Listen to this Post
In affected versions of OpenClaw, the optional `@openclaw/voice-call` plugin contains a vulnerability in its Telnyx webhook handler . This handler is designed to receive and process events from Telnyx, such as incoming call notifications. Telnyx webhooks are expected to be authenticated using Ed25519 signature verification to ensure they are genuine. However, in versions prior to 2026.2.14, the `TelnyxProvider.verifyWebhook()` function had a critical flaw . If the `telnyx.publicKey` (or the `TELNYX_PUBLIC_KEY` environment variable) was not configured by the OpenClaw administrator, the verification check would effectively “fail open.” This means that instead of rejecting the request due to a missing configuration, it would treat any HTTP POST request sent to the webhook endpoint as a legitimate, verified Telnyx event . Consequently, an unauthenticated attacker who can reach this endpoint (for instance, if the OpenClaw instance is exposed to the internet) could forge arbitrary Telnyx events. This could lead to unauthorized actions within the voice-call plugin, potentially disrupting service or triggering unintended functions . The vulnerability has been assigned CVE-2026-26319 with a CVSS score of 7.5 (High) . The fix, implemented in commit 29b587e, makes the verification “fail closed” by default, strictly requiring the public key to be configured for any verification to occur .
Platform: OpenClaw (npm)
Version: ≤ 2026.2.13
Vulnerability: Auth bypass
Severity: High
date: Feb 17, 2026
Prediction: Patch 2026.2.14
What Undercode Say:
Analytics
Check installed OpenClaw version npm list openclaw Check if voice-call plugin is installed ls node_modules/@openclaw/voice-call Check configuration for missing Telnyx public key cat config/default.json | grep -A5 '"telnyx"' | grep 'publicKey' grep -r "TELNYX_PUBLIC_KEY" .env Example of vulnerable code pattern (simulated) grep -r "verifyWebhook" node_modules/@openclaw/voice-call/
Exploit
An attacker could forge a Telnyx event with a simple curl command
if the target's public key is not configured.
curl -X POST https://target-openclaw.com/api/webhooks/telnyx-voice \
-H "Content-Type: application/json" \
-d '{"event_type": "call.missed", "payload": {"call_control_id": "attacker-controlled"}}'
Protection
1. IMMEDIATELY update the package to the patched version npm install [email protected] 2. If unable to update, manually configure the Telnyx public key Add to your OpenClaw configuration file (e.g., config/default.json) cat <<EOF >> config/default.json { "plugins": { "entries": { "voice-call": { "config": { "telnyx": { "publicKey": "YOUR_ACTUAL_TELNYX_PUBLIC_KEY" } } } } } } EOF 3. Alternatively, set the environment variable export TELNYX_PUBLIC_KEY="your-actual-public-key-here" 4. Ensure 'skipSignatureVerification' is false in production grep -r "skipSignatureVerification" node_modules/@openclaw/voice-call/
Impact
- Unauthenticated attackers forge valid Telnyx events.
- Allows manipulation of voice call states without a signature .
- CVSS 7.5 High, enabling data manipulation or DoS .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

