GHSA-hv93-r4j3-q65f: OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing

February 17, 2026

The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions.

References

github.com/advisories/GHSA-hv93-r4j3-q65f
github.com/openclaw/openclaw
github.com/openclaw/openclaw/commit/113ebfd6a23c4beb8a575d48f7482593254506ec
github.com/openclaw/openclaw/releases/tag/v2026.2.12
github.com/openclaw/openclaw/security/advisories/GHSA-hv93-r4j3-q65f

Code Behaviors & Features

Detect and mitigate GHSA-hv93-r4j3-q65f with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →