UNKNOWN npm
OpenClaw: Hook mapping templates could bypass hook session-key opt-in
GHSA-2xcp-x87w-q377 · CVE-2026-45002
Published · Modified
Description
Affected Packages / Versions
- Package:
openclaw(npm) - Affected versions:
< 2026.4.20 - Patched version:
2026.4.20
Impact
Templated hook mapping sessionKey values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when hooks.allowRequestSessionKey was disabled, bypassing the intended routing opt-in for hook callers.
This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium.
Fix
Template-rendered mapping session keys are now treated as externally supplied routing input and require hooks.allowRequestSessionKey=true plus the existing prefix policy checks.
Fix commit:
5275d008ed33203dba3f98e969ad683a65c416c3
Release
Fixed in OpenClaw 2026.4.20.
References
- WEB https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-45002
- WEB https://github.com/openclaw/openclaw/commit/5275d008ed33203dba3f98e969ad683a65c416c3
- PACKAGE https://github.com/openclaw/openclaw
- WEB https://www.vulncheck.com/advisories/openclaw-hook-session-key-bypass-via-template-mapping
Ready to move
Start Securing
Free, no credit card | First findings in minutes