What is GHSA-2xcp-x87w-q377?

GHSA-2xcp-x87w-q377 is a security advisory published by GitHub Security Advisories with Medium severity. OpenClaw: Hook mapping templates could bypass hook session-key opt-in

Which CVE IDs does GHSA-2xcp-x87w-q377 cover?

GHSA-2xcp-x87w-q377 covers the following CVE IDs: CVE-2026-45002. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

Which products are affected by GHSA-2xcp-x87w-q377?

GHSA-2xcp-x87w-q377 affects 1 product, including: npm/openclaw:\u003c 2026.4.20.

GHSA-2xcp-x87w-q377Medium

OpenClaw: Hook mapping templates could bypass hook session-key opt-in

Vendor

GitHub Security Advisories

Published

April 25, 2026

Last Modified

May 19, 2026

🔗 CVE IDs covered (1)

CVE-2026-45002 →

📋 Description

Affected Packages / Versions

Package: openclaw (npm)
Affected versions: < 2026.4.20
Patched version: 2026.4.20

Impact

Templated hook mapping sessionKey values were treated differently from request-supplied session keys. A hook mapping could render an externally influenced session key even when hooks.allowRequestSessionKey was disabled, bypassing the intended routing opt-in for hook callers.

This affects webhook routing isolation. It does not grant host execution by itself. Severity is medium.

Fix

Template-rendered mapping session keys are now treated as externally supplied routing input and require hooks.allowRequestSessionKey=true plus the existing prefix policy checks.

Fix commit:

5275d008ed33203dba3f98e969ad683a65c416c3

Release

Fixed in OpenClaw 2026.4.20.

🎯 Affected products1

npm/openclaw:< 2026.4.20