CVSS 3.1: 7.1

OpenClaw Hook Session Key Vulnerability Allows Message Tampering

GHSA-hv93-r4j3-q65f
Summary

OpenClaw versions 2.0.0-beta3 to 2026.2.12 contain a flaw that lets an attacker inject messages into sessions of their choosing. Exploitation requires a valid hook token and a session key the attacker can guess or derive; a successful attempt can tamper with messages and corrupt session data. Update to version 2026.2.12 or later, and review your OpenClaw configuration to ensure that session keys are handled securely.

What to do
- Update steipete openclaw to version 2026.2.12.

Affected software

| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | > 2.0.0-beta3, <= 2026.2.12 | 2026.2.12 |
Original title
OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing
Original description
## Summary
The issue is not deterministic session keys in themselves. The exploitable path was accepting externally supplied `sessionKey` values on authenticated hook ingress, which let any holder of a hook token route messages into sessions of their choosing.

## Affected Behavior
- `POST /hooks/agent` accepted payload `sessionKey` and used it directly for session routing.
- Common session-key shapes (for example `agent:main:dm:<peerId>`) were often derivable from known metadata, making targeted routing practical when request-level override was enabled.

## Attack Preconditions
- Attacker can call hook endpoints with a valid hook token.
- Hook ingress allows request-selected `sessionKey` values.
- Target session keys can be derived or guessed.

Without those preconditions, deterministic key formats alone do not provide access.

## Impact
- Integrity: targeted message/prompt injection into chosen sessions.
- Persistence: poisoned context can affect subsequent turns when the same session key is reused.
- Confidentiality impact is secondary and depends on additional weaknesses.

## Affected Versions
- `openclaw` `>= 2.0.0-beta3` and `< 2026.2.12`

## Patched Versions
- `openclaw` `>= 2026.2.12`

## Fix
OpenClaw now uses secure defaults for hook session routing:
- `POST /hooks/agent` rejects payload `sessionKey` unless `hooks.allowRequestSessionKey=true`.
- Added `hooks.defaultSessionKey` for fixed ingress routing.
- Added `hooks.allowedSessionKeyPrefixes` to constrain explicit routing keys.
- Security audit warns on unsafe hook session-routing settings.

## Recommended Configuration
```json
{
  "hooks": {
    "enabled": true,
    "token": "${OPENCLAW_HOOKS_TOKEN}",
    "defaultSessionKey": "hook:ingress",
    "allowRequestSessionKey": false,
    "allowedSessionKeyPrefixes": ["hook:"]
  }
}
```

## Credit
Thanks @alpernae for responsible reporting.
Source: GHSA · CVSS 3.1: 7.1
Vulnerability type
CWE-330 Use of Insufficiently Random Values
CWE-639 Authorization Bypass Through User-Controlled Key
Published: 17 Feb 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026