Impact
OpenClaw prior to version 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings and thereby bypass webhook routing isolation controls. This flaw can allow an attacker to manipulate or impersonate webhook traffic, undermining the integrity and confidentiality of webhook data handled by the application.
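To make the isolation control concrete, the following is an added illustration and not OpenClaw's own code: it models an allowRequestSessionKey opt-in over templated hook mappings. The template syntax, the mapping and request shapes, the session-key names and every function name are assumptions made for this example. The "naive" resolver shows the class of weakness the advisory describes (a per-mapping flag is checked, but a template that embeds request data still yields an externally chosen key); the hardened resolver treats any template that can draw on the request as request-influenced and falls back to the default key unless the opt-in is set.

```javascript
// Added example (not OpenClaw's code): enforcing an allowRequestSessionKey-style
// opt-in for templated hook session keys. All names, the {{path}} template
// syntax and the mapping/request shapes are assumptions for illustration.

const DEFAULT_SESSION_KEY = "hook:default";
const PLACEHOLDER = /\{\{\s*([\w.-]+)\s*\}\}/g;

// Minimal {{path.to.field}} renderer over a context object.
function renderTemplate(template, ctx) {
  return template.replace(PLACEHOLDER, (_, path) => {
    const value = path
      .split(".")
      .reduce((obj, key) => (obj == null ? undefined : obj[key]), ctx);
    return value == null ? "" : String(value);
  });
}

// Static check: does the template reference any request-derived field?
// Deciding on the template text (not on rendered values) keeps the policy
// independent of whatever a caller puts in the request.
function referencesRequest(template) {
  return Array.from(template.matchAll(PLACEHOLDER)).some(
    ([, path]) => path === "request" || path.startsWith("request.")
  );
}

// Constructed "before": the opt-in only guards an explicit per-mapping flag,
// so a template that embeds request data still produces a caller-chosen key.
function resolveSessionKeyNaive(mapping, request, hooksConfig) {
  if (mapping.sessionKeyFromRequest && !hooksConfig.allowRequestSessionKey) {
    return DEFAULT_SESSION_KEY;
  }
  return renderTemplate(mapping.sessionKey ?? DEFAULT_SESSION_KEY, { request });
}

// Hardened resolver: any request-referencing template is downgraded to the
// default session key unless hooks.allowRequestSessionKey is enabled.
function resolveSessionKey(mapping, request, hooksConfig) {
  const template = mapping.sessionKey ?? DEFAULT_SESSION_KEY;
  if (referencesRequest(template) && !hooksConfig.allowRequestSessionKey) {
    return { sessionKey: DEFAULT_SESSION_KEY, downgraded: true };
  }
  return { sessionKey: renderTemplate(template, { request }), downgraded: false };
}

// Constructed sample configuration and inbound request.
const hooksConfig = { allowRequestSessionKey: false };
const mappings = [
  { path: "/hooks/ci", sessionKey: "hook:ci" },
  { path: "/hooks/chat", sessionKey: "hook:{{request.body.channel}}" },
];
const sampleRequest = { body: { channel: "admin-ops" }, headers: {} };

// Runs the two resolvers over the sample data so the difference is visible.
function demo() {
  return mappings.map((m) => ({
    path: m.path,
    naive: resolveSessionKeyNaive(m, sampleRequest, hooksConfig),
    hardened: resolveSessionKey(m, sampleRequest, hooksConfig),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

With the opt-in disabled, the naive resolver still routes the "/hooks/chat" mapping to a session key taken from the request body, while the hardened resolver routes it to the default key and flags the downgrade, which is also a useful event to log for detection.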
Affected Systems
All installations of OpenClaw running a version older than 2026.4.20 are affected. This includes any deployment in which the OpenClaw application exposes webhook functionality and supports template-based hook mappings.
Risk and Exploitability
The CVSS score of 6.3 indicates a moderate level of severity. No EPSS score is available and the vulnerability is not listed in the CISA KEV catalog, which suggests limited publicly known exploitation. The likely attack vector is the webhook routing interface: an attacker must supply a crafted template mapping that references an externally influenced session key. The privileges required are not explicitly defined in the description; however, it is inferred that access to create or modify hook mappings is necessary. The absence of an official workaround further emphasizes the need to address the issue through patching or stricter access controls over who can define hook mappings.
OpenCVE Enrichment