PT-2026-20351 · OpenClaw

P80N-Sec · Published 2026-02-17 · Updated 2026-02-20 · CVE-2026-26319

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

Name of the Vulnerable Software and Affected Versions

OpenClaw versions prior to 2026.2.14

Description

OpenClaw, when using the @openclaw/voice-call plugin, is susceptible to an authentication bypass. The Telnyx webhook handler could accept unsigned inbound webhook requests if the telnyx.publicKey configuration was not set, which allows unauthenticated callers to potentially forge Telnyx events. The cause is that TelnyxProvider.verifyWebhook() could fail open when no Telnyx public key was configured, treating arbitrary HTTP POST requests as legitimate Telnyx events. The vulnerability is present only when the Voice Call plugin is installed and enabled and the webhook endpoint is reachable from an attacker. The only signature verification bypass that exists by design is skipSignatureVerification: true, which is for local development, is off by default, and emits a warning.

Recommendations

Configure plugins.entries.voice-call.config.telnyx.publicKey (or TELNYX_PUBLIC_KEY) to enable signature verification.
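
The fail-open behaviour described above, next to a fail-closed check, as an added example that is not OpenClaw's own code. It assumes Telnyx's Ed25519 webhook scheme (signature over `timestamp|body`); the function names, the `req` object shape and the 300-second replay window are hypothetical.

```javascript
// Added example (not OpenClaw's code): fail-open vs fail-closed webhook verification.
const crypto = require('node:crypto');

const MAX_SKEW_SECONDS = 300; // assumed replay window, not taken from the advisory

// Ed25519 check over "<timestamp>|<rawBody>" (assumed Telnyx webhook scheme).
function signatureValid(publicKey, timestamp, rawBody, signatureB64) {
  if (!timestamp || !signatureB64) return false;
  const skew = Math.abs(Date.now() / 1000 - Number(timestamp));
  if (!Number.isFinite(skew) || skew > MAX_SKEW_SECONDS) return false;
  const signed = Buffer.from(`${timestamp}|${rawBody}`);
  try {
    return crypto.verify(null, signed, publicKey, Buffer.from(signatureB64, 'base64'));
  } catch {
    return false; // malformed key or signature is a rejection, never a pass
  }
}

// Pattern described in the advisory: no key configured means "accept".
function verifyFailOpen(config, req) {
  if (!config.publicKey) return { ok: true };
  return { ok: signatureValid(config.publicKey, req.timestamp, req.rawBody, req.signature) };
}

// Hardened: a missing key is a configuration error and the request is rejected.
function verifyFailClosed(config, req) {
  if (!config.publicKey) return { ok: false, reason: 'public key not configured' };
  const ok = signatureValid(config.publicKey, req.timestamp, req.rawBody, req.signature);
  return ok ? { ok } : { ok, reason: 'invalid signature' };
}

// Constructed test data: throwaway key pair and a made-up event body.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const timestamp = String(Math.floor(Date.now() / 1000));
  const rawBody = JSON.stringify({ data: { event_type: 'call.initiated' } });
  const signature = crypto.sign(null, Buffer.from(`${timestamp}|${rawBody}`), privateKey).toString('base64');
  const signed = { timestamp, rawBody, signature };
  const unsigned = { rawBody }; // no signature headers at all
  return {
    failOpenNoKey: verifyFailOpen({}, unsigned).ok,
    failClosedNoKey: verifyFailClosed({}, unsigned).ok,
    failClosedUnsigned: verifyFailClosed({ publicKey }, unsigned).ok,
    failClosedSigned: verifyFailClosed({ publicKey }, signed).ok,
    failClosedTampered: verifyFailClosed({ publicKey }, { ...signed, rawBody: rawBody + ' ' }).ok,
  };
}

console.log(demo());
```

The signature must be computed over the raw request bytes, so the handler has to capture the body before any JSON parsing or re-serialization.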

Exploit

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-26319
GHSA-4HG8-92X6-H2F3

Affected Products

@Openclaw/Voice-Call
Openclaw
Telnyx