GHSA-hv93-r4j3-q65f

Summary

The issue is not deterministic session keys by itself. The exploitable path was accepting externally supplied sessionKey values on authenticated hook ingress, allowing a hook token holder to route messages into chosen sessions.

Affected Behavior

• POST /hooks/agent accepted payload sessionKey and used it directly for session routing.
• Common session-key shapes (for example agent:main:dm:<peerId>) were often derivable from known metadata, making targeted routing practical when request-level override was enabled.

Attack Preconditions

• Attacker can call hook endpoints with a valid hook token.
• Hook ingress allows request-selected sessionKey values.
• Target session keys can be derived or guessed.

Without those preconditions, deterministic key formats alone do not provide access.

Impact

• Integrity: targeted message/prompt injection into chosen sessions.
• Persistence: poisoned context can affect subsequent turns when the same session key is reused.
• Confidentiality impact is secondary and depends on additional weaknesses.

Affected Versions

• openclaw >= 2.0.0-beta3 and < 2026.2.12

Patched Versions

• openclaw >= 2026.2.12

Fix

OpenClaw now uses secure defaults for hook session routing:

• POST /hooks/agent rejects payload sessionKey unless hooks.allowRequestSessionKey=true.
• Added hooks.defaultSessionKey for fixed ingress routing.
• Added hooks.allowedSessionKeyPrefixes to constrain explicit routing keys.
• Security audit warns on unsafe hook session-routing settings.

Recommended Configuration

{
  "hooks": {
    "enabled": true,
    "token": "${OPENCLAW_HOOKS_TOKEN}",
    "defaultSessionKey": "hook:ingress",
    "allowRequestSessionKey": false,
    "allowedSessionKeyPrefixes": ["hook:"]
  }
}

Credit

Thanks @alpernae for responsible reporting.