OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls.
CVE-2026-45002
MEDIUMNVD 5.35.3—
EchelonGraph scoreMEDIUM confidence
This medium-severity CVE scores 5.3 under NVD CVSS v3. EPSS exploit probability: 0.0%, top 89% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).
Triggered by: NVD CVSS baseline
Sources: epss, nvd
5.3
- CVSS v3
- 5.3
- EG Score
- 5.3(medium)
- EPSS
- 10.5%
- KEV
- Not listed
Published
May 11, 2026
Last Modified
May 13, 2026
References (3)
- disclosure@vulncheckhttps://github.com/openclaw/openclaw/commit/5275d008ed33203dba3f98e969ad683a65c416c3
- disclosure@vulncheckhttps://github.com/openclaw/openclaw/security/advisories/GHSA-2xcp-x87w-q377
- disclosure@vulncheckhttps://www.vulncheck.com/advisories/openclaw-hook-session-key-bypass-via-template-mapping
Frequently asked(5)
What is CVE-2026-45002?
CVE-2026-45002 is a medium vulnerability published on May 11, 2026. OpenClaw before 2026.4.20 contains a hook session-key bypass vulnerability that allows attackers to circumvent the hooks.allowRequestSessionKey opt-in restriction. Attackers can render externally influenced session keys through templated hook mappings to bypass webhook routing isolation controls.
When was CVE-2026-45002 disclosed?
CVE-2026-45002 was first published in the National Vulnerability Database on May 11, 2026, with the most recent update on May 13, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-45002 actively exploited?
CVE-2026-45002 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 10.5% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-45002?
CVE-2026-45002 has a CVSS v3 base score of 5.3 (NVD).
How do I remediate CVE-2026-45002?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45002, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.
Dependency Blast Radius
See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45002
Is Your Infrastructure Affected by CVE-2026-45002?
EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.