GHSA-HV93-R4J3-Q65F
Vulnerability from github – Published: 2026-02-17 16:43 – Updated: 2026-02-17 16:43
VLAI
Summary
OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing
Details
Summary
The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions.
Affected Behavior
POST /hooks/agentaccepted payloadsessionKeyand used it directly for session routing.- Common session-key shapes (for example
agent:main:dm:<peerId>) were often derivable from known metadata, making targeted routing practical when request-level override was enabled.
Attack Preconditions
- Attacker can call hook endpoints with a valid hook token.
- Hook ingress allows request-selected
sessionKeyvalues. - Target session keys can be derived or guessed.
Without those preconditions, deterministic key formats alone do not provide access.
Impact
- Integrity: targeted message/prompt injection into chosen sessions.
- Persistence: poisoned context can affect subsequent turns when the same session key is reused.
- Confidentiality impact is secondary and depends on additional weaknesses.
Affected Versions
openclaw>= 2.0.0-beta3and< 2026.2.12
Patched Versions
openclaw>= 2026.2.12
Fix
OpenClaw now uses secure defaults for hook session routing:
- POST /hooks/agent rejects payload sessionKey unless hooks.allowRequestSessionKey=true.
- Added hooks.defaultSessionKey for fixed ingress routing.
- Added hooks.allowedSessionKeyPrefixes to constrain explicit routing keys.
- Security audit warns on unsafe hook session-routing settings.
Recommended Configuration
{
"hooks": {
"enabled": true,
"token": "${OPENCLAW_HOOKS_TOKEN}",
"defaultSessionKey": "hook:ingress",
"allowRequestSessionKey": false,
"allowedSessionKeyPrefixes": ["hook:"]
}
}
Credit
Thanks @alpernae for responsible reporting.
Severity
7.1 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "openclaw"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0-beta3"
},
{
"fixed": "2026.2.12"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-330",
"CWE-639"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T16:43:34Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "## Summary\nThe issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied `sessionKey` values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions.\n\n## Affected Behavior\n- `POST /hooks/agent` accepted payload `sessionKey` and used it directly for session routing.\n- Common session-key shapes (for example `agent:main:dm:\u003cpeerId\u003e`) were often derivable from known metadata, making targeted routing practical when request-level override was enabled.\n\n## Attack Preconditions\n- Attacker can call hook endpoints with a valid hook token.\n- Hook ingress allows request-selected `sessionKey` values.\n- Target session keys can be derived or guessed.\n\nWithout those preconditions, deterministic key formats alone do not provide access.\n\n## Impact\n- Integrity: targeted message/prompt injection into chosen sessions.\n- Persistence: poisoned context can affect subsequent turns when the same session key is reused.\n- Confidentiality impact is secondary and depends on additional weaknesses.\n\n## Affected Versions\n- `openclaw` `\u003e= 2.0.0-beta3` and `\u003c 2026.2.12`\n\n## Patched Versions\n- `openclaw` `\u003e= 2026.2.12`\n\n## Fix\nOpenClaw now uses secure defaults for hook session routing:\n- `POST /hooks/agent` rejects payload `sessionKey` unless `hooks.allowRequestSessionKey=true`.\n- Added `hooks.defaultSessionKey` for fixed ingress routing.\n- Added `hooks.allowedSessionKeyPrefixes` to constrain explicit routing keys.\n- Security audit warns on unsafe hook session-routing settings.\n\n## Recommended Configuration\n```json\n{\n \"hooks\": {\n \"enabled\": true,\n \"token\": \"${OPENCLAW_HOOKS_TOKEN}\",\n \"defaultSessionKey\": \"hook:ingress\",\n \"allowRequestSessionKey\": false,\n \"allowedSessionKeyPrefixes\": [\"hook:\"]\n }\n}\n```\n\n## Credit\nThanks @alpernae for responsible reporting.",
"id": "GHSA-hv93-r4j3-q65f",
"modified": "2026-02-17T16:43:34Z",
"published": "2026-02-17T16:43:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec"
},
{
"type": "PACKAGE",
"url": "https://github.com/openclaw/openclaw"
},
{
"type": "WEB",
"url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.12"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…