CVE-2026-26319
Unauthenticated Webhook Acceptance in OpenClaw Voice-Call Plugin

Publication date: 2026-02-19

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
OpenClaw is a personal AI assistant. In versions 2026.2.13 and below, the Telnyx webhook handler of the optional @openclaw/voice-call plugin accepts unsigned inbound webhook requests when telnyx.publicKey is not configured, so an unauthenticated caller can forge Telnyx events. Telnyx webhooks are meant to be authenticated by verifying an Ed25519 signature over each request. In affected versions, TelnyxProvider.verifyWebhook() fails open when no Telnyx public key is configured: instead of rejecting requests it cannot verify, it treats arbitrary HTTP POST requests to the voice-call webhook endpoint as legitimate Telnyx events. Only deployments where the Voice Call plugin is installed and enabled and the webhook endpoint is reachable by the attacker (for example, publicly exposed through a tunnel or reverse proxy) are affected. The issue is fixed in version 2026.2.14.
Affected Vendors & Products
Vendor: openclaw
Product: openclaw
Version / Range: all versions before 2026.2.14 (2026.2.14 itself is not affected)
CWE
CWE-306 (Missing Authentication for Critical Function): The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects OpenClaw versions 2026.2.13 and below when the optional @openclaw/voice-call plugin is used with the Telnyx webhook handler. If telnyx.publicKey is not configured, the webhook handler accepts unsigned inbound webhook requests: the Ed25519 signature check that is supposed to authenticate Telnyx is never performed, so TelnyxProvider.verifyWebhook() fails open and any HTTP POST to the voice-call webhook endpoint is treated as a legitimate Telnyx event. An unauthenticated caller can therefore forge Telnyx events.

This vulnerability only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable by an attacker, such as when it is publicly exposed via a tunnel or proxy. The issue was fixed in version 2026.2.14.


How can this vulnerability impact me?

This vulnerability allows an unauthenticated attacker who can reach the OpenClaw voice-call webhook endpoint to submit forged Telnyx webhook events. Whatever the assistant does in response to a Telnyx event (the voice-call plugin's call-handling logic) can then be triggered by attacker-chosen input rather than by real call activity.

Because arbitrary HTTP POST requests are accepted as legitimate events, the attacker can manipulate voice-call functionality and any other feature that trusts these events, which may result in service disruption or misuse of the call-handling features.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

A deployment is exposed if it runs OpenClaw version 2026.2.13 or below and has the @openclaw/voice-call plugin installed and enabled with the Telnyx webhook handler in use.

Next, check whether the Telnyx webhook handler is configured with a telnyx.publicKey. If the key is missing, the webhook endpoint accepts unsigned inbound webhook requests in affected versions. Also check whether the webhook endpoint is reachable from outside your network (for example through a tunnel or reverse proxy), since the issue is only exploitable by callers who can reach it.

To detect exploitation attempts, review access logs for HTTP POST requests to the voice-call webhook endpoint that do not carry a Telnyx Ed25519 signature, or whose source does not correspond to Telnyx, and correlate accepted events against the call activity Telnyx actually reports.

Specific commands are not provided in the available information.


What immediate steps should I take to mitigate this vulnerability?

Upgrade OpenClaw to version 2026.2.14 or later, where the issue is fixed.

If upgrading is not immediately possible, configure telnyx.publicKey so that Ed25519 signature verification is actually performed on inbound Telnyx webhook requests; in affected versions, leaving it unset is what disables authentication.

In addition, restrict access to the voice-call webhook endpoint to trusted sources or networks so that it is not reachable by unauthenticated external callers, and remove or disable public tunnels or proxies that expose it if they are not needed.

