PT-2026-22435 · Npm · Openclaw
Published 2026-02-18 · Updated 2026-02-18
CVSS v4.0: 6.3 (Medium)
Vector: AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N
Summary
A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled.
Impact
This issue is limited to configurations that explicitly enable and expose the voice-call webhook endpoint.
Not affected by default:
- The voice-call extension is optional and disabled by default.
- The bypass only applied when tunnel.allowNgrokFreeTierLoopbackBypass was explicitly enabled.
- Exploitation required the webhook to be reachable (typically via a public ngrok URL during development).
Worst case (when exposed and the option was enabled):
- An external attacker could send forged requests to the publicly reachable webhook endpoint that would be accepted without a valid X-Twilio-Signature.
- This could result in unauthorized webhook event handling (integrity) and request flooding (availability).
Affected Packages / Versions
- Package: openclaw (npm)
- Affected versions: <= 2026.2.13 (latest published as of 2026-02-14)
- Patched versions: >= 2026.2.14 (planned next release; pending publish)
Fix
allowNgrokFreeTierLoopbackBypass no longer bypasses signature verification. It only enables trusting forwarded headers on loopback so the public ngrok URL can be reconstructed for correct signature validation.
Fix commit(s):
- ff11d8793b90c52f8d84dae3fbb99307da51b5c9
Thanks @p80n-sec for reporting.
Correction
Missing Authentication
Weakness Enumeration
Related identifiers
Affected products
Openclaw