CVE-2026-26319

EPSS 0.04%
Veröffentlicht 19.02.2026 22:05:26
Zuletzt bearbeitet 20.02.2026 19:03:02
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

OpenClaw is a personal AI assistant. Versions 2026.2.13 and below allow the optional @openclaw/voice-call plugin Telnyx webhook handler to accept unsigned inbound webhook requests when telnyx.publicKey is not configured, enabling unauthenticated callers to forge Telnyx events. Telnyx webhooks are expected to be authenticated via Ed25519 signature verification. In affected versions, TelnyxProvider.verifyWebhook() could effectively fail open when no Telnyx public key was configured, allowing arbitrary HTTP POST requests to the voice-call webhook endpoint to be treated as legitimate Telnyx events. This only impacts deployments where the Voice Call plugin is installed, enabled, and the webhook endpoint is reachable from the attacker (for example, publicly exposed via a tunnel/proxy). The issue has been fixed in version 2026.2.14.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

OpenClaw ≫ OpenClaw SwPlatformnode.js Version < 2026.2.14

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.04%	0.124

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

CWE-306 Missing Authentication for Critical Function

The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.

https://github.com/openclaw/openclaw/releases/tag/v2026.2.14

Product

Release Notes

https://github.com/openclaw/openclaw/security/advisories/GHSA-4hg8-92x6-h2f3

Vendor Advisory

Mitigation

https://github.com/openclaw/openclaw/commit/29b587e73cbdc941caec573facd16e87d52f007b

Patch

https://github.com/openclaw/openclaw/commit/f47584fec86d6d73f2d483043a2ad0e7e3c50411

Patch

https://nvd.nist.gov/vuln/detail/CVE-2026-26319

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-26319

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-26319

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-26319