5 matches found

Vulnrichment
added 2026/03/05 10:0 p.m., 1 views

CVE-2026-29606 OpenClaw < 2026.2.14 - Webhook Signature Verification Bypass via ngrok Loopback Compatibility

OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly...

6.5 CVSS, 5.8 AI score, 0.00056 EPSS
Exploits 0, References 3

ATTACKERKB
added 2026/03/05 10:0 p.m., 3 views

CVE-2026-29606

OpenClaw versions prior to 2026.2.14 contain a webhook signature-verification bypass in the voice-call extension that allows unauthenticated requests when the tunnel.allowNgrokFreeTierLoopbackBypass option is explicitly enabled. An external attacker can send forged requests to the publicly...

6.3 CVSS, 6 AI score, 0.00056 EPSS
Exploits 0, References 4

CVE
added 2026/03/05 10:0 p.m., 5 views

CVE-2026-29606

OpenClaw before version 2026.2.14 contains a webhook signature-verification bypass in the voice-call extension when tunnel.allowNgrokFreeTierLoopbackBypass is enabled, allowing unauthenticated requests to the publicly reachable webhook endpoint. This can lead to unauthorized webhook event handlin...

6.5 CVSS, 6 AI score, 0.00056 EPSS
Exploits 0, References 3, Affected Software 1

Github Security Blog
added 2026/02/18 12:54 a.m., 12 views

OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled

Summary: A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled. Impact: This issue is limited to configurations that explicitly enable and expose the voice-call webhook...

6.5 CVSS, 5.5 AI score, 0.00056 EPSS
Exploits 0, References 6, Affected Software 1

OSV
added 2026/02/18 12:54 a.m., 3 views

GHSA-C37P-4QQG-3P76 OpenClaw Twilio voice-call webhook auth bypass when ngrok loopback compatibility is enabled

Summary: A Twilio webhook signature-verification bypass in the voice-call extension could allow unauthenticated webhook requests when a specific ngrok free-tier compatibility option is enabled. Impact: This issue is limited to configurations that explicitly enable and expose the voice-call webhook...

6.5 CVSS, 5.5 AI score, 0.00056 EPSS
Exploits 0, References 6