Severity by source
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls.
AnalysisAI
OpenClaw before 2026.4.20 allows attackers to bypass the hooks.allowRequestSessionKey opt-in restriction via template-rendered session keys in hook mappings, circumventing webhook routing isolation controls. The vulnerability enables externally influenced session keys to be rendered through templated hook mappings even when the opt-in is disabled, affecting webhook routing isolation but not enabling host execution. Vendor-released patch available (version 2026.4.20); no public exploit code identified at time of analysis.
Technical ContextAI
OpenClaw is a webhook gateway that implements session-key-based routing isolation through the hooks.allowRequestSessionKey configuration gate. When disabled (default: false), the setting should prevent /hooks/agent callers from specifying arbitrary session keys. However, the vulnerability stems from inconsistent handling of session keys: static mapping keys were properly gated, but template-rendered keys (e.g., sessionKey: "hook:gmail:{{messages[0].id}}") bypassed the authentication check. The root cause (CWE-863: Incorrect Authorization) is that the code failed to apply the same allowRequestSessionKey validation to template-rendered values as to request-supplied keys. The fix treats template-derived session keys as externally supplied routing input, subjecting them to both the allowRequestSessionKey gate and allowedSessionKeyPrefixes prefix policy checks. This affects the npm package 'openclaw' with affected versions < 2026.4.20.
RemediationAI
Upgrade to OpenClaw version 2026.4.20 or later immediately; this is the primary vendor-released patch addressing the vulnerability. The patch enforces the allowRequestSessionKey gate on template-rendered mapping sessionKeys in addition to request-supplied keys. For organizations unable to immediately upgrade, a compensating control is to avoid using templated sessionKey values in hook mappings and instead use static keys (e.g., replace sessionKey: "hook:gmail:{{messages[0].id}}" with a fixed value like sessionKey: "hook:gmail:static"); this prevents the bypass but removes per-message routing granularity. Alternatively, enable hooks.allowRequestSessionKey=true AND strictly configure hooks.allowedSessionKeyPrefixes to an allowlist of expected prefixes (e.g., ["hook:", "hook:gmail:"]) to constrain which session keys can be injected; this mitigates the bypass but increases attack surface unless callers are fully trusted. Review the GitHub Security Advisory and configuration documentation at https://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377 for detailed remediation guidance.
Auth bypass in OpenClaw voice-call extension before 2026.2.1. EPSS 0.68%. PoC and patch available.
Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access b
OpenClaw versions 2026.2.22 through 2026.2.24 contain a privilege escalation vulnerability that allows authenticated att
An authorization mismatch vulnerability in OpenClaw versions prior to 2026.3.1 allows authenticated users with operator.
OpenClaw versions prior to 2026.1.29 automatically establish WebSocket connections to attacker-controlled gateway URLs e
Path traversal in OpenClaw through version 2026.3.23 enables unauthenticated remote attackers to read arbitrary files in
OpenClaw sandbox browser functionality launches x11vnc for noVNC observer sessions without requiring authentication, all
OpenClaw versions before 2026.2.26 allow authenticated attackers to write arbitrary files outside the workspace director
OpenClaw versions prior to 2026.2.22 contain a shell environment variable injection vulnerability in the system.run func
OpenClaw versions prior to 2026.2.22 contain a resource exhaustion vulnerability where the application fails to consiste
OpenClaw versions prior to 2026.3.1 contain a sandbox escape vulnerability that allows authenticated attackers with low
OpenClaw versions 2026.1.30 and below fail to validate Telegram webhook secret tokens when `channels.telegram.webhookSec
Same weakness CWE-863 – Incorrect Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29147
GHSA-9j32-3m66-mc4m