OpenClaw, Authentication Bypass, CVE-2026-26319 (High)

Listen to this Post

In affected versions of OpenClaw, the optional `@openclaw/voice-call` plugin contains a vulnerability in its Telnyx webhook handler . This handler is designed to receive and process events from Telnyx, such as incoming call notifications. Telnyx webhooks are expected to be authenticated using Ed25519 signature verification to ensure they are genuine. However, in versions prior to 2026.2.14, the `TelnyxProvider.verifyWebhook()` function had a critical flaw . If the `telnyx.publicKey` (or the `TELNYX_PUBLIC_KEY` environment variable) was not configured by the OpenClaw administrator, the verification check would effectively “fail open.” This means that instead of rejecting the request due to a missing configuration, it would treat any HTTP POST request sent to the webhook endpoint as a legitimate, verified Telnyx event . Consequently, an unauthenticated attacker who can reach this endpoint (for instance, if the OpenClaw instance is exposed to the internet) could forge arbitrary Telnyx events. This could lead to unauthorized actions within the voice-call plugin, potentially disrupting service or triggering unintended functions . The vulnerability has been assigned CVE-2026-26319 with a CVSS score of 7.5 (High) . The fix, implemented in commit 29b587e, makes the verification “fail closed” by default, strictly requiring the public key to be configured for any verification to occur .
Platform: OpenClaw (npm)
Version: ≤ 2026.2.13
Vulnerability: Auth bypass
Severity: High
date: Feb 17, 2026

Prediction: Patch 2026.2.14

What Undercode Say:

Analytics

Check installed OpenClaw version
npm list openclaw
Check if voice-call plugin is installed
ls node_modules/@openclaw/voice-call
Check configuration for missing Telnyx public key
cat config/default.json | grep -A5 '"telnyx"' | grep 'publicKey'
grep -r "TELNYX_PUBLIC_KEY" .env
Example of vulnerable code pattern (simulated)
grep -r "verifyWebhook" node_modules/@openclaw/voice-call/

Exploit

An attacker could forge a Telnyx event with a simple curl command
if the target's public key is not configured.
curl -X POST https://target-openclaw.com/api/webhooks/telnyx-voice \
-H "Content-Type: application/json" \
-d '{"event_type": "call.missed", "payload": {"call_control_id": "attacker-controlled"}}'

Protection

1. IMMEDIATELY update the package to the patched version
npm install [email protected]
2. If unable to update, manually configure the Telnyx public key
Add to your OpenClaw configuration file (e.g., config/default.json)
cat <<EOF >> config/default.json
{
"plugins": {
"entries": {
"voice-call": {
"config": {
"telnyx": {
"publicKey": "YOUR_ACTUAL_TELNYX_PUBLIC_KEY"
}
}
}
}
}
}
EOF
3. Alternatively, set the environment variable
export TELNYX_PUBLIC_KEY="your-actual-public-key-here"
4. Ensure 'skipSignatureVerification' is false in production
grep -r "skipSignatureVerification" node_modules/@openclaw/voice-call/

Impact

  • Unauthenticated attackers forge valid Telnyx events.
  • Allows manipulation of voice call states without a signature .
  • CVSS 7.5 High, enabling data manipulation or DoS .

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top