CVE-2026-28446 Overview
OpenClaw versions prior to 2026.2.1 with the voice-call extension installed and enabled contain an authentication bypass vulnerability in inbound allowlist policy validation that accepts empty caller IDs and uses suffix-based matching instead of strict equality. Remote attackers can bypass inbound access controls by placing calls with missing caller IDs or numbers ending with allowlisted digits to reach the voice-call agent and execute tools.
Critical Impact
This authentication bypass vulnerability allows remote attackers to completely circumvent inbound access controls, potentially gaining unauthorized access to the voice-call agent functionality and executing privileged tools without proper authorization.
Affected Products
- OpenClaw versions prior to 2026.2.1 with voice-call extension enabled
- OpenClaw installations using inbound allowlist or pairing policies
- OpenClaw deployments with Telnyx or Twilio voice integration
Discovery Timeline
- 2026-03-05 - CVE-2026-28446 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2026-28446
Vulnerability Analysis
The vulnerability stems from improper authentication validation in the voice-call extension's inbound allowlist functionality. The flawed implementation exhibits two critical weaknesses: first, it accepts empty or missing caller IDs as valid, effectively allowing any call with a spoofed or absent caller identification to pass through the allowlist check. Second, the matching logic uses suffix-based comparison rather than strict equality, meaning an attacker's phone number only needs to end with the same digits as an allowlisted number to be granted access.
This combination of flaws (CWE-303: Incorrect Implementation of Authentication Algorithm) creates a significant attack surface where the authentication mechanism fails to properly validate the identity of inbound callers. The network-accessible nature of voice systems means this vulnerability can be exploited remotely without any prior authentication or user interaction.
Root Cause
The root cause lies in the isAllowlistedCaller function's implementation, which failed to enforce strict phone number matching and did not properly handle edge cases where caller ID information was missing or empty. The original code did not normalize phone numbers before comparison and used suffix-based matching instead of exact equality checks. Additionally, the configuration validation did not require the Telnyx public key when using allowlist or pairing inbound policies, reducing the overall security posture of the authentication mechanism.
Attack Vector
An attacker can exploit this vulnerability through network-based voice calls targeting the OpenClaw voice-call extension. The attack requires no authentication, privileges, or user interaction. By initiating an inbound call with either:
- An empty or missing caller ID, which the vulnerable code incorrectly accepts as valid
- A phone number that ends with the same digits as any allowlisted number (e.g., if +15551234567 is allowlisted, calling from any number ending in 1234567 would match)
Once the attacker bypasses the allowlist validation, they gain access to the voice-call agent and can execute tools that should be restricted to authorized callers only.
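The two checks described above, side by side, as an added example that is not OpenClaw's code. The "vulnerable" function is a reconstruction of the behaviour the advisory describes (a missing caller ID is admitted, and matching is by suffix), not the project's original source; the "fixed" function follows the patched logic (normalize, reject empty, strict equality). All phone numbers and the allowlist are constructed samples.

```typescript
// Added example: reconstructed flawed allowlist check beside the hardened one.
// Neither function is OpenClaw's source; the vulnerable variant is an assumed
// shape that reproduces the two flaws the advisory describes.

type Decision = { allowed: boolean; reason: string };

// Strip everything but digits, so "+1 555 123 4567" and "15551234567" compare equal.
function digitsOnly(value: string | undefined): string {
  return (value ?? "").replace(/\D/g, "");
}

// Reconstruction (assumed) of the pre-fix logic.
function isAllowlistedCallerVulnerable(from: string | undefined, allowFrom: string[]): Decision {
  const caller = digitsOnly(from);
  if (caller === "") {
    // Flaw 1: an absent or empty caller ID is treated as "nothing to check" and admitted.
    return { allowed: true, reason: "no caller ID present; check skipped" };
  }
  for (const entry of allowFrom) {
    const allowDigits = digitsOnly(entry);
    // Flaw 2: suffix comparison, so any number ending in the allowlisted digits matches.
    if (allowDigits !== "" && caller.endsWith(allowDigits)) {
      return { allowed: true, reason: `suffix match on ${entry}` };
    }
  }
  return { allowed: false, reason: "no allowlist entry matched" };
}

// Hardened check, following the fix the advisory describes.
function isAllowlistedCallerFixed(from: string | undefined, allowFrom: string[]): Decision {
  const caller = digitsOnly(from);
  if (caller === "") {
    // Missing caller ID is a policy failure, not a pass.
    return { allowed: false, reason: "missing caller ID is rejected" };
  }
  for (const entry of allowFrom) {
    const allowDigits = digitsOnly(entry);
    // Strict equality on the normalized digit strings; empty entries never match.
    if (allowDigits !== "" && allowDigits === caller) {
      return { allowed: true, reason: `exact match on ${entry}` };
    }
  }
  return { allowed: false, reason: "no allowlist entry matched" };
}

type Comparison = { caller: string; vulnerable: boolean; fixed: boolean };

// Run both checks over a list of caller IDs and report which one admits each.
function compareDecisions(callers: Array<string | undefined>, allowFrom: string[]): Comparison[] {
  return callers.map((c) => {
    let label = c === undefined ? "<missing>" : c;
    if (label === "") label = "<empty>";
    return {
      caller: label,
      vulnerable: isAllowlistedCallerVulnerable(c, allowFrom).allowed,
      fixed: isAllowlistedCallerFixed(c, allowFrom).allowed,
    };
  });
}

// Constructed sample data.
const SAMPLE_ALLOWLIST: string[] = ["+1 555 123 4567"];
const SAMPLE_CALLERS: Array<string | undefined> = [
  "+15551234567",   // legitimate allowlisted caller: both checks admit
  undefined,        // caller ID absent: only the flawed check admits
  "",               // caller ID empty: only the flawed check admits
  "+4415551234567", // different number ending in the allowlisted digits: only the flawed check admits
  "+15559990000",   // unrelated number: both checks reject
];

function demo(): Comparison[] {
  return compareDecisions(SAMPLE_CALLERS, SAMPLE_ALLOWLIST);
}
```

Calling `demo()` returns one row per sample caller; the rows for the missing, empty and suffix-colliding callers are the ones where `vulnerable` is true and `fixed` is false, which is exactly the gap the patch closes.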
// Security patch demonstrating the fix in extensions/voice-call/src/allowlist.ts
+export function normalizePhoneNumber(input?: string): string {
+ if (!input) {
+ return "";
+ }
+ return input.replace(/\D/g, "");
+}
+
+export function isAllowlistedCaller(
+ normalizedFrom: string,
+ allowFrom: string[] | undefined,
+): boolean {
+ if (!normalizedFrom) {
+ return false;
+ }
+ return (allowFrom ?? []).some((num) => {
+ const normalizedAllow = normalizePhoneNumber(num);
+ return normalizedAllow !== "" && normalizedAllow === normalizedFrom;
+ });
+}
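Review bot: isAllowlistedCaller trusts its first argument to be already normalized (the parameter is named normalizedFrom), so a call site that passes the raw `from` value with a leading `+` or spaces will never match and an allowlisted caller is silently rejected; consider normalizing inside the function (`const normalizedFrom = normalizePhoneNumber(from);`) or documenting the precondition with a JSDoc comment on the exported function. The `if (!normalizedFrom)` guard and the `normalizedAllow !== ""` check correctly keep an empty entry from matching, but because normalizePhoneNumber strips every non-digit, allowlist entries must be written in the same international form the carrier delivers (`+15551234567` and `15551234567` compare equal, while a national form with a trunk prefix would not).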
Source: GitHub Commit
Detection Methods for CVE-2026-28446
Indicators of Compromise
- Inbound voice calls with missing or empty caller ID fields in call logs
- Multiple calls from different numbers sharing common digit suffixes with allowlisted numbers
- Unauthorized execution of voice-call agent tools from unrecognized caller sources
- Anomalous patterns of inbound calls attempting to access restricted functionality
Detection Strategies
- Monitor voice-call extension logs for calls processed without valid caller ID information
- Implement alerting for calls that pass allowlist validation from numbers not explicitly configured
- Review call detail records (CDRs) for patterns indicating suffix-matching exploitation attempts
- Deploy SentinelOne Singularity to monitor for anomalous process behavior following voice-call agent tool execution
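The indicators and detection strategies above, applied to call detail records, as an added example that is not part of the advisory or of OpenClaw. The CDR line format (`timestamp,direction,from,to,outcome`) and the records are constructed for this example; a real deployment would adapt the parser to its gateway's export and load the allowlist from the extension's configuration.

```typescript
// Added example: scan constructed call detail records for the three indicators
// of CVE-2026-28446 exploitation that the advisory lists: accepted inbound calls
// with no caller ID, accepted callers that only share a suffix with an allowlisted
// number, and accepted callers that are not on the allowlist at all.

type Cdr = { ts: string; direction: string; from: string; to: string; outcome: string };
type Finding = { rule: string; ts: string; from: string; detail: string };

// Constructed records (not real call logs).
const SAMPLE_CDR_LINES: string[] = [
  "2026-03-05T10:00:01Z,inbound,+15551234567,+15550001111,accepted",   // exact allowlisted caller
  "2026-03-05T10:02:14Z,inbound,,+15550001111,accepted",               // no caller ID, yet accepted
  "2026-03-05T10:05:40Z,inbound,+4415551234567,+15550001111,accepted", // suffix collision, accepted
  "2026-03-05T10:07:09Z,inbound,+15559990000,+15550001111,rejected",   // correctly rejected
  "2026-03-05T10:08:52Z,inbound,+15557770000,+15550001111,accepted",   // not allowlisted, accepted
  "2026-03-05T10:09:33Z,outbound,+15550001111,+15557778888,completed", // outbound: out of scope
];

// Constructed allowlist, written the way an operator might type it.
const SAMPLE_ALLOWLIST: string[] = ["+1 555 123 4567"];

function digitsOnly(value: string): string {
  return value.replace(/\D/g, "");
}

// Parse one CSV-style CDR line; returns undefined for malformed lines.
function parseCdrLine(line: string): Cdr | undefined {
  const parts = line.split(",");
  if (parts.length !== 5) return undefined;
  return { ts: parts[0], direction: parts[1], from: parts[2], to: parts[3], outcome: parts[4] };
}

// Flag every accepted inbound call whose caller ID should not have passed a
// strict allowlist, classifying why it is suspicious.
function analyzeCdrs(lines: string[], allowlist: string[]): Finding[] {
  const allowed: string[] = allowlist.map(digitsOnly).filter((d) => d !== "");
  const findings: Finding[] = [];
  for (const line of lines) {
    const rec = parseCdrLine(line);
    if (!rec || rec.direction !== "inbound" || rec.outcome !== "accepted") continue;
    const from = digitsOnly(rec.from);
    if (from === "") {
      findings.push({ rule: "empty-caller-id-accepted", ts: rec.ts, from: rec.from,
        detail: "inbound call without caller ID passed policy" });
      continue;
    }
    if (allowed.indexOf(from) !== -1) continue; // exact match is the expected outcome
    // Does the accepted number merely end with (or sit inside the end of) an allowlisted one?
    let collided: string | undefined;
    for (const entry of allowed) {
      if (from.endsWith(entry) || entry.endsWith(from)) { collided = entry; break; }
    }
    if (collided !== undefined) {
      findings.push({ rule: "suffix-collision-accepted", ts: rec.ts, from: rec.from,
        detail: `shares a digit suffix with allowlisted ${collided} but is not equal to it` });
    } else {
      findings.push({ rule: "unlisted-caller-accepted", ts: rec.ts, from: rec.from,
        detail: "accepted caller is not on the allowlist" });
    }
  }
  return findings;
}

function demoFindings(): Finding[] {
  return analyzeCdrs(SAMPLE_CDR_LINES, SAMPLE_ALLOWLIST);
}
```

On the sample records `demoFindings()` returns three findings, one per rule, in log order; the exact-match, rejected and outbound records produce nothing. The suffix test is deliberately symmetric so that a short caller ID consisting only of the trailing digits of an allowlisted number is also flagged.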
Monitoring Recommendations
- Enable verbose logging on the voice-call extension to capture all inbound call metadata
- Configure alerts for failed authentication attempts followed by successful access from similar number patterns
- Implement network traffic analysis on voice gateway connections to detect caller ID manipulation
- Establish baseline metrics for normal inbound call patterns to identify statistical anomalies
How to Mitigate CVE-2026-28446
Immediate Actions Required
- Upgrade OpenClaw to version 2026.2.1 or later immediately
- If immediate upgrade is not possible, disable the voice-call extension until patching is complete
- Review call logs for any evidence of exploitation prior to patching
- Ensure the Telnyx public key is configured when using allowlist or pairing inbound policies
Patch Information
The vulnerability has been addressed in OpenClaw version 2026.2.1. The fix implements proper phone number normalization and enforces strict equality matching instead of suffix-based comparison. Additionally, the configuration validation now requires the Telnyx public key when using allowlist or pairing inbound policies. The security patch is available in commit f8dfd034f5d9235c5485f492a9e4ccc114e97fdb.
For detailed patch information, refer to:
Workarounds
- Disable the voice-call extension entirely if not required for operations
- Switch inbound policy to a more restrictive mode that does not rely solely on caller ID validation
- Implement network-level restrictions to limit inbound voice traffic to known, trusted sources
- Configure additional authentication layers at the voice gateway level before calls reach OpenClaw
# Configuration example - Disable voice-call extension temporarily
# In openclaw configuration file (config.yaml or environment)
OPENCLAW_VOICE_CALL_ENABLED=false
# Or in config.yaml:
# plugins:
#   entries:
#     voice-call:
#       enabled: false
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.