PT-2026-39691 · Openclaw · Openclaw
Keensecuritylab
+1
·
Published
2026-04-25
·
Updated
2026-05-11
·
CVE-2026-45002
CVSS v4.0
6.3
Medium
| Vector | AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
OpenClaw versions prior to 2026.4.20
Description
A hook session-key bypass allows attackers to circumvent the
hooks.allowRequestSessionKey opt-in restriction. By using templated hook mappings, attackers can render externally influenced session keys to bypass webhook routing isolation controls.Recommendations
Update to version 2026.4.20 or later.
Exploit
Fix
IDOR
Incorrect Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Openclaw