CVE-2026-26319

HIGH7.5EPSS 0.05%

OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests

發布日:2026/2/17修改日:2026/2/20

描述

## Summary In affected versions, OpenClaw's optional `@openclaw/voice-call` plugin Telnyx webhook handler could accept unsigned inbound webhook requests when `telnyx.publicKey` was not configured, allowing unauthenticated callers to forge Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy). ## Affected Packages / Versions - Package: `openclaw` (npm) - Affected: `<= 2026.2.13` - Fixed: `>= 2026.2.14` (planned) ## Details Telnyx webhooks are expected to be authenticated via Ed25519 signature verification. In affected versions, `TelnyxProvider.verifyWebhook()` could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events. ## Fix The fix makes Telnyx webhook verification fail closed by default and requires `telnyx.publicKey` (or `TELNYX_PUBLIC_KEY`) to be configured. A signature verification bypass exists only for local development via `skipSignatureVerification: true`, which is off by default, emits a loud startup warning, and should not be used in production. This requirement is documented in the Voice Call plugin docs. ## Fix Commit(s) - `29b587e73cbdc941caec573facd16e87d52f007b` - `f47584fec` (centralized verification helper + stronger tests) ## Workarounds - Configure `plugins.entries.voice-call.config.telnyx.publicKey` (or `TELNYX_PUBLIC_KEY`) to enable signature verification. - Only for local development: set `skipSignatureVerification: true`. Thanks @p80n-sec for reporting.

受影響套件(1)

npm/openclawfrom 0, < 2026.2.14

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

描述

受影響套件(1)

CVSS 分數

參考連結(6)