OpenClaw voice-call extension allows unauthorized access
CVE-2026-29606
GHSA-c37p-4qqg-3p76
Summary
Versions of OpenClaw prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension: when a specific tunnel option is enabled, requests to the webhook endpoint are accepted without verification, so an external attacker can send forged requests and trigger unauthorized webhook event handling or request flooding. Update to version 2026.2.14 or later to fix this issue.
What to do
- Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| openclaw | openclaw | <= 2026.2.14 | – |
Original title
OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypas...
Original description
OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks.
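The check the description says was bypassed is Twilio's documented X-Twilio-Signature scheme (HMAC-SHA1 over the full request URL followed by the POST parameters sorted by key, base64-encoded). The following is an added illustration, not OpenClaw's code or its fix: a verifier implemented from that documented scheme, a handler reconstructing the CWE-306 pattern where a configuration flag short-circuits verification, and a hardened handler where no flag can. The auth token, URL, parameters, the `bypass_enabled` argument and the function names are constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed sample values for the example; not taken from OpenClaw or Twilio.
SAMPLE_AUTH_TOKEN = "constructed-auth-token-0123456789"
SAMPLE_URL = "https://example.invalid/voice-call/webhook"
SAMPLE_PARAMS = {"CallSid": "CA0000constructed", "From": "+15550001111", "CallStatus": "ringing"}


def compute_twilio_signature(auth_token: str, url: str, params: Mapping[str, str]) -> str:
    """Twilio's documented scheme: HMAC-SHA1, keyed with the account auth token, over the
    full request URL followed by every POST parameter as key+value, sorted by key; base64."""
    payload = url + "".join(k + params[k] for k in sorted(params))
    digest = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(digest).decode()


def verify_twilio_signature(auth_token: str, url: str, params: Mapping[str, str],
                            header: Optional[str]) -> bool:
    """True only when an X-Twilio-Signature header is present and matches (constant-time)."""
    if not header:
        return False  # a missing header is a verification failure, never a pass
    expected = compute_twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected, header)


def handle_webhook_vulnerable(auth_token: str, url: str, params: Mapping[str, str],
                              headers: Mapping[str, str], bypass_enabled: bool) -> int:
    """Illustrative CWE-306 pattern (hypothetical, modelled on the advisory's description):
    a tunnel/loopback convenience flag skips verification on a publicly reachable endpoint."""
    if bypass_enabled:
        return 200  # unauthenticated request accepted: the bug class described above
    sig = headers.get("X-Twilio-Signature")
    return 200 if verify_twilio_signature(auth_token, url, params, sig) else 403


def handle_webhook_hardened(auth_token: str, url: str, params: Mapping[str, str],
                            headers: Mapping[str, str], bypass_enabled: bool) -> int:
    """Hardened form: configuration cannot disable verification; every request is checked."""
    del bypass_enabled  # accepted for interface parity only; it must not influence the check
    sig = headers.get("X-Twilio-Signature")
    return 200 if verify_twilio_signature(auth_token, url, params, sig) else 403
```

A detection angle follows from the same logic: any 200 returned by the vulnerable handler for a request lacking X-Twilio-Signature is an unauthenticated webhook event and is worth alerting on.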
nvd CVSS3.1
6.5
nvd CVSS4.0
6.3
Vulnerability type
CWE-306
Missing Authentication for Critical Function
References
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14
- https://nvd.nist.gov/vuln/detail/CVE-2026-29606
- https://github.com/advisories/GHSA-c37p-4qqg-3p76
- https://github.com/openclaw/openclaw/commit/ff11d8793b90c52f8d84dae3fbb99307da51...
- https://github.com/openclaw/openclaw/security/advisories/GHSA-c37p-4qqg-3p76
- https://www.vulncheck.com/advisories/openclaw-webhook-signature-verification-byp...
Published: 5 Mar 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026