CVE-2026-45002: OpenClaw < 2026.4.20 - Hook Session-Key Bypass via Template Mapping
Published May 11, 2026
OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls.
Affected Software
2 affected components
OpenClaw OpenClaw < 2026.4.20
OpenClaw Openclaw Node.js < 2026.4.20
Remediation
Event History
May 11, 2026
CVE Published (via MITRE, 04:46 PM)
Data Sourced (via MITRE, 04:46 PM): Description, Severity, Weakness
Data Sourced (via NVD, 06:16 PM): Remedy, Description, Severity, Weakness, Affected Software
Frequently Asked Questions
1. What is the severity of CVE-2026-45002?
CVE-2026-45002 is considered a high severity vulnerability due to its impact on session security.
2. How do I fix CVE-2026-45002?
To fix CVE-2026-45002, upgrade OpenClaw to version 2026.4.20 or later.
3. What are the risks associated with CVE-2026-45002?
The risks of CVE-2026-45002 include unauthorized access and manipulation of session keys.
4. Who is affected by CVE-2026-45002?
Any user running OpenClaw versions prior to 2026.4.20 is affected by CVE-2026-45002.
5. What kind of vulnerability is CVE-2026-45002?
CVE-2026-45002 is a hook session-key bypass vulnerability that can be exploited through template mapping.