
OpenClaw's voice-call webhook can accept fake requests

GHSA-gcj7-r3hg-m7w6
Summary

OpenClaw's voice-call Twilio webhook could accept replayed requests: an attacker holding one valid signed request only had to change the unsigned `i-twilio-idempotency-token` header to make the system treat a previously delivered request as new. The fix derives replay and dedupe identity from the verified request instead of from mutable headers. If you use OpenClaw's voice-call webhook, update to the latest version to stay secure.

What to do
  • Update openclaw to version 2026.2.26.
Affected software
| Vendor | Product | Affected versions | Fix available |
| --- | --- | --- | --- |
| – | openclaw | <= 2026.2.25 | 2026.2.26 |
Original title
OpenClaw's voice-call Twilio replay dedupe now bound to authenticated webhook identity
Original description
### Summary
The voice-call Twilio webhook path accepted replay/dedupe identity from unsigned request metadata (`i-twilio-idempotency-token`), enabling replayed signed requests to bypass replay detection and manager dedupe by mutating only that header.

### Affected Packages / Versions
- Package: `openclaw` (npm)
- Affected versions: `<= 2026.2.25` (latest published npm version at triage time)
- Fixed on `main`: commit `1aadf26f9acc399affabd859937a09468a9c5cb4`
- Planned patched npm version: `2026.2.26`

### Impact
Deployments using the optional `voice-call` Twilio webhook path could accept replayed webhook events as fresh events when an attacker had one valid signed request and changed only the unsigned idempotency header.

### Technical Details
The fix removes unsigned-header trust from Twilio replay/dedupe identity and binds replay/manager dedupe to authenticated request material. It also threads a verified request identity through provider parsing so dedupe uses verification-derived identity rather than mutable headers.

### Fix Commit(s)
- `1aadf26f9acc399affabd859937a09468a9c5cb4`

### Release Process Note
`patched_versions` is pre-set to the planned next release (`2026.2.26`). After the npm release is published, this advisory can be published without additional version-field edits.

OpenClaw thanks @tdjackey for reporting.
CVSS 3.1 (GHSA): 3.7
Vulnerability type
  • CWE-294: Authentication Bypass by Capture-replay
  • CWE-345: Insufficient Verification of Data Authenticity
Published: 3 Mar 2026 · Updated: 7 Mar 2026 · First seen: 6 Mar 2026