PT-2026-23561 · Openclaw · Openclaw

Peyton Kennedy · Published 2026-02-15 · Updated 2026-03-11 · CVE-2026-29606

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Vulnerable software and affected versions: OpenClaw versions prior to 2026.2.14

Description: The software contains a webhook signature-verification bypass in the voice-call extension. This allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is enabled. An external attacker can send forged requests to the publicly reachable webhook endpoint without a valid X-Twilio-Signature header, resulting in unauthorized webhook event handling and potential request flooding attacks. The issue is limited to configurations where the voice-call extension is enabled and the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled, making the webhook reachable.

Recommendations: Update to version 2026.2.14 or later.
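To make the failure mode concrete, here is an added Python illustration (not OpenClaw's code; the weak handler is a simplified model of the behaviour the advisory describes) of Twilio-style webhook signature verification: the weak configuration skips the check whenever the loopback-bypass option is on, so a request with no X-Twilio-Signature header is handled, while the hardened handler verifies the HMAC on every request. The auth token, URL and call parameters are constructed sample values.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional

# Constructed sample values; a real Twilio auth token is a per-account secret.
AUTH_TOKEN = "example-auth-token-not-real"
WEBHOOK_URL = "https://example.invalid/voice-call/webhook"
SAMPLE_PARAMS = {
    "CallSid": "CA00000000000000000000000000000000",  # constructed, not a real call
    "From": "+15550100",
    "CallStatus": "ringing",
}


def twilio_signature(auth_token: str, url: str, params: Mapping[str, str]) -> str:
    """Twilio's documented scheme: base64(HMAC-SHA1(token, url + params sorted by key,
    each key immediately followed by its value))."""
    payload = url + "".join(key + params[key] for key in sorted(params))
    mac = hmac.new(auth_token.encode(), payload.encode(), hashlib.sha1).digest()
    return base64.b64encode(mac).decode()


def signature_valid(auth_token: str, url: str, params: Mapping[str, str],
                    header: Optional[str]) -> bool:
    """A missing header is never valid; present headers are compared in constant time."""
    if header is None:
        return False
    return hmac.compare_digest(twilio_signature(auth_token, url, params), header)


def accept_weak(params: Mapping[str, str], header: Optional[str],
                loopback_bypass_enabled: bool) -> bool:
    """Simplified model of the vulnerable configuration (assumption, not OpenClaw's code):
    with the loopback-bypass option enabled the signature check is skipped entirely, so a
    tunnelled request without any X-Twilio-Signature header is still handled."""
    if loopback_bypass_enabled:
        return True
    return signature_valid(AUTH_TOKEN, WEBHOOK_URL, params, header)


def accept_hardened(params: Mapping[str, str], header: Optional[str]) -> bool:
    """Hardened handler: the signature is verified on every request, whatever the tunnel
    options say, so unsigned or tampered requests are rejected before any event handling."""
    return signature_valid(AUTH_TOKEN, WEBHOOK_URL, params, header)
```

The same check applied to a log of rejected requests (missing or invalid header on a reachable webhook) is a useful detection signal for probing of this endpoint.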

Weakness Enumeration

Missing Authentication

Related identifiers

BDU:2026-07919
CVE-2026-29606
GHSA-C37P-4QQG-3P76

Affected products

Openclaw