10 matches found
OpenClaw: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding
Summary: Telnyx Webhook Replay Detection Bypass via Base64 Signature Re-encoding. Current Maintainer Triage: Status: narrow; Normalized severity: low; Assessment: Shipped v2026.3.28 replay hashing treated equivalent Telnyx Base64/Base64URL signatures as distinct requests, but signature...
OpenClaw < 2026.2.14 Multiple Vulnerabilities
The version of the OpenClaw AI assistant installed on the remote host is prior to 2026.2.14. It is, therefore, affected by multiple vulnerabilities, including: - A command injection in the maintainer clawtributors updater script allowed arbitrary command execution via crafted git commit author...
CVE-2026-26319
OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are...
CVE-2026-26319
OpenClaw contains a vulnerability in the optional @openclaw/voice-call Telnyx webhook handler: when telnyx.publicKey is not configured, verification can fail open, allowing unauthenticated HTTP POSTs to be treated as legitimate Telnyx events. Affected versions are 2026.2.13 and earlier; the issue...
CVE-2026-26319 OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests
OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are...
CVE-2026-26319 OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests
OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are...
CVE-2026-26319 OpenClaw has Missing Webhook Authentication in Telnyx Provider Allowing Unauthenticated Requests
OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are...
OpenClaw Access Control Error Vulnerability
OpenClaw is an open-source intelligent artificial assistant from openclaw. OpenClaw suffers from an Access Control Error vulnerability that stems from the @openclaw/voice-call plugin Telnyx webhook handler accepting unsigned inbound webhook requests when telnyx.publicKey is not configured, which can b...
GHSA-4HG8-92X6-H2F3 OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
Summary: In affected versions, OpenClaw's optional @openclaw/voice-call plugin Telnyx webhook handler could accept unsigned inbound webhook requests when telnyx.publicKey was not configured, allowing unauthenticated callers to forge Telnyx events. This only impacts deployments where the Voice Call...
PT-2026-20351
Name of the Vulnerable Software and Affected Versions: OpenClaw versions prior to 2026.2.14. Description: The OpenClaw software, when using the @openclaw/voice-call plugin, is susceptible to an authentication bypass. Specifically, the Telnyx webhook handler could accept unsigned inbound webhook...