Skip to main content
Live Webinar with SANS (June 25)— Agentic CTI Automation for Fun & ProfitRegister Free
Mallory
Back to vulnerabilities
High

Authentication Bypass in OpenClaw @openclaw/voice-call Telnyx Webhook Verification

IdentifiersCVE-2026-26319CWE-306· Missing Authentication for…

CVE-2026-26319 affects OpenClaw versions 2026.2.13 and earlier in deployments using the optional @openclaw/voice-call plugin. The vulnerability is in the Telnyx webhook handling path, where inbound webhook requests are expected to be authenticated using Ed25519 signature verification. In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when telnyx.publicKey was not configured, causing the application to accept unsigned inbound webhook requests as if they were legitimate Telnyx events. As a result, arbitrary HTTP POST requests sent to the voice-call webhook endpoint could be processed as trusted Telnyx-originated events. The issue only affects deployments where the Voice Call plugin is installed and enabled and where the webhook endpoint is reachable by an attacker, such as when exposed through a public tunnel or proxy. The vulnerability was fixed in OpenClaw version 2026.2.14.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

An unauthenticated attacker able to reach the exposed voice-call webhook endpoint can forge Telnyx webhook events without possessing a valid Telnyx signing key or generating a valid Ed25519 signature. This can allow unauthorized triggering of call-related or workflow actions that depend on webhook events, undermining trust in the telephony integration and enabling authentication bypass at the webhook boundary. The precise downstream impact depends on how the affected deployment processes Telnyx events, but it includes unauthorized event injection into the voice-call workflow.

Mitigation

If you can’t patch tonight, do this now.

Configure Telnyx webhook signature verification by setting telnyx.publicKey or TELNYX_PUBLIC_KEY in all environments handling real traffic. Do not use skipSignatureVerification in production; if present, reserve it strictly for local development and testing. Reduce exposure of the voice-call webhook endpoint by avoiding unnecessary public tunnels or proxies and by restricting inbound access to trusted sources where possible.

Remediation

Patch, then assume compromise.

Upgrade OpenClaw to version 2026.2.14 or later, which fixes the fail-open behavior in the Telnyx webhook verification path. Additionally, ensure the Telnyx public key is properly configured via plugins.entries.voice-call.config.telnyx.publicKey or the TELNYX_PUBLIC_KEY environment variable so webhook signature verification is enforced. Do not rely on deployments where signature verification can be bypassed due to missing configuration.
PUBLIC EXPLOITS

Exploits

No public exploits tracked yet. Mallory keeps watching.

VALID 0 / 0 TOTALView more in app

No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
OpenclawOpenclawapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

5 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

5 SOURCESView more in app
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity3

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2026-26319
NVD
nvd.nist.gov/vuln/detail/CVE-2026-26319
MITRE CWE · CWE-306
Missing Authentication for Critical Function
Patch
github.com/openclaw/openclaw/commit/29b587e73cbdc941caec573facd16e87d52f007b
Patch
github.com/openclaw/openclaw/commit/f47584fec86d6d73f2d483043a2ad0e7e3c50411
Vendor Advisory
github.com/openclaw/openclaw/security/advisories/GHSA-4hg8-92x6-h2f3
Release Notes
github.com/openclaw/openclaw/releases/tag/v2026.2.14