Missing Authentication for Critical Function in OpenClaw - CVE-2026-26319
Published: May 4, 2026
OpenClaw
Detailed vulnerability description
The vulnerability allows a remote attacker to forge Telnyx events.
The vulnerability exists due to missing authentication for the Telnyx webhook handler in TelnyxProvider.verifyWebhook() when handling inbound webhook requests without telnyx.publicKey configured. A remote attacker can send arbitrary HTTP POST requests to the voice-call webhook endpoint to forge Telnyx events.
This only affects deployments where the Voice Call plugin is installed and enabled, and where the webhook endpoint is reachable by the attacker.
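A fail-closed webhook verifier for the condition described above, as an added example; it is not OpenClaw's code or its actual fix. The function and parameter names and the 300-second tolerance are hypothetical. It assumes Telnyx's Ed25519 webhook scheme: `telnyx-signature-ed25519` and `telnyx-timestamp` headers, a signature over `timestamp|raw body`, and a base64-encoded raw public key.

```javascript
const crypto = require('node:crypto');

// DER prefix that wraps a raw 32-byte Ed25519 key as SubjectPublicKeyInfo.
const SPKI_PREFIX = Buffer.from('302a300506032b6570032100', 'hex');

// Hypothetical verifier (not OpenClaw's code). Returns { ok, reason }.
function verifyWebhook({ publicKeyB64, headers, rawBody, nowSec, toleranceSec = 300 }) {
  // Fail closed: no configured key means no event can be authenticated.
  if (!publicKeyB64) return { ok: false, reason: 'public key not configured' };
  const sigB64 = headers['telnyx-signature-ed25519'];
  const ts = headers['telnyx-timestamp'];
  if (!sigB64 || !ts) return { ok: false, reason: 'missing signature headers' };
  // Bound replay of previously captured requests.
  if (!/^\d+$/.test(ts) || Math.abs(nowSec - Number(ts)) > toleranceSec) {
    return { ok: false, reason: 'stale or invalid timestamp' };
  }
  const raw = Buffer.from(publicKeyB64, 'base64');
  if (raw.length !== 32) return { ok: false, reason: 'malformed public key' };
  const key = crypto.createPublicKey({
    key: Buffer.concat([SPKI_PREFIX, raw]), format: 'der', type: 'spki',
  });
  // Signed message is "<timestamp>|<raw body bytes>"; verify before JSON.parse.
  const msg = Buffer.concat([Buffer.from(`${ts}|`), rawBody]);
  const ok = crypto.verify(null, msg, key, Buffer.from(sigB64, 'base64'));
  return ok ? { ok: true, reason: 'verified' } : { ok: false, reason: 'bad signature' };
}

// Constructed sample: throwaway key pair and a made-up event body.
function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const publicKeyB64 = publicKey.export({ format: 'der', type: 'spki' })
    .subarray(SPKI_PREFIX.length).toString('base64');
  const nowSec = 1700000000;
  const rawBody = Buffer.from('{"data":{"event_type":"call.initiated"}}');
  const ts = String(nowSec);
  const sig = crypto.sign(null, Buffer.concat([Buffer.from(`${ts}|`), rawBody]), privateKey)
    .toString('base64');
  const signed = { 'telnyx-signature-ed25519': sig, 'telnyx-timestamp': ts };
  return {
    genuine: verifyWebhook({ publicKeyB64, headers: signed, rawBody, nowSec }),
    noKey: verifyWebhook({ publicKeyB64: undefined, headers: signed, rawBody, nowSec }),
    unsigned: verifyWebhook({ publicKeyB64, headers: {}, rawBody, nowSec }),
    tampered: verifyWebhook({ publicKeyB64, headers: signed,
      rawBody: Buffer.from('{"data":{"event_type":"call.hangup"}}'), nowSec }),
    replayed: verifyWebhook({ publicKeyB64, headers: signed, rawBody, nowSec: nowSec + 3600 }),
  };
}

console.log(demo());
```

The `noKey` case is the one that matters for this advisory: a missing key is treated as a rejection, never as "verification disabled".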