PT-2026-39691 · Openclaw · Openclaw

Keensecuritylab

+1

·

Published

2026-04-25

·

Updated

2026-05-11

·

CVE-2026-45002

CVSS v4.0

6.3

Medium

VectorAV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions OpenClaw versions prior to 2026.4.20
Description A hook session-key bypass allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. By using templated hook mappings, attackers can render externally influenced session keys to bypass webhook routing isolation controls.
Recommendations Update to version 2026.4.20 or later.

Exploit

Fix

IDOR

Incorrect Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45002
GHSA-2XCP-X87W-Q377
GHSA-9J32-3M66-MC4M

Affected Products

Openclaw