GHSA-2xcp-x87w-q377: openclaw: session key auth bypass in webhook routing

GHSA-2xcp-x87w-q377 MEDIUM
Published April 25, 2026
CISO Take

OpenClaw's webhook hook mapping engine fails to treat template-rendered session keys as externally-influenced input, allowing an attacker to bypass the `hooks.allowRequestSessionKey=false` routing isolation control by supplying a crafted key through hook mapping templates. The blast radius is currently limited to 4 known downstream dependents, and no public exploit or CISA KEV listing exists — reducing near-term opportunistic risk. However, the same package carries 135 prior CVEs, signaling persistent input-validation debt that warrants skepticism about adjacent code paths in any OpenClaw deployment. Teams should upgrade to version 2026.4.20 immediately and audit all hook mappings that use templated session key values for user-controlled input exposure.

Sources: GitHub Advisory, ATLAS

What is the risk?

Medium risk overall. The bypass does not grant host execution by itself, capping direct impact to unauthorized webhook routing rather than full system compromise. Exploitability requires an attacker to influence session key values rendered in hook mapping templates — a moderate sophistication bar that rules out trivial script-kiddie exploitation. The 135 prior CVEs in this package are a strong signal of systemic validation weaknesses; defenders should treat this as one symptom of a broader security posture problem rather than an isolated defect. Limited downstream exposure (4 dependents) reduces supply chain amplification risk, but direct deployments using hook mappings with session key templating are exposed.

How does the attack unfold?

  1. Initial Access (AML.T0049): Adversary identifies an OpenClaw deployment whose webhook hook mappings use templated session keys and which accepts user-influenced input via a public-facing agent endpoint.

  2. Authorization Bypass (AML.T0049): Adversary crafts a session key value that, when rendered by the hook mapping template engine, is treated as a non-externally-supplied key, bypassing the `allowRequestSessionKey=false` routing guard.

  3. Unauthorized Routing (AML.T0053): Webhook callbacks are redirected through the attacker's crafted session key, crossing session or tenant isolation boundaries to reach an unintended destination.

  4. Impact (AML.T0086): Adversary intercepts AI agent webhook outputs from another session or tenant, or injects malicious responses into the agent's tool invocation chain, enabling data exfiltration or workflow manipulation.

What systems are affected?

| Package | Ecosystem | Vulnerable Range | Patched |
|---|---|---|---|
| OpenClaw | npm | < 2026.4.20 | 2026.4.20 |

4 dependents, 36% patched, ~3d to patch

Do you use OpenClaw? Versions earlier than 2026.4.20 are affected.

How severe is it?

  • CVSS 3.1: N/A
  • EPSS: N/A
  • Exploitation Status: No known exploitation
  • Sophistication: Moderate

What should I do?

  1. Upgrade openclaw (npm) to version 2026.4.20 or later — this is the primary remediation.

  2. If immediate patching is blocked, audit all hook mapping configurations for templated `sessionKey` usage that accepts user-controlled input and temporarily disable or harden those mappings.

  3. Explicitly enforce `hooks.allowRequestSessionKey=true` only where strictly required and document approved callers.

  4. Review webhook routing logs for anomalous session key patterns (unexpected prefixes, format deviations) that may indicate prior exploitation.

  5. Treat the 135 prior CVEs in this package as a signal to assess whether OpenClaw is the right dependency for security-sensitive agent pipelines.
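An added example for steps 1 and 2, not OpenClaw tooling or code from the advisory: a Node.js check that compares an installed version against 2026.4.20 numerically and lists hook mappings whose `sessionKey` is built from request fields. The config shape (`hooks.mappings[]` with `id` and `sessionKey`) and the `{{...}}` placeholder syntax are assumptions; adapt both to the actual configuration.

```javascript
// Added example. Assumed: hooks.mappings[] entries with optional id and sessionKey,
// and {{field}} as the template placeholder syntax. The sample config is constructed.
const PATCHED = [2026, 4, 20];
const FIELD = /\{\{\s*([^}]+?)\s*\}\}/g;

// Numeric comparison: a string compare would rank "2026.4.9" above "2026.4.20".
function isPatched(version) {
  const [core, pre] = version.split("-");
  const parts = core.split(".").map(Number);
  for (let i = 0; i < PATCHED.length; i++) {
    const diff = (parts[i] || 0) - PATCHED[i];
    if (diff !== 0) return diff > 0;
  }
  return pre === undefined; // a pre-release of 2026.4.20 is treated as unpatched
}

// Report every mapping whose sessionKey contains at least one placeholder.
function auditHookConfig(config) {
  const hooks = config.hooks ?? {};
  const findings = [];
  (hooks.mappings ?? []).forEach((m, i) => {
    if (typeof m.sessionKey !== "string") return;
    const fields = [...m.sessionKey.matchAll(FIELD)].map((x) => x[1]);
    if (fields.length === 0) return; // static key, written by the operator
    findings.push({
      mapping: m.id ?? `#${i}`,
      requestFields: fields,
      // true: the operator disabled request keys, yet this key is request-derived
      optInDisabled: hooks.allowRequestSessionKey !== true,
      // true: the request decides the entire key, not just a suffix
      wholeKeyTemplated: m.sessionKey.replace(FIELD, "") === "",
    });
  });
  return findings;
}

const sampleConfig = {
  hooks: {
    allowRequestSessionKey: false,
    mappings: [
      { id: "ci", sessionKey: "hook:ci" },
      { id: "mail", sessionKey: "hook:mail:{{payload.threadId}}" },
      { sessionKey: "{{headers.x-session}}" },
    ],
  },
};
console.log(isPatched("2026.4.9"), auditHookConfig(sampleConfig));
```

Findings with `optInDisabled: true` are the mappings to disable or harden first on any host where `isPatched` returns false.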

How is it classified?

Which compliance frameworks are affected?

This advisory is relevant to:

  • EU AI Act: Article 15 - Accuracy, robustness and cybersecurity
  • ISO 42001: Annex A, A.6.2 - AI risk treatment — technical controls
  • NIST AI RMF: MANAGE 2.2 - Mechanisms to sustain effectiveness of AI risk controls
  • OWASP LLM Top 10: LLM07 - Insecure Plugin Design

Frequently Asked Questions

Is GHSA-2xcp-x87w-q377 actively exploited?

No confirmed active exploitation of GHSA-2xcp-x87w-q377 has been reported, but organizations should still patch proactively.

How to fix GHSA-2xcp-x87w-q377?

  1. Upgrade openclaw (npm) to version 2026.4.20 or later — this is the primary remediation.

  2. If immediate patching is blocked, audit all hook mapping configurations for templated `sessionKey` usage that accepts user-controlled input and temporarily disable or harden those mappings.

  3. Explicitly enforce `hooks.allowRequestSessionKey=true` only where strictly required and document approved callers.

  4. Review webhook routing logs for anomalous session key patterns (unexpected prefixes, format deviations) that may indicate prior exploitation.

  5. Treat the 135 prior CVEs in this package as a signal to assess whether OpenClaw is the right dependency for security-sensitive agent pipelines.

What systems are affected by GHSA-2xcp-x87w-q377?

This vulnerability affects the following AI/ML architecture patterns: agent frameworks, webhook integrations, multi-tenant AI orchestration.

What is the CVSS score for GHSA-2xcp-x87w-q377?

No CVSS score has been assigned yet.

What is the AI security impact?

Affected AI Architectures

agent frameworks, webhook integrations, multi-tenant AI orchestration

MITRE ATLAS Techniques

AML.T0049 Exploit Public-Facing Application
AML.T0053 AI Agent Tool Invocation
AML.T0081 Modify AI Agent Configuration

Compliance Controls Affected

EU AI Act: Article 15
ISO 42001: Annex A, A.6.2
NIST AI RMF: MANAGE 2.2
OWASP LLM Top 10: LLM07

What are the technical details?

Original Advisory

## Affected Packages / Versions

- Package: `openclaw` (npm)
- Affected versions: `< 2026.4.20`
- Patched version: `2026.4.20`

## Impact

Templated hook mapping `sessionKey` values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when `hooks.allowRequestSessionKey` was disabled, bypassing the intended routing opt-in for hook callers.

This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium.

## Fix

Template-rendered mapping session keys are now treated as externally supplied routing input and require `hooks.allowRequestSessionKey=true` plus the existing prefix policy checks.

Fix commit:

- `5275d008ed33203dba3f98e969ad683a65c416c3`

## Release

Fixed in OpenClaw `2026.4.20`.

Exploitation Scenario

An adversary targets a multi-tenant OpenClaw deployment where each tenant's webhook callbacks are session-isolated via `allowRequestSessionKey=false`. The attacker identifies a public-facing AI agent endpoint that reflects user-supplied values into hook mapping templates (e.g., a session identifier derived from a request parameter). By crafting a session key value that, when template-rendered, matches a routing pattern exempt from the externally-supplied-key restriction, the attacker's request bypasses the opt-in guard. Webhook callbacks are now routed through the attacker's crafted session, allowing interception of another tenant's agent outputs or injection of malicious webhook responses into that tenant's agent tool invocation chain.
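The difference between the Impact and Fix sections of the original advisory, as an added and simplified model rather than OpenClaw's source or the fix commit. The `{{path}}` template syntax, the `allowedSessionKeyPrefixes` setting name and all function names are assumptions made for illustration.

```javascript
// Simplified model of the session-key routing gate (added illustration, not OpenClaw source).
// Assumed names: {{path}} template syntax, allowedSessionKeyPrefixes, and every function here.
const PLACEHOLDER = /\{\{\s*([\w.]+)\s*\}\}/g;
const HAS_PLACEHOLDER = /\{\{[^}]*\}\}/;

// Fill {{a.b}} placeholders from the incoming request.
function render(template, req) {
  return template.replace(PLACEHOLDER, (_, path) => {
    const value = path.split(".").reduce((o, k) => (o == null ? undefined : o[k]), req);
    return String(value ?? "");
  });
}

// Gate for externally supplied keys: opt-in flag first, then the prefix policy.
function checkExternalKey(key, hooks) {
  if (hooks.allowRequestSessionKey !== true) return { ok: false, reason: "opt-in disabled" };
  const prefixes = hooks.allowedSessionKeyPrefixes ?? [];
  if (prefixes.length > 0 && !prefixes.some((p) => key.startsWith(p))) {
    return { ok: false, reason: "prefix not allowed" };
  }
  return { ok: true, key };
}

// Before: only a key sent directly in the request is gated; a rendered mapping key is trusted.
function resolveBefore(mapping, req, hooks) {
  if (req.sessionKey !== undefined) return checkExternalKey(req.sessionKey, hooks);
  return { ok: true, key: render(mapping.sessionKey, req) };
}

// After: a mapping key built from a template is request-influenced, so it takes the same gate.
// A static mapping key is written by the operator and stays allowed.
function resolveAfter(mapping, req, hooks) {
  if (req.sessionKey !== undefined) return checkExternalKey(req.sessionKey, hooks);
  if (!HAS_PLACEHOLDER.test(mapping.sessionKey)) return { ok: true, key: mapping.sessionKey };
  return checkExternalKey(render(mapping.sessionKey, req), hooks);
}

// Constructed sample: opt-in disabled, mapping key derived from a payload field.
const hooksOff = { allowRequestSessionKey: false, allowedSessionKeyPrefixes: ["hook:"] };
const templated = { sessionKey: "hook:{{payload.thread}}" };
const request = { payload: { thread: "other-session" } };

console.log("before:", resolveBefore(templated, request, hooksOff));
console.log("after: ", resolveAfter(templated, request, hooksOff));
```

With the opt-in disabled, the "before" resolver routes on a payload-derived key while the "after" resolver rejects it; static mapping keys behave the same in both.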

Weaknesses (CWE)

CWE-639 — Authorization Bypass Through User-Controlled Key: The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.

  • [Architecture and Design] For each and every data access, ensure that the user has sufficient privilege to access the record that is being requested.
  • [Architecture and Design, Implementation] Make sure that the key that is used in the lookup of a specific user's record is not controllable externally by the user or that any tampering can be detected.

Source: MITRE CWE corpus.

Timeline

  • Published: April 25, 2026
  • Last Modified: April 25, 2026
  • First Seen: April 26, 2026
