OpenClaw Telnyx Plugin Missing Authentication for Calls
CVE-2026-26319 · GHSA-4hg8-92x6-h2f3 · CVSS 7.5
Summary
If you use the OpenClaw Telnyx plugin, it may accept forged webhook requests from unauthenticated senders. This happens when the plugin is installed, enabled, and exposed to the public internet without a valid Telnyx public key configured. To fix this, configure the Telnyx public key in your OpenClaw setup, and update to a fixed version of OpenClaw (2026.2.14 or later) if you haven't already.
What to do
- Update steipete openclaw to version 2026.2.14.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| steipete | openclaw | <= 2026.2.14 | 2026.2.14 |
| openclaw | openclaw | <= 2026.2.14 | – |
Original title
OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
Original description
## Summary
In affected versions, OpenClaw's optional `@openclaw/voice-call` plugin Telnyx webhook handler could accept unsigned inbound webhook requests when `telnyx.publicKey` was not configured, allowing unauthenticated callers to forge Telnyx events.
This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy).
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected: `<= 2026.2.13`
- Fixed: `>= 2026.2.14` (planned)
## Details
Telnyx webhooks are expected to be authenticated via Ed25519 signature verification.
In affected versions, `TelnyxProvider.verifyWebhook()` could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events.
## Fix
The fix makes Telnyx webhook verification fail closed by default and requires `telnyx.publicKey` (or `TELNYX_PUBLIC_KEY`) to be configured.
A signature verification bypass exists only for local development via `skipSignatureVerification: true`, which is off by default, emits a loud startup warning, and should not be used in production.
This requirement is documented in the Voice Call plugin docs.
## Fix Commit(s)
- `29b587e73cbdc941caec573facd16e87d52f007b`
- `f47584fec` (centralized verification helper + stronger tests)
## Workarounds
- Configure `plugins.entries.voice-call.config.telnyx.publicKey` (or `TELNYX_PUBLIC_KEY`) to enable signature verification.
- Only for local development: set `skipSignatureVerification: true`.
Thanks @p80n-sec for reporting.
NVD CVSS 3.1: 7.5
Vulnerability type: CWE-306 (Missing Authentication for Critical Function)
References
- https://github.com/openclaw/openclaw/security/advisories/GHSA-4hg8-92x6-h2f3 (Vendor Advisory, Mitigation)
- https://nvd.nist.gov/vuln/detail/CVE-2026-26319
- https://github.com/advisories/GHSA-4hg8-92x6-h2f3
- https://github.com/openclaw/openclaw/commit/29b587e73cbdc941caec573facd16e87d52f... (Patch)
- https://github.com/openclaw/openclaw/commit/f47584fec86d6d73f2d483043a2ad0e7e3c5... (Patch)
- https://github.com/openclaw/openclaw/releases/tag/v2026.2.14 (Product Release Notes)
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026