CVE-2026-26319
Received Received - Intake
Unauthenticated Webhook Acceptance in OpenClaw Voice-Call Plugin

Publication date: 2026-02-19

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are expected to be authenticated via Ed25519 signature verification. In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy). The issue has been fixed in version 2026.2.14.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-20
EPSS Evaluated
2026-06-14
NVD
CVE-2026-26319
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
openclaw openclaw to 2026.2.14 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-306 The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects OpenClaw versions 2026.2.13 and below when using the optional @openclaw/voice-call plugin with the Telnyx webhook handler. If the telnyx.publicKey is not configured, the webhook handler accepts unsigned inbound webhook requests. This means unauthenticated callers can forge Telnyx events because the expected Ed25519 signature verification is effectively bypassed. The verification function TelnyxProvider.verifyWebhook() fails open, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events.

This vulnerability only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable by an attacker, such as when it is publicly exposed via a tunnel or proxy. The issue was fixed in version 2026.2.14.

Impact Analysis

This vulnerability allows unauthenticated attackers to send forged Telnyx webhook events to the OpenClaw voice-call webhook endpoint. This can lead to unauthorized actions being triggered within the system that relies on these webhook events.

Since the vulnerability allows arbitrary HTTP POST requests to be accepted as legitimate events, it could be exploited to manipulate voice call functionalities or other features relying on these events, potentially causing service disruption or misuse.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by checking if the OpenClaw deployment is running version 2026.2.13 or below and if the @openclaw/voice-call plugin is installed and enabled.

Additionally, you should verify whether the Telnyx webhook handler is configured with a telnyx.publicKey. If this key is missing, the webhook endpoint may accept unsigned inbound webhook requests.

To detect potential exploitation attempts on your system, monitor HTTP POST requests to the voice-call webhook endpoint that are not signed or lack proper Ed25519 signature verification.

Specific commands are not provided in the available information.

Mitigation Strategies

Immediate mitigation steps include upgrading OpenClaw to version 2026.2.14 or later, where the issue has been fixed.

If upgrading is not immediately possible, ensure that the telnyx.publicKey configuration is properly set to enable Ed25519 signature verification for inbound Telnyx webhook requests.

Also, restrict access to the voice-call webhook endpoint to trusted sources or networks to prevent unauthenticated external access.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26319. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart