1.7
Telnyx Webhook Signature Bypass in OpenClaw
GHSA-37v6-fxx8-xjmx
Summary
A flaw in the OpenClaw package's replay detection for Telnyx webhooks treats the same signature, re-encoded between Base64 and Base64URL, as a different request, so a replayed webhook can be processed as if it were new. Signature verification itself is not bypassed. Update OpenClaw to version 2026.3.31 or later to fix this issue.
What to do
- Update openclaw to version 2026.3.31.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | openclaw | <= 2026.3.28 | 2026.3.31 |
Original title
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Original description
## Summary
Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
## Current Maintainer Triage
- Status: narrow
- Normalized severity: low
- Assessment: Shipped v2026.3.28 replay hashing treated equivalent Telnyx Base64/Base64URL signatures as distinct requests, but signature verification still held, so lower to low.
## Affected Packages / Versions
- Package: `openclaw` (npm)
- Latest published npm version: `2026.3.31`
- Vulnerable version range: `<=2026.3.28`
- Patched versions: `>= 2026.3.31`
- First stable tag containing the fix: `v2026.3.31`
## Fix Commit(s)
- `ad77666054651c1fd77b1dc60fd6a8db6600a29a` — 2026-03-30T20:01:43+01:00
## Release Process Note
- The fix is already present in released version `2026.3.31`.
- This draft looks ready for final maintainer disposition or publication, not additional code-fix work.
OpenClaw thanks @AntAISecurityLab for reporting.
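The triage note above describes a replay cache keyed on the signature header text, so Base64 and Base64URL spellings of one signature count as two requests. The following is an added example, not OpenClaw's code: every function name, the `timestamp|signature` key layout and the sample values are assumptions made for illustration. It contrasts a text-based replay key with one derived from the decoded signature bytes.

```javascript
const { createHash } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s).digest("hex");

// Decode a signature header in Base64 or Base64URL, padded or not, to raw bytes.
function decodeSignature(sig) {
  const b64 = sig.trim().replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  if (!/^[A-Za-z0-9+/]*$/.test(b64)) throw new Error("malformed signature");
  return Buffer.from(b64, "base64");
}

// Weak: key built from the header text exactly as received.
function weakReplayKey(timestamp, signature) {
  return sha256(`${timestamp}|${signature}`);
}

// Hardened: key built from the decoded bytes, so every spelling of one
// signature collapses to the same cache entry.
function canonicalReplayKey(timestamp, signature) {
  return sha256(`${timestamp}|${decodeSignature(signature).toString("hex")}`);
}

// Minimal replay cache; consult it only after signature verification succeeds.
class ReplayCache {
  constructor(keyFn) { this.keyFn = keyFn; this.seen = new Set(); }
  isReplay(timestamp, signature) {
    const key = this.keyFn(timestamp, signature);
    if (this.seen.has(key)) return true;
    this.seen.add(key);
    return false;
  }
}

// Constructed sample: a 64-byte stand-in for a signature, in both encodings.
const SAMPLE_TS = "1774900000";
const SAMPLE_SIG = Buffer.alloc(64, 0xfb);
const SIG_B64 = SAMPLE_SIG.toString("base64");       // "+/v7..." with "==" padding
const SIG_B64URL = SAMPLE_SIG.toString("base64url"); // "-_v7..." without padding

// Deliver the webhook once, then again with the signature re-encoded.
function demo() {
  const weak = new ReplayCache(weakReplayKey);
  const hardened = new ReplayCache(canonicalReplayKey);
  weak.isReplay(SAMPLE_TS, SIG_B64);
  hardened.isReplay(SAMPLE_TS, SIG_B64);
  return {
    weakFlagsReencoded: weak.isReplay(SAMPLE_TS, SIG_B64URL),
    hardenedFlagsReencoded: hardened.isReplay(SAMPLE_TS, SIG_B64URL),
  };
}
```

Rejecting any signature header that is not in the single encoding the provider documents is a stricter alternative to canonicalizing it.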
ghsa CVSS4.0
1.7
Vulnerability type
CWE-294
Published: 3 Apr 2026 · Updated: 3 Apr 2026 · First seen: 3 Apr 2026