CVE-2026-26319: OpenClaw is Missing Webhook Authentication in Telnyx Provider Allows Unauthenticated Requests
(updated )
In affected versions, OpenClaw’s optional @openclaw/voice-call plugin Telnyx webhook handler could accept unsigned inbound webhook requests when telnyx.publicKey was not configured, allowing unauthenticated callers to forge Telnyx events.
This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy).
References
- github.com/advisories/GHSA-4hg8-92x6-h2f3
- github.com/openclaw/openclaw
- github.com/openclaw/openclaw/commit/29b587e73cbdc941caec573facd16e87d52f007b
- github.com/openclaw/openclaw/commit/f47584fec86d6d73f2d483043a2ad0e7e3c50411
- github.com/openclaw/openclaw/releases/tag/v2026.2.14
- github.com/openclaw/openclaw/security/advisories/GHSA-4hg8-92x6-h2f3
- nvd.nist.gov/vuln/detail/CVE-2026-26319
Code Behaviors & Features
Detect and mitigate CVE-2026-26319 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →