Templated hook mapping sessionKey values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when hooks.allowRequestSessionKey was disabled, bypassing the intended routing opt-in for hook callers.

This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium.

Template-rendered mapping session keys are now treated as externally supplied routing input and require hooks.allowRequestSessionKey=true plus the existing prefix policy checks.

Fix commit:

Fixed in OpenClaw 2026.4.20.