GHSA-hv93-r4j3-q65f: OpenClaw Hook Session Key Override Enables Targeted Cross-Session Routing
Summary
OpenClaw had a vulnerability where its hook endpoint (`POST /hooks/agent`) accepted session keys (identifiers for conversation contexts) directly from user requests, allowing someone with a valid hook token to inject messages into any session they could guess or derive. This could poison conversations with malicious prompts that persist across multiple turns. The vulnerability affected versions 2.0.0-beta3 through 2026.2.11.
Solution / Mitigation
Update to OpenClaw version 2026.2.12 or later. The fix includes: rejecting the `sessionKey` request parameter by default unless explicitly enabled with `hooks.allowRequestSessionKey=true`, adding a `hooks.defaultSessionKey` option for fixed routing, and adding `hooks.allowedSessionKeyPrefixes` to restrict which session keys can be used. The recommended secure configuration disables `allowRequestSessionKey`, sets `defaultSessionKey` to `"hook:ingress"`, and restricts prefixes to `["hook:"]`.
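The routing check that the three new options imply, as an added example that is not part of the advisory and not OpenClaw's own code: a hypothetical `resolveHookSessionKey` routine is shown beside a weak and a hardened `hooks` configuration. The function name, the shape of the config object and request body, the error reasons and the sample session keys (`agent:main`, `hook:ci`) are assumptions; only the option names `allowRequestSessionKey`, `defaultSessionKey` and `allowedSessionKeyPrefixes` and the recommended values come from the advisory.

```javascript
// Added illustration of the mitigation described in the advisory.
// NOT OpenClaw's code: function name, config/body shape, error reasons and
// sample keys are assumed. Option names and recommended values come from
// the advisory. Assumption: an empty prefix list means "no restriction".

// Configuration equivalent to the pre-fix behaviour: the caller picks the session.
const weakHooksConfig = {
  allowRequestSessionKey: true,
  defaultSessionKey: 'hook:ingress',
  allowedSessionKeyPrefixes: [],
};

// Recommended configuration from the advisory: fixed routing, hook-only prefixes.
const hardenedHooksConfig = {
  allowRequestSessionKey: false,
  defaultSessionKey: 'hook:ingress',
  allowedSessionKeyPrefixes: ['hook:'],
};

// Opt-in variant: request may choose a session, but only within the hook: namespace.
const scopedHooksConfig = {
  allowRequestSessionKey: true,
  defaultSessionKey: 'hook:ingress',
  allowedSessionKeyPrefixes: ['hook:'],
};

// Decide which session an inbound POST /hooks/agent body may be routed to.
// Returns { ok: true, sessionKey } or { ok: false, reason }.
function resolveHookSessionKey(hooksConfig, body) {
  const requested =
    body && typeof body.sessionKey === 'string' ? body.sessionKey : undefined;

  // 1. Unless the operator explicitly opted in, a request-supplied key is rejected
  //    outright rather than silently replaced, so misconfigured callers are visible.
  if (requested !== undefined && !hooksConfig.allowRequestSessionKey) {
    return {
      ok: false,
      reason: 'sessionKey in request not allowed (hooks.allowRequestSessionKey is false)',
    };
  }

  // 2. Fixed routing: fall back to the configured default session.
  const key = requested !== undefined ? requested : hooksConfig.defaultSessionKey;
  if (!key) {
    return { ok: false, reason: 'no session key available; set hooks.defaultSessionKey' };
  }

  // 3. Prefix allow-list is enforced on the final key, default included, so a
  //    bad defaultSessionKey cannot bypass the namespace restriction either.
  const prefixes = hooksConfig.allowedSessionKeyPrefixes || [];
  if (prefixes.length > 0 && !prefixes.some((p) => key.startsWith(p))) {
    return {
      ok: false,
      reason: `session key "${key}" outside allowed prefixes [${prefixes.join(', ')}]`,
    };
  }

  return { ok: true, sessionKey: key };
}

// Stand-alone demo (constructed request bodies).
if (typeof require !== 'undefined' && require.main === module) {
  console.log(resolveHookSessionKey(weakHooksConfig, { sessionKey: 'agent:main' }));
  console.log(resolveHookSessionKey(hardenedHooksConfig, { sessionKey: 'agent:main' }));
  console.log(resolveHookSessionKey(hardenedHooksConfig, {}));
  console.log(resolveHookSessionKey(scopedHooksConfig, { sessionKey: 'hook:ci' }));
}
```

The prefix check runs on the resolved key rather than only on the request value, so the allow-list also guards against a default that points outside the hook namespace; under the hardened config every hook delivery lands in `hook:ingress` regardless of what the request body contains.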
Original source: https://github.com/advisories/GHSA-hv93-r4j3-q65f
First tracked: February 17, 2026 at 02:12 PM