OpenClaw Hook Session-Key Bypass Vulnerability

A session-key bypass vulnerability has been identified in OpenClaw versions prior to 2026.4.20. This vulnerability allows attackers to circumvent the 'hooks.allowRequestSessionKey' opt-in restriction by using templated hook mappings to create externally influenced session keys. As a result, the vulnerability bypasses webhook routing isolation controls, potentially leading to unauthorized access or actions within the application.

Impact

Exploitation of this vulnerability allows for the bypass of session-key routing controls, enabling unauthorized manipulation of webhook interactions. While this does not directly allow for code execution, it disrupts intended routing isolations, which could be leveraged for further exploitation.

Reproduction

To reproduce this vulnerability, create a hook mapping that uses a template to generate a session key. Ensure that 'hooks.allowRequestSessionKey' is set to false. When the mapping is invoked, the generated session key will bypass the routing controls, demonstrating the vulnerability.

Remediation

Users can update to OpenClaw version 2026.4.20 or later, where this vulnerability has been patched. For those using version 2026.4.20, no action is needed as the issue is already resolved.