A vulnerability, which was classified as problematic , has been found in OpenClaw up to 2026.4.22 . Impacted is the function process.cwd of the file setup-api.js . The manipulation leads to uncontrolled search path. This vulnerability is documented as CVE-2026-45004 . The attack needs to be performed locally. There is not any exploit available. It is advisable to upgrade the affected component.