

Severity remains `high` because successful exploitation allows arbitrary code execution under the user running OpenClaw. The CVSS vector is local/user-interaction scoped rather than network-only because the victim must run OpenClaw from an attacker-controlled directory.

Exploitation Scenario

An adversary targeting an AI development team publishes a GitHub repository mimicking a legitimate AI model provider or OpenClaw skill library, embedding a crafted extensions/<plugin>/setup-api.js containing a Node.js payload that harvests environment variables for LLM API keys and cloud credentials. The repository is promoted via AI community forums, skill registries, or through social engineering targeting developers evaluating new providers. When a developer clones the repository and runs a routine OpenClaw command—such as listing available providers or checking model status—from within the project directory, OpenClaw's resolver falls back to process.cwd() and silently loads and executes the attacker's JavaScript. The payload exfiltrates credentials to an attacker-controlled endpoint, enabling follow-on access to production AI inference environments and replicating the AIID #1368 attack pattern directly at the developer tooling layer.

Weaknesses (CWE)

CWE-94 — Improper Control of Generation of Code ('Code Injection'): The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

  • [Architecture and Design] Refactor your program so that you do not have to dynamically generate code.
  • [Architecture and Design] Run your code in a "jail" or similar sandbox environment that enforces strict boundaries between the process and the operating system. This may effectively restrict which code can be executed by your product. Examples include the Unix chroot jail and AppArmor. In general, managed code may provide some protection. This may not be a feasible solution, and it only limits the impact to the operating system; the rest of your application may still be subject to compromise. Be careful to avoid CWE-243 and other weaknesses related to jails.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Timeline

Published
May 5, 2026
Last Modified
May 5, 2026
First Seen
May 5, 2026

Related Vulnerabilities